I have a very limited understanding of PHP, as well as the internet for that matter. I'm wondering if someone could simply send a POST request to my PHP script (assuming it's public). Wouldn't that have the potential to mess up my entire script?
- Yes they could. – Feb 01 '18 at 01:18
- Yes, anybody can send a POST request (or HEAD, or GET, PUT, etc...) to a public URL, PHP or not. I do not know what it means to "mess up" your script. – Theraot Feb 01 '18 at 01:18
- It could only really 'mess up' your script if you write your script in a way that blindly takes every POST arg and attempts to do something with it. Just don't *do that*. – IncredibleHat Feb 01 '18 at 01:26
- @rtfm is quite right. Include your script in your question and let us see what you're trying to achieve. You can use PHP to ignore POST input if required. – nickhar Feb 01 '18 at 01:50
2 Answers
Answer: YES.
The end.
I think this question comes from some security concerns that are not being worded.
First off, know you can check the request method (a.k.a. HTTP verb) with $_SERVER['REQUEST_METHOD'].
Second, you can send HTTP requests from the browser, or from other software, with whatever request method, to whatever public server (read: reachable on the network). And yes, you can handle other things aside from GET and POST in PHP.
I have found the browser extension "Requestly" useful for testing.
You might be interested in Cross-Site Request Forgery and Cross-Site Scripting.
Let us talk mitigation...
It should be evident... but: validate all input. Do not trust that the input comes from a well-intended user of your own site.
After validation, it could be necessary to have a sanitization step. For example, if you are going to display the values you got from a request to your users, sanitize the input so it does not contain HTML code. By doing so, you are preventing the attacker from injecting potentially dangerous code in your page (the classic example being injecting JavaScript).
You probably know this already also, however: use prepared statements. If you are sending the data you got from a request to the database, using prepared statements will protect you from SQL injection.
Yes, I know the question is not about JavaScript or SQL injection. However, Injection remains the most common vulnerability according to the OWASP TOP 10, and people who wonder if a third party can make requests to their page are the kind of people who need to be told this.
Alright, next up, you need to know if the request comes from an authenticated user. Again, you are probably doing this already: use sessions. What you might not know is that the PHP session cookie is not HttpOnly by default, meaning that it could be stolen on the client (see Session Hijacking). To fix that use ini_set('session.cookie_httponly', 1);
Now, of course, the cookie could be stolen by a Man-in-the-Middle attack, which brings me to: use HTTPS. You can get a free SSL certificate to set up HTTPS in your hosting from Let's Encrypt; if you are new to this, I suggest using ZeroSSL, which will make it easy to get a certificate and uses Let's Encrypt behind the scenes.
Finally, there are scenarios where you need to make sure the request does not come from a malicious party and you cannot depend on a session being open. In this situation you need to issue a token associated with a specific action, and only allow the action to proceed if the token is presented... for example, if the user wants to recover access (forgot password) you can send a link with a token to their email account, and if the email is presented (and optionally if a captcha is resolved) you allow the user to set a new password.
I hope I do not need to tell you How NOT to Store Passwords!
For more information see OWASP Cross-Site Request Forgery Prevention Cheat Sheet.
- Thanks for this very detailed response; I have used this many times to help secure my projects. I always appreciate when someone takes the time to explain these concepts in detail. – Sevy Apr 25 '18 at 02:34
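The mitigations the answer lists (checking the request method, requiring a session, a per-action token, input validation, prepared statements, escaping on output, and an HttpOnly session cookie) fit together in one small endpoint. The script below is an added example written for this page, not code from the answer's author: it assumes a login script that sets `$_SESSION['user_id']`, a placeholder PDO DSN and credentials, and a hypothetical `comments (author, body)` table. It uses a session-bound token as one instance of the "token per action" idea; the emailed password-reset token from the answer's last paragraph is a separate flow not shown here.

```php
<?php
// Added example, not from the original answer. Assumed: a login script that sets
// $_SESSION['user_id'], a table "comments" (author, body), and placeholder DB
// credentials below. A cross-site form can still POST here (browsers allow that),
// which is exactly what the token check in step 3 is for.
declare(strict_types=1);

// HttpOnly so client-side script cannot read the session cookie; Secure and
// SameSite assume the site is served over HTTPS. Must run before session_start().
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
session_start();

// Placeholder connection (assumption): adjust DSN and credentials for your host.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// 1. Only accept the method this endpoint is meant to handle.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 2. Require a logged-in session (set by the assumed login script).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authenticated');
}

// 3. Per-session token: a form rendered by this site embeds csrfToken() in a hidden
//    field; a form hosted elsewhere cannot know it, so its POST is rejected here.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

$submitted = $_POST['csrf_token'] ?? '';
if (!is_string($submitted) || !hash_equals(csrfToken(), $submitted)) {
    http_response_code(403);
    exit('Invalid or missing token');
}

// 4. Validate every field against the shape you expect; reject rather than "fix".
$author = $_POST['author'] ?? '';
$body   = $_POST['body'] ?? '';
if (!is_string($author) || !preg_match('/^[\p{L}\p{N} _.-]{1,40}$/u', $author)) {
    http_response_code(400);
    exit('Invalid author');
}
if (!is_string($body) || $body === '' || strlen($body) > 2000) {
    http_response_code(400);
    exit('Invalid body');
}

// 5. Prepared statement: values are bound, never concatenated into the SQL text,
//    so quotes or SQL keywords in the input cannot alter the query.
$stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $author, ':body' => $body]);

// 6. Escape on output so stored text is rendered as text, not parsed as HTML.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');
echo '<p>Thanks, ', e($author), '. Your comment: ', e($body), '</p>';
```

The form that targets this script is rendered by the same site and carries `<input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">`; `hash_equals` is used for the comparison so the check does not leak timing information. Validation happens before the database call and escaping happens at output time, which keeps the two concerns (what is accepted versus how it is displayed) separate, as the answer recommends.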
> I'm wondering if someone could simply send a POST request to my PHP script (assuming it's public).

Yes, though not via XHR/fetch from a modern browser if you haven't allowed CORS. (This doesn't stop a regular form on another web page posting to your script.)

> Wouldn't that have the potential to mess up my entire script?

How so? You're responsible for properly handling anything posted to you.
- CORS only protects against AJAX requests. Someone could create an HTML form that posts to his script. – Barmar Feb 01 '18 at 01:18