-1

what is the best way to tell my server side script that the submitted form or data is coming from a trusted source or from my website? Am already performing alot of server side data scrutinize, and think i can improve this more with the client side too

AM a php/mysql developer

skaffman
  • 398,947
  • 96
  • 818
  • 769
Smith
  • 5,765
  • 17
  • 102
  • 161
  • possible duplicate of [PHP form tokens](http://stackoverflow.com/questions/2034281/php-form-tokens) – bzlm Feb 13 '11 at 19:34
  • guys my question is "cheking weather data received at the server is from a valid source" not "check data for proper form" – Smith Feb 14 '11 at 09:13

6 Answers6

1

To find out the IP of the user who posted the data use:

$ip = $_SERVER['REMOTE_ADDR'];
echo "<b>IP Address= $ip</b>";

According to the IP you can decide whether the user is trusted or not. (for instance if you'd like to trust only a special range of IP-addresses)

Whenever I read posted variables in PHP I use to filter them like that:

function check_string($string) {      
    // allowed chars: a-z,A-Z,0-9,-,_      
    if((preg_match('/^[a-zA-Z0-9\-\_]+$/',$string))) 
    return true;   
    return false;   
}

It would filter all chars which are not a-z, A-Z, 0-9,- or _ and enhances the sites security a little bit. If you've access to your webserver:

  • Disable server banners (which display OS and apache version for instance), if you have access to the webservers configuration. This information can be very useful for hackers, and you want to disable everything which could help them in any way ;)

  • Prevent directory listing (for instance with .htaccess files). A simple example would be:

    Options All -Indexes

  • Run the webserver with a limited user account (best would be to chroot the user as well)

beta
  • 2,583
  • 15
  • 34
  • 46
1

Use mysql_real_escape_string in mysql queries and use htmlentities in html posts.

Example:

Wrong:

<?php
if($_SERVER['REQUEST_METHOD'] == "post"){
    echo $_POST['hai'];
}
?>

right:

<?php
if($_SERVER['REQUEST_METHOD'] == "post"){
    echo htmlentities($_POST['hai']);
}
?>

$_POST can also be $_GET

wrong:

<?php
$query = "SELECT * FROM table WHERE msg = '". $_GET['hai'] ."'";
?>

right:

<?php
$query = "SELECT * FROM table WHERE msg = '". mysql_real_escape_string($_GET['hai']) ."'";
?>

And don't forget to use htmlentities when you get things out of the mysql table...

Greetings

Thew
  • 15,789
  • 18
  • 59
  • 100
  • This does not seem to address the issue of whether "submitted form or data is coming from a trusted source or from my website". Pro tip, though. – bzlm Feb 13 '11 at 19:59
0

I've always used a class that handled such issues, it would handle both server/client side and ensure that any input was made from the server itself. It would then validate and ensure it is not given special characters.

http://validformbuilder.org/

Let me know if that helps, it helped me a while ago. :)

BGPHiJACK
  • 1,277
  • 1
  • 8
  • 16
0

I think the best option would be adding a digital signature to requests, even a simple one.

For example your site or the trusted source add the SHA checksum of the request computing it after the addition of a secret "salt" (that is not sent). The server gets the data, adds the same salt and computes the SHA signature, if the SHA matches then the source knew the secret and you can trust the content.

6502
  • 112,025
  • 15
  • 165
  • 265
0

I guess your question implies CSRF... Just generate and add a validation token.

Many frameworks can manage these for you.

PJK
  • 2,082
  • 3
  • 17
  • 28
-1

Guys, thanks for your help i appreciate it all. Generally i was talking about client side security ie making sure data coming from the client is from original source.

Generally SSL might just have been the answer, after a lot of browsing i found two sites that solves this issue to an extent: aSSL ,and Jquery implementation

This way my data is secured up to a level say 90%

what do you think?

Smith
  • 5,765
  • 17
  • 102
  • 161