1

I want to know if that's possible for someone to create a automation script to send some kind of random form data to my PHP script which simply inserts received form data into the MySQL Database? Will the data get inserted and how can we secure it?

Example: I have a example.com/signup.php script which inserts the form data received into the MySQL Database. Is it possible for someone to send the form data to the example.com/signup.php script from a different host, like maybe localhost or domain-name.com?

For example can someone create some kind of this code like the below one and keep on inserting data here on http://www.domain-name.com/signup.php instead of inserting on http://www.example.com/signup.php and will the inserted data when submitted will get inserted into the database?

<form action="http://www.example.com/signup.php">
    <input type="text" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <button type="submit" name="signup-btn">Signup!</button>
</form>

So this way the database can get full if there's bot doing this...

Coder Amogh
  • 145
  • 1
  • 10
  • 6
    You should read up on [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). That will explain how it can be done (by basically just posting directly to your `/signup.php`-script). Then, when you've read through it, search for some library that helps you with that. There are plenty if you search for them. – M. Eriksson Jun 25 '19 at 13:50
  • Possible duplicate of [Only accept AJAX $\_GET or $\_POST requests from specific page](https://stackoverflow.com/questions/23533003/only-accept-ajax-get-or-post-requests-from-specific-page) –  Jun 25 '19 at 13:50
  • Hi, I will let you know if I have any more questions. Thank you all! – Coder Amogh Jun 25 '19 at 14:20
  • @MagnusEriksson so, how can I validate that the request was made with my, in this case example.com only and not other domain? What's the PHP code for it? – Coder Amogh Jun 25 '19 at 14:28
  • 1
    It can be solved by using a csrf-token. The basics are: the first time you load a page with a form, you generate a random token which you put in the session. Then in the form, you add that token in a hidden input. When the form is submitted, you check if the token you got matches the one in the session. If not, then the call didn't come from your site. As mentioned, there are many very good libraries that makes this very easy to implement. Go to packagist.org and search for "csrf" and make your pick. – M. Eriksson Jun 25 '19 at 14:34
  • 2
    When it comes to security, it's usually better (and recommended) to use a tried and tested library instead of rolling your own solution. Even theoretically "easy" solutions can be tricky to get 100% correct (which you want when talking security), – M. Eriksson Jun 25 '19 at 14:35

1 Answers1

0

i am new on stackoverflow, i m not much familiar with stackoverflow editor

you can set a specific token inside the form

first set a token session on top of the form page

<?php
  session_start();
  $token = rand();
  $_SESSION['token'] = $token;
?>

<html>
  <body>
    <form action="http://www.example.com/signup.php">
     <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>">
        <input type="text" name="username" placeholder="Username">
        <input type="password" name="password" placeholder="Password">
        <button type="submit" name="signup-btn">Signup!</button>
    </form>
  </body>
</html>

signup.php

  <?php
session_start();
      if(isset($_POST['token']) && $_POST['token'] == $_SESSION['token'])
      {
        //piece of codes to insert into database
        
        }
else{
 echo "<script>window.location = 'example.com'</script>";
}
      ?>
Sachin Maurya
  • 5
  • 3