
I have a PHP service called addItem.
This service is called when someone submits a form on the client side.

How can I secure that to make sure that an item will only be added when called from the intended form?
Trying to prevent someone from submitting stuff through automated curl call for example.

Thank you,
Tee

teepusink

2 Answers


Short answer is that you can't. As long as the form is accessible, any method you use to secure the form can be tackled in an automated way. You should never count on data sent by the user to be secure. However, there are a few things you can do to make things more challenging for anyone wanting to spoof your form.

  • Add a CAPTCHA which will probably filter out nearly all scripted submission, but also have the greatest negative impact on regular users.
  • Employ some form of CSRF protection (which you should have anyway). This will mean that anyone wanting to submit data via the form must request the form first. If this form is only accessible behind a login wall, this will make things quite challenging.
  • If you already require your users to have Javascript, try using JS when setting up a key for CSRF protection. This means that the JS must be parsed or executed in order to submit a valid form.
  • Filter common user agents such as cURL and wget.
  • Check that the form was sent via POST and not GET.
  • Add rate limiting on the server to throttle submissions to a reasonable level.
  • Check the HTTP referrer. Easily faked, but one more hoop to jump through.

Ultimately, if someone wants to submit data to your form through some other means, it's still ALWAYS possible. The above steps can make it more challenging, but any action that can be taken by the user can always be scripted, so make sure to have appropriate validation on the server side.

Michael Mior
  • Atlassian, for instance, uses a XSRF token (`atl_token`) for each request that eventually times out. http://confluence.atlassian.com/display/JIRA/Form+Token+Handling – Jared Farrish Jul 01 '11 at 22:10

This post has a great answer: CSRF (Cross-site request forgery) attack example and prevention in PHP

The basic idea is that you want to generate some form element in the form with a random number and make sure that the form sends back that same element. Example:

<form ...>
    <input name="csrf_dfjfi4i4i4k3" value="csrf_dfjfi4i4i4k3" type="hidden" />
</form>

Now when you receive the post make sure the element exists and the value is the same as the name.

Abdullah Jibaly
  • Deliberate scripted submissions are different from a CSRF attack. Although I cited CSRF protection in my answer as well, this really doesn't do much in the way of security. – Michael Mior Jul 01 '11 at 22:13
  • The OP's question is a little vague on that, I understood that he wanted to make sure that the form was read before being submitted which this accomplished. Could be that you're right though. – Abdullah Jibaly Jul 01 '11 at 22:18
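A session-bound version of the token idea from both answers, with the time-out Jared Farrish mentions and the POST check from the first answer, as an added example that is not code from either answer. The function names, the `csrf_token` field name and the 15-minute lifetime are my own choices.

```php
<?php
// Added example (not code from either answer): a session-bound CSRF token that
// is issued with the form, returned with the POST, and expires. Names are mine.
declare(strict_types=1);

const CSRF_TTL_SECONDS = 900; // assumed token lifetime: 15 minutes

// Called when rendering the form: store a fresh random token in the session
// together with its creation time, and return it for the hidden field.
function csrf_issue_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $session['csrf'] = ['token' => $token, 'issued' => $now];
    return $token;
}

// Hidden field to embed in the form; the token is escaped for HTML.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Called by addItem first: accept only a POST carrying the token issued to
// this session, only while it is unexpired, and consume it (no replay).
function csrf_validate(array &$session, array $post, string $method, int $now): bool
{
    if ($method !== 'POST') {
        return false;                            // reject GET and friends
    }
    $stored = $session['csrf'] ?? null;
    $sent   = $post['csrf_token'] ?? null;
    if (!is_array($stored) || !is_string($sent)) {
        return false;                            // form was never requested
    }
    unset($session['csrf']);                     // one-time use
    if ($now - $stored['issued'] > CSRF_TTL_SECONDS) {
        return false;                            // token timed out
    }
    return hash_equals($stored['token'], $sent); // constant-time comparison
}

// Usage with PHP's real session, e.g. at the top of addItem.php:
// session_start();
// if (!csrf_validate($_SESSION, $_POST, $_SERVER['REQUEST_METHOD'], time())) {
//     http_response_code(403); exit('invalid or missing form token');
// }
```

As the first answer says, this only forces a scripted client to fetch the form (and keep a session) before posting; it does not stop a determined submitter, so server-side validation and rate limiting still apply.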