Stopping a submit when a request fake request is sent to the backend

Question

My issue that I encountered here is when I send a request with parameters to my PHP back-end it would act as a form was submitted and would send a false submission. I use AJAX to communicate with the front and back-end and the code I use is:

$(document).ready(function () {
    $("#submitmsg").click(function () {
        var usrmsg = $("#Text").val();
        var username = localStorage.getItem("user")
        $.post("send.php", { text: usrmsg,user: username,},
            function(result){ });
        $("#Text").val("");
        return false;
   });
});

in my backend where it gets the request is

$username = $_POST['user']; 
$text = $_POST['text'];

score 0 · Accepted Answer · edited May 06 '22 at 06:38

0

This will prevent Cross-Site Scripting

When your page loads, save a token in a session / cookie / database.

$_SESSION['token'] = md5(uniqid(mt_rand(), true));

In your AJAX call pass that same token to send.php:

{ text: usrmsg,user: username, token: token_generated }

In send.php just check the tokens match

if ($_POST['token'] != $_SESSION['token']) exit();

Or if your only concert are fake submits try a captcha.

Also you can validate the fields using Javascript BEFORE they're send via AJAX.

edited May 06 '22 at 06:38

CactiProgrammer

63
7

answered May 06 '22 at 00:25

kissumisha

484
4
12

how would I make this into a cookie? would I use echo – CactiProgrammer May 06 '22 at 01:25
To set browser cookies you use setcookie() https://www.php.net/manual/en/function.setcookie.php Then the cookie will be available on $_COOKIE['name_of_cookie']. I would use $_SESSION for this purpose anyway, you can find differences and reasons here: https://stackoverflow.com/questions/6253633/cookies-vs-sessions – kissumisha May 06 '22 at 23:48
Thanks! When I use the same code as you and I add the if sentence in send.php the process just dies. The token gets sent to the backend (according to DevTools). How can I fix this? – CactiProgrammer May 07 '22 at 15:45
Can you post here the the code for send.php so I can have a quick look. – kissumisha May 07 '22 at 16:23
I meant the whole thing, to see how you are processing the token, etc. – kissumisha May 08 '22 at 02:17
$_SESSION['token'] = md5(uniqid(mt_rand(), true)); $fp = fopen('chatlog.html', 'a'); fwrite($fp,$message); @kissumisha – CactiProgrammer May 08 '22 at 05:35
I found the problem. Only the POST request variable gets set but the other one doesn't – CactiProgrammer May 11 '22 at 02:54
What do you mean with "the other one"? Do you mean the SESSION is not being started? – kissumisha May 12 '22 at 21:28
My session is started. But I can not access it in the send.php – CactiProgrammer May 14 '22 at 02:31
But I can access the $_SESSION in index.php – CactiProgrammer May 14 '22 at 05:21
Probably sounds like obvious, but did you start the session also in send.php so the SESSION variables can be accessed? – kissumisha May 15 '22 at 11:57
I started the session in index.php – CactiProgrammer May 15 '22 at 16:33
In order to access the SESSION variables from another script, you will need to start the session there too. So add session_start() to send.php and you will be able to use the $_SESSION that are stored. – kissumisha May 15 '22 at 21:07

Stopping a submit when a request fake request is sent to the backend

1 Answers1