  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 153

How can I secure a form processor file?

Simple question that I hope has a simple answer. I'm using PHP 5+ and Apache 1.3+

mydomain.com/form.php submits to mydomain.com/directory/processor.php and redirects to mydomain.com/confirm.php

How can I secure mydomain.com/directory/processor.php so that it only takes variables from mydomain.com/form.php and still redirects to mydomain.com/confirm.php?

I tried restricting '/directory/' with a password but then the form.php wouldn't hit it and redirect.
I also tried putting processor.php in a directory above the public folder but that didn't work either.

Thanks for the help
Asked by: sportsbro
2 Solutions

Nopius commented:
> How can I secure mydomain.com/directory/processor.php so that it only takes variables from mydomain.com/form.php  and still redirects to mydomain.com/confirm.php

I see at least two ways to do what you want.
First is easy, but not 100% secure (though it is safer than the current implementation);
second is secure, but not easy :-)

1) The first method doesn't require any PHP programming; it's based on checking the Referer: header in .htaccess.
Just create .htaccess in mydomain.com/directory/ like:
RewriteEngine On
# Deny (403) unless the Referer header is exactly the form page URL;
# a missing Referer is an empty string, so it is denied as well.
RewriteCond %{HTTP_REFERER} !=http://mydomain.com/form.php
RewriteRule ^processor\.php$ - [F]

Need to check, not tested.

2) The second method is to use some shared storage (like an SQL database) to associate the user with the request: set up this association (add it to SQL) in form.php and also add an extra hidden variable that is passed to processor.php. Then processor.php should check this variable against SQL and, if it is not found, reject the request. Since such an 'association' should have a short lifetime, you should take care of cleaning those entries out of SQL.
 
Roonaan commented:
Option 1) would be buggy, as a lot of people have HTTP referers turned off, and therefore couldn't use your form.
Option 2) sounds like a plan, but I think you could just as well use PHP's standard session.
Use session_start() in both pages, then add $_SESSION['formVisited'] = true on the form page and if(!isset($_SESSION['formVisited'])) { /* illegal access */ } in the processor.

The session implementation can get as complex as you want it, of course.

-r-
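Both Nopius's option 2 (a per-request association checked by processor.php) and Roonaan's session-based variant come down to the same pattern: form.php issues a secret tied to the visitor's session and hands it to the browser as a hidden field, and processor.php refuses any POST that does not carry it back. The following is an added example written for this thread, not code from either poster: it uses a random single-use token with a time limit rather than a boolean flag, so a stale or replayed submission is rejected too. It assumes PHP 7 or later (for random_bytes), the paths from the question, and an arbitrary 15-minute lifetime; the `email` field is a placeholder for whatever the real form collects.

```php
<?php
// ---- form.php (served at mydomain.com/form.php) ----
// Assumes PHP 7+; paths and the 15-minute TTL are assumptions for this example.
ini_set('session.cookie_httponly', 1);   // keep the session cookie away from page scripts
session_start();

// Issue a fresh 256-bit one-time token and bind it to this visitor's session.
$token = bin2hex(random_bytes(32));
$_SESSION['form_token']        = $token;
$_SESSION['form_token_issued'] = time();
?>
<form method="post" action="/directory/processor.php">
  <!-- The browser carries the token back; escaping is a habit, the value is hex anyway. -->
  <input type="hidden" name="form_token"
         value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
  <input type="text" name="email">
  <button type="submit">Send</button>
</form>

<?php
// ---- directory/processor.php (served at mydomain.com/directory/processor.php) ----
ini_set('session.cookie_httponly', 1);
session_start();

define('FORM_TOKEN_TTL', 900); // seconds a token stays valid (assumed value)

/**
 * Returns true only if $submitted matches the token form.php stored in this
 * session and that token is still within its lifetime. The stored token is
 * removed before comparison so it is single-use: a replayed POST fails.
 */
function form_token_is_valid($submitted)
{
    if (!isset($_SESSION['form_token'], $_SESSION['form_token_issued'])) {
        return false;                       // form.php was never loaded in this session
    }
    $expected = $_SESSION['form_token'];
    $issued   = $_SESSION['form_token_issued'];
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);

    if (time() - $issued > FORM_TOKEN_TTL) {
        return false;                       // expired; user must reload form.php
    }
    // hash_equals is constant-time, so timing does not leak which bytes matched.
    return is_string($submitted) && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);                // the processor is never a page to browse to
    exit;
}

$submitted = isset($_POST['form_token']) ? $_POST['form_token'] : '';
if (!form_token_is_valid($submitted)) {
    http_response_code(403);
    exit('Invalid, missing or expired form token.');
}

// Token accepted: validate and handle the real fields here. The token proves
// the request came through form.php in this session; it says nothing about
// whether the other fields are safe, so escape and validate them as usual.
$email = isset($_POST['email']) ? trim($_POST['email']) : '';

// 303 tells the browser to GET confirm.php, so a reload cannot resubmit the POST.
header('Location: /confirm.php', true, 303);
exit;
```

Note what this does and does not guarantee. Nothing server-side can prove a request "came from form.php", because the client assembles every request; what the token proves is that the browser making the POST has a session in which form.php was recently served, which is exactly the check the original question is reaching for and the same mechanism a CSRF token uses. Unlike the Referer rule, it works for visitors whose browsers strip the Referer header, and unlike a plain `formVisited` flag it cannot be reused after one submission. If the processor runs on a different host or the session is stored in a shared backend, Nopius's SQL table plays the role of `$_SESSION` here; the expiry check replaces the cleanup job he mentions, with old rows removed on a schedule.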
