Only Allow My Server to Post Data From a PHP Form

Posted on 2014-08-27
Medium Priority
Last Modified: 2014-08-27
Been searching online for an answer and can't find anything.  Let's say I have a simple PHP form.  It uses session variables so it knows the user's username.  Is there a way to prevent a user from logging in, then opening another tab in their browser and using a copy of that form located on their server and submitting the values to my form that processes the values?  I know I can check the header, but that can be faked.  Same thing with the IP address.  I just want to be able to know with certainty that when a form is submitted, it came from a user using my form on my server.  My actual need is a little more complicated than this, but the general premise is the same, so I tried to make it as simple as possible.  Thanks.
Question by:Jason92s

Expert Comment

by:Trenton Knew
ID: 40289151
Can you have your form look for a file stored in a private directory prior to submission? I would imagine you could have this file in a folder inaccessible to the outside world but browsable by the script using a relative path. If the file does not exist, the form doesn't work. I can't give more specifics than this with my limited knowledge, unfortunately, but maybe this sets you on the right path.
LVL 84

Accepted Solution

Dave Baldwin earned 2000 total points
ID: 40289168
It's true that the 'HTTP_REFERER' can be faked but it is not nearly so easy to fake the IP address.  The IP address is part of the actual connection in the network and not something sent along by the source.  And... the 'REMOTE_ADDR' is going to be the client's IP address.  And since your server's IP address should always be the same it doesn't make any sense to check that.  I always check the 'HTTP_REFERER' too because spammers are generally too lazy to fake it.

On the other hand... if it is the same form with the same values... what difference does it make?  They are already on your site if they can copy the form page.  If they are not on your site then the session id is not going to match and the $_SESSION data isn't going to be there either.

I check up to 6 different things on a POST page.  I usually track the 'REMOTE_ADDR' so I can see if the posts are coming from the same place, I check the 'HTTP_REFERER' which should be the HTML form page where the data was entered, I check the $_SESSION data where appropriate, and I find various ways of including details in the form post that I can check.
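The checks described in the accepted answer, put together as an added PHP example (this is not code from the thread): a per-session random token is the "detail included in the form post", the session remembers the REMOTE_ADDR it was started from, and the Referer is treated only as a weak signal. The key names, the form URL and the function names are assumptions for this illustration.

```php
<?php
// Added example, not from the original thread. Session key names and the
// expected form URL below are assumptions for illustration.
session_start();

// Call this when rendering the form and put the result in a hidden input:
//   <input type="hidden" name="form_token" value="<?= htmlspecialchars(issue_form_token()) ?>">
// Unlike a static hidden field, the value is random and differs per session.
function issue_form_token(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
        $_SESSION['bound_addr'] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return $_SESSION['form_token'];
}

// Returns an empty array when the post is acceptable, otherwise the reasons
// it was rejected (log these server-side; do not echo them to the client).
function verify_form_post(array $post, array $server, array $session, string $expected_form_url): array {
    $problems = [];
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        $problems[] = 'not a POST';
    }
    if (empty($session['username'])) {
        $problems[] = 'no logged-in session';
    }
    // The token must exist in the session and match what the form sent;
    // hash_equals() compares in constant time.
    $sent = $post['form_token'] ?? '';
    if (empty($session['form_token']) || !is_string($sent)
        || !hash_equals($session['form_token'], $sent)) {
        $problems[] = 'form token missing or mismatched';
    }
    // REMOTE_ADDR comes from the TCP connection, not from the request body.
    if (($session['bound_addr'] ?? null) !== ($server['REMOTE_ADDR'] ?? '')) {
        $problems[] = 'client address differs from the one that started the session';
    }
    // The Referer header is trivial to forge, so it only adds a little.
    $ref = $server['HTTP_REFERER'] ?? '';
    if (strncmp($ref, $expected_form_url, strlen($expected_form_url)) !== 0) {
        $problems[] = 'unexpected or missing referer';
    }
    return $problems;
}

$problems = verify_form_post($_POST, $_SERVER, $_SESSION, 'https://www.example.com/form.php');
if ($problems !== []) {
    error_log('form post rejected: ' . implode('; ', $problems));
    http_response_code(403);
    exit;
}
// ... process the trusted submission here ...
```

Binding the session to REMOTE_ADDR will reject legitimate users whose address changes mid-session (mobile networks, some proxies), so treat that check as a tunable signal rather than a hard rule if that matters for your users.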
LVL 111

Expert Comment

by:Ray Paseur
ID: 40289196
Use a CAPTCHA test.

But really, what Dave Baldwin said: "On the other hand... if it is the same form with the same values... what difference does it make?"

Author Comment

ID: 40289200
Thanks All.  It would take all day to explain why I'm really asking, but this definitely points me in the right direction and will solve my issue.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40289229
You're welcome, glad to help. Basically, the more different things you can check, the more you can 'secure' your form. Most people who try to break in are generally lazy; they don't want to work any harder than they have to.

One thing that is useless is 'hidden' input fields.  Those will be collected the first time someone scans your form page.

One thing that is Necessary for any kind of 'private' or 'personal' data is SSL/TLS for HTTPS encryption.  People who have the resources to capture your network traffic will be able to 'see' everything if it is not encrypted using SSL/TLS.

Author Comment

ID: 40289233
Excellent points Dave, thanks again for all your help on this. It's very much appreciated.
