Only Allow My Server to Post Data From a PHP Form

Posted on 2014-08-27
Last Modified: 2014-08-27
Been searching online for an answer and can't find anything.  Let's say I have a simple PHP form.  It uses session variables so it knows the user's username.  Is there a way to prevent a user from logging in, then opening another tab in their browser and using a copy of that form located on their server and submitting the values to my form that processes the values?  I know I can check the header, but that can be faked.  Same thing with the IP address.  I just want to be able to know with certainty that when a form is submitted, it came from a user using my form on my server.  My actual need is a little more complicated than this, but the general premise is the same, so I tried to make it as simple as possible.  Thanks.
Question by:Jason92s
    LVL 9

    Expert Comment

    by:Trenton Knew
    Can you have your form look for a file stored in a private directory prior to submission?  I would imagine you could have this file in a folder inaccessible to the outside world, but browseable by the script using a relative path?  If the file doesn't exist, then the form doesn't work.  I can't give more specifics than this with my limited knowledge, unfortunately, but maybe this sets you on the right path.
    LVL 82

    Accepted Solution

    by:Dave Baldwin
    It's true that the 'HTTP_REFERER' can be faked, but it is not nearly so easy to fake the IP address.  The IP address is part of the actual connection in the network and not something sent along by the source.  And... the 'REMOTE_ADDR' is going to be the client's IP address.  And since your server's IP address should always be the same, it doesn't make any sense to check that.  I always check the 'HTTP_REFERER' too because spammers are generally too lazy to fake it.

    On the other hand... if it is the same form with the same values... what difference does it make?  They are already on your site if they can copy the form page.  If they are not on your site then the session id is not going to match and the $_SESSION data isn't going to be there either.

    I check up to 6 different things on a POST page.  I usually track the 'REMOTE_ADDR' so I can see if the posts are coming from the same place, I check the 'HTTP_REFERER' which should be the HTML form page where the data was entered, I check the $_SESSION data where appropriate, and I find various ways of including details in the form post that I can check.
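One way to implement the "details in the form post that I can check" idea from the accepted answer, as an added example that is not code from the thread: a random token issued once per session and verified on POST, alongside the session, referer and client-address checks listed above. It assumes PHP 7 or later and that the login code already stored `$_SESSION['username']` and `$_SESSION['login_ip']` (both assumed names).

```php
<?php
// Added example, not code from the thread. Assumes the login code has
// already set $_SESSION['username'] and $_SESSION['login_ip'].
session_start();
// Issue one random token per session; a scan of the form page made
// without this session's cookie cannot know it.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}
// Return the list of failed checks; an empty array means the POST is accepted.
function verify_post(array $post, array $server, array $session): array
{
    $problems = [];
    if (empty($session['username'])) {
        $problems[] = 'no login in session';
    }
    // The posted token must match the one issued to this session;
    // hash_equals() compares in constant time.
    if (empty($post['token']) || empty($session['form_token'])
        || !hash_equals($session['form_token'], (string) $post['token'])) {
        $problems[] = 'token mismatch';
    }
    // Referer is easy to fake, so this is advisory, but worth logging.
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if ($refHost !== ($server['SERVER_NAME'] ?? null)) {
        $problems[] = 'referer not this site';
    }
    // Client address should not change between login and submission.
    if (($session['login_ip'] ?? null) !== ($server['REMOTE_ADDR'] ?? null)) {
        $problems[] = 'client address changed since login';
    }
    return $problems;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $problems = verify_post($_POST, $_SERVER, $_SESSION);
    if ($problems) {
        error_log('form rejected: ' . implode(', ', $problems));
        http_response_code(403);
        exit('Form submission rejected.');
    }
    exit('Accepted message from ' . htmlspecialchars($_SESSION['username']));
}
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars(form_token()) ?>">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
```

The token stops a page on someone else's server from driving the form on a logged-in user's behalf, but, as the answer notes, a user who copies their own live form together with its token is still the same authenticated user, so the server-side checks matter more than where the HTML was served from.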
    LVL 107

    Expert Comment

    by:Ray Paseur
    Use a CAPTCHA test.

    But really, what Dave Baldwin said: "On the other hand... if it is the same form with the same values... what difference does it make?"

    Author Comment

    Thanks All.  It would take all day to explain why I'm really asking, but this definitely points me in the right direction and will solve my issue.
    LVL 82

    Expert Comment

    by:Dave Baldwin
    You're welcome, glad to help.  Basically, the more different things you can check, the more you can 'secure' your form.  Most people who try to break in are generally lazy; they don't want to work any harder than they have to.

    One thing that is useless is 'hidden' input fields.  Those will be collected the first time someone scans your form page.

    One thing that is necessary for any kind of 'private' or 'personal' data is SSL/TLS for HTTPS encryption.  People who have the resources to capture your network traffic will be able to 'see' everything if it is not encrypted using SSL/TLS.

    Author Comment

    Excellent points Dave, thanks again for all your help on this. It's very much appreciated.
