Solved

PHP Submission

Posted on 2014-09-22
23
98 Views
Last Modified: 2014-10-09
Hi Experts,

Is it possible when a form is submitted to a PHP page, that PHP page to check the absolute path of the form page?

In other words, I have just noticed some invalid data I have been validating with JavaScript, and found out that someone has view source, saved it on the local machine, tampered with the JavaScript and adjusted the form action to the PHP's absolute URL.

So, if I can verify the absolute URL of the page being submitted (without using hidden fields, of course), then I can avoid this.

Thanks,
0
Comment
Question by:APD_Toronto
23 Comments
 
LVL 15

Accepted Solution

by:
Insoftservice earned 167 total points
ID: 40336934
Please show your code if possible.
I would suggest you validate it both using JavaScript and using PHP.

As PHP validation will simply resolve your issue.
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 167 total points
ID: 40336998
You mean check where the page has come from?
You can check the referrer but totally unreliable.
On the form page set a session value (e.g. $_SESSION['form-visited']) and on the page that the form submits to check this session value exists, e.g.
if (isset($_SESSION['form-visited'])) {

Nothing is completely 100% foolproof but this is about as good as it gets.
0
 

Author Comment

by:APD_Toronto
ID: 40337024
So, you're saying using a PHP session variable, that way no one can change this...?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40337038
Yep, it's only stored at the server and as long as you are not echoing it out to the browser it cannot be known by the user.
0
 

Author Comment

by:APD_Toronto
ID: 40337055
What if ...

1- The HTML and JavaScript is downloaded on a local machine

2- User goes to the real form on the server, the server creates the session variable

3- User changes URL of same window to point to the local version of their machine, with the adjusted code.

4- User clicks Submit from their local machine that goes to the PHP page on the server. Wouldn't the PHP page pickup the session variable from step 2?
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 166 total points
ID: 40337077
That method won't work.  Sessions normally set a cookie to identify that browser/computer.  The way browsers handle cookies is that the session_id will only be sent if the page is from the original source.  A page on 'localhost' will not send a session_id for a page from the server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40337081
http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention

No one system is going to be 100% foolproof but session is pretty reliable as it only exists while on your site.
0
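As an added example (not code from this thread), here is the token approach described in the CSRF prevention section linked above, written as one self-posting PHP page. The file name form.php, the field names and the session key form_token are assumptions made for the example. session_start() runs on every request, so the token stored when the form was served is still in the session when the form is posted back. The token rejects a forged or blind direct post, which has no valid token for that session, but it does not stop a user who has a live session from saving the page, editing it and posting it back (the scenario in ID: 40337055), so the field values still have to be checked on the server.

```php
<?php
// form.php (added example, not code from this thread): a self-posting form
// protected by a per-session token (the "synchronizer token" pattern).
// Requires PHP 7+ for random_bytes() and the ?? operator.
session_start();

function current_token(): string
{
    // Issue one token per session and keep it until it is consumed.
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_is_valid(string $sent): bool
{
    $stored = $_SESSION['form_token'] ?? '';
    // hash_equals() compares in constant time and rejects length mismatches.
    return $stored !== '' && $sent !== '' && hash_equals($stored, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid((string) ($_POST['form_token'] ?? ''))) {
        http_response_code(403);
        exit('Request rejected: missing or invalid form token.');
    }
    // The token is single-use: drop it so a saved copy of the page
    // cannot be replayed within the same session.
    unset($_SESSION['form_token']);

    // The token only proves the post came from a browser that loaded this
    // form in this session; the submitted values are still untrusted input.
    $comment = trim((string) ($_POST['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 500) {
        http_response_code(400);
        exit('Request rejected: comment must be 1 to 500 bytes.');
    }
    // Escape on output so the echoed value can never become markup.
    echo 'Accepted: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<form method="post" action="form.php">
    <input type="hidden" name="form_token"
           value="<?php echo htmlspecialchars(current_token(), ENT_QUOTES, 'UTF-8'); ?>">
    <textarea name="comment"></textarea>
    <input type="submit" value="Send">
</form>
```

The hidden field is the standard carrier for the token; it is a session-bound secret rather than data the user gains anything by editing, which is why it does not fall under the objection to hidden fields in the question. Run it with `php -S localhost:8080` in the directory holding form.php and post the form once normally and once after removing the hidden field to see the two outcomes.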
 

Author Comment

by:APD_Toronto
ID: 40339672
To test, I just wrote the following 2 pages.

How come on test2.php $currSess always returns '' (empty string)? I realize that in test.php I'm running session_start(), but shouldn't that be carried over to all pages thereafter until session_end() is executed?

//test.php:

<?php
    session_start();
    $_SESSION['sess'] = session_id();
?>

<form method="post" action="test2.php">
    
    <input type="text" name="txtSess" value="<?php echo $_SESSION['sess']; ?>">
    
    <input type="submit">
    
</form>

//test2.php:

<?php
    
    $currSess = session_id();
    $reqSess = $_REQUEST['txtSess'];
    
    echo 'curr = ' . $currSess . ' <br> '
        . 'req = ' . $reqSess . ' <br><br>';
    
    if ($currSess == $reqSess)
    {
        echo 'session is VALID';
    }
    else
    {
        echo 'session is not VALID';
    }

?>

0
 
LVL 58

Expert Comment

by:Gary
ID: 40339685
session_start() is needed on all pages where you are using sessions and before the code
0
 

Author Comment

by:APD_Toronto
ID: 40339742
but wouldn't that keep generating new sessions?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40339765
No, sessions are per user per visit (unless the session times out, which isn't a worry for you anyway)

http://php.net/manual/en/function.session-start.php
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40339771
No, session_start() checks to see if a valid session exists already.  If it does, then it continues the current session and you can access any $_SESSION variables you have set.  It only starts a new session if it does not find an existing one.  This is probably one of the most common misunderstandings about PHP sessions.
0
 

Author Comment

by:APD_Toronto
ID: 40339832
Using the code above, with session_start() in test2.php, I was able to bypass the code using the scenario within ID: 40337055 above.

So, I'll look at the ASP Code in my other post, with the assumption that there's something equivalent in PHP. Otherwise, I'm open to other suggestions.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40339869
" bypass the code"?  What does that mean?  Is that what you want or not?
0
 

Author Comment

by:APD_Toronto
ID: 40339897
If you refer to my original post, I noticed my JavaScript is being bypassed.  I need to prevent this.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40339900
That can't happen because the session cookie is only stored at the original url, if you post from another site (or even locally thru localhost) then there is no session cookie.
0
 

Author Comment

by:APD_Toronto
ID: 40339914
When I went through my 4-step procedure above, using the code, I got "session is VALID"
0
 
LVL 58

Expert Comment

by:Gary
ID: 40339977
No you're right (put my logic head on - what was that tv program where he used to change his head...)
Like we are all saying there is no 100% foolproof way - you can implement all the different things to check like referer and sessions but it won't deter the hardened hacker and that is why you need to cleanse any data sent through a form.
0
 

Author Comment

by:APD_Toronto
ID: 40339988
Is there a PHP equivalent to HTTP_REFERRER and Remote IP?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40339997
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40340139
You can not prevent your javascript from being bypassed.  You can Not.  Spammers and hackers scan websites every day looking for vulnerable forms and post directly to the action pages which bypasses everything on the form page.

Javascript checking and validation on the form page should be there to help the user fill out the form correctly.  PHP checking is to prevent the spammers and hackers from posting nonsense or breaking into your site and databases.
0
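An added example of the server-side checking described above (not code from this thread): a validation function that ignores whatever the browser-side JavaScript did or did not do, with each rule written as an explicit allow-list so that a tampered copy of the form cannot widen it. The file name validate.php and the field names name, email, age and plan are assumptions made for the example; the sample posts in the CLI section are constructed.

```php
<?php
// validate.php (added example, not code from this thread): server-side
// validation of a form post. Requires PHP 7+ for the ?? operator.

/**
 * Returns an array of field => error message; an empty array means the
 * submission is acceptable. Nothing in $post is trusted.
 */
function validate_submission(array $post): array
{
    $errors = [];

    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 60) {
        $errors['name'] = 'Name is required and must be at most 60 bytes.';
    }

    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }

    // Accept only a whole number in a sensible range; "18abc" and "1e3"
    // are both rejected by FILTER_VALIDATE_INT.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    }

    // Select/radio values are re-checked against the server's own list:
    // the <option> elements in the HTML are a hint, never an authority.
    $allowedPlans = ['free', 'basic', 'pro'];
    if (!in_array($post['plan'] ?? '', $allowedPlans, true)) {
        $errors['plan'] = 'Unknown plan selected.';
    }

    return $errors;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples for running the validator from the command line:
    // first the kind of post a tampered form produces, then a clean one.
    $tampered = ['name' => '', 'email' => 'not-an-address', 'age' => '9999', 'plan' => 'admin'];
    print_r(validate_submission($tampered));
    $clean = ['name' => 'Ann', 'email' => 'ann@example.com', 'age' => '34', 'plan' => 'pro'];
    print_r(validate_submission($clean));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_submission($_POST);
    if ($errors !== []) {
        http_response_code(400);
        foreach ($errors as $field => $message) {
            // Escape on output so error text never becomes markup.
            echo htmlspecialchars("$field: $message", ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    // Only validated values reach the rest of the application from here on.
    echo 'Submission accepted.';
}
```

Running `php validate.php` prints the error list for the tampered sample and an empty array for the clean one; behind a web server the same function decides whether the post is processed at all. The JavaScript on the form page can repeat these rules for the user's convenience, but this function is the one that counts.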
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40340235
Here are a pair of simple PHP pages that use the things we've talked about.  Adjust the URLs and file names to suit your situation.
PHPsess01.php
<?php 
error_reporting(E_ALL);
ini_set('display_errors','1');

// Create a unique session ID to use with this page
session_start(); 

$domain = $_SERVER['REMOTE_ADDR'];

?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>PHP Sessions check</title>
</head>
<body>
<h1>PHP Sessions check</h1>
<form action="PHPsess02.php" method="post">
<input type="text" name="innie1" value="innie1" />&nbsp;
<input type="text" name="outie2" value="outie2" />&nbsp;
<input type="submit" value="Submit" />
</form>

</body>
</html>

PHPsess02.php
<?php 
error_reporting(E_ALL);
ini_set('display_errors','1');

// check referrer, if no referrer, exit because it is a direct post
// Note that the referrer URL is a complete absolute URL like http://www.yoursite.com/yourpage.php
// That's why I'm splitting it up to check it.  It could also be 'https://'.
if (isset($_SERVER['HTTP_REFERER'])) {
	$refchk = $_SERVER['HTTP_REFERER'];
	$refchka = explode("//", $refchk);
	if (!isset($refchka[1]) || $refchka[1] != "10.202.46.40/ee2/PHPsessions/PHPsess01.php") exit;
} else {
	// no referrer at all: treat it as a direct post and exit without creating a session
	exit;
}

// Create a unique session ID to use with this page
session_start(); 
$sessid = session_id();

$domain = $_SERVER['REMOTE_ADDR'];

if (!isset($_POST['innie1']))  $innie1 = ''; else $innie1 = $_POST['innie1'];
if (!isset($_POST['outie2']))  $outie2 = ''; else $outie2 = $_POST['outie2'];

?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>PHP Sessions check</title>
</head>
<body>
<h1>PHP Sessions check</h1>
<p>Remote server IP address is: <?php echo $domain ?></p>
<form action="PHPsess02.php" method="post">
<input type="text" name="innie1" value="<?php echo strtoupper ($innie1) ?>" />&nbsp;
<input type="text" name="outie2" value="<?php echo strtoupper ($outie2) ?>" />&nbsp;
<input type="submit" value="Submit" />
</form>

</body>
</html>

0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40354451
0
