
Thread: PHP _POST processing from different servers

  1. #1
    Join Date
    Oct 2013
    Posts
    7

    PHP _POST processing from different servers

    I was wondering if it is possible for other servers to send POST to my server?

    For example, let's say I have a page that requires certain POST parameters be set so that they can see the page. Is it possible for someone to write a simple script on their own site that sends these POST parameters to my site? Such as a transaction page that uses a $_POST['item'] and displays details on it.

    If so, isn't this a huge security breach? How can I prevent this?

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,616
    Sure it's possible. I do it for legitimate reasons all the time using PHP's cURL functions. It's only a huge security breach if you allow non-logged-in users to perform actions that would be potentially detrimental, or you don't use sufficiently strong log-in techniques to prevent unauthorized access.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
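Added example, not code from the thread or from either poster: one way to write the "transaction page" from post #1 so that it follows post #2's advice. A POST arriving from another server, or from a browser that never logged in, carries no valid session cookie and is refused before anything is displayed. The script assumes a login page that sets `$_SESSION['loggedin']` (an assumed name, not from the thread) and uses a constructed `$catalog` array in place of a database lookup.

```php
<?php
// Added example (not from the thread): process the posted item only for a
// logged-in session, and validate the posted value instead of trusting it.
// Assumes login.php sets $_SESSION['loggedin'] = true (assumed name).
declare(strict_types=1);

session_start();

// 1. Authentication gate: no valid session cookie, no page.
if (empty($_SESSION['loggedin'])) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Only accept the method the form is supposed to use.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('POST only.');
}

// 3. Never trust the posted value: validate its type and look the item up
//    server-side rather than echoing whatever the client sent.
$item = filter_input(INPUT_POST, 'item', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($item === false || $item === null) {
    http_response_code(400);
    exit('Invalid item.');
}

// Constructed sample data standing in for a database query.
$catalog = [
    1 => ['name' => 'Widget', 'price' => '9.99'],
    2 => ['name' => 'Gadget', 'price' => '24.50'],
];
if (!isset($catalog[$item])) {
    http_response_code(404);
    exit('No such item.');
}

// 4. Escape on output so item data cannot inject markup into the page.
$row = $catalog[$item];
printf(
    '<p>Item %d: %s at $%s</p>',
    $item,
    htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($row['price'], ENT_QUOTES, 'UTF-8')
);
```

The session check is what post #2 means by not letting non-logged-in users reach sensitive actions; the validation and escaping steps cover the separate risk that a logged-in user posts a malformed `item` value.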

  3. #3
    Join Date
    Oct 2013
    Posts
    7
    So I could use a session to prevent this?

    What if I don't allow anyone to access the script that processes the _POST form without _SESSION['loggedin'], they won't be able to? Will they be able to make their own _POST script and go to that page if they were also logged in to my site with that session?

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,616
    Quote Originally Posted by ValNZ:
    So I could use a session to prevent this?

    What if I don't allow anyone to access the script that processes the _POST form without _SESSION['loggedin'], they won't be able to?
    Yes, that would be a typical approach.

    Will they be able to make their own _POST script and go to that page if they were also logged in to my site with that session?
    Yes, they could. They could even write a cURL script to go to the login page, enter their login credentials, and save the resulting session ID cookie, which they would then send with their POST request so that they have a valid session. If they are smart enough and find it worthwhile enough to do so, you'll likely never be able to tell whether it's from a "live" source or a script. If it's really a problem for you, then you could try adding a "captcha" field to the form. Even that is somewhat vulnerable if they really, really want to do this. (E.g.: their script could grab the captcha image, send it to some sweat shop in a 3rd world country where some poor soul sits there waiting to type in a response, which the script then uses to submit its request to your site.)

  5. #5
    Join Date
    Oct 2013
    Posts
    7
    So there's no way to stop this except using a captcha?

    Would having a session that, say, stores the last page the user was on stop this?

    e.g., on the form page set _SESSION['lastpage'] to the page, and on the resulting form submit page, if that 'lastpage' session is not the form page, then redirect them?

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,616
    In which case they could add a step to their script to go to that page first, then call the form processing page. This assumes, of course, that they are clever enough and/or persistent enough to guess that this is a required step. Also, in addition to cURL, there are probably browser-based tools that could do all of this, too (such as those designed for automated web testing -- though they'd have the same problems dealing with captcha images.)
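Added example, not code from the thread or from either poster: the "remember the last page" idea from post #5, done with a random one-time token instead of a page name. A single script serves the form on GET (storing a fresh token in the session) and verifies the token on POST before processing. It assumes `$_SESSION['loggedin']` is set by the site's login page (an assumed name, not from the thread).

```php
<?php
// Added example (not from the thread): a per-session, single-use form token.
// GET issues the token with the form; POST must return it unchanged.
// Assumes the login page sets $_SESSION['loggedin'] = true (assumed name).
declare(strict_types=1);

session_start();

if (empty($_SESSION['loggedin'])) {
    http_response_code(403);
    exit('Login required.');
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Unguessable token tied to this session; stored server-side, sent once.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    ?>
    <form method="post" action="">
        <input type="hidden" name="form_token"
               value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
        <label>Item ID <input type="text" name="item"></label>
        <button type="submit">Show details</button>
    </form>
    <?php
    exit;
}

// POST: the token must match the one issued to this session. It is removed
// first so that a captured request cannot be submitted a second time.
$expected = (string) ($_SESSION['form_token'] ?? '');
$given    = (string) ($_POST['form_token'] ?? '');
unset($_SESSION['form_token']);

// hash_equals compares in constant time, so timing does not leak the token.
if ($expected === '' || !hash_equals($expected, $given)) {
    http_response_code(403);
    exit('Form token missing or invalid.');
}

$item = filter_input(INPUT_POST, 'item', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($item === false || $item === null) {
    http_response_code(400);
    exit('Invalid item.');
}

echo 'Processing item ' . $item . ' for the logged-in user.';
```

As post #6 says, this does not stop a user who is already logged in from scripting their own requests: their script can fetch the form, read the hidden field, and post it back. What a random token adds over a stored page name is protection for the logged-in user against a third-party page that makes their browser submit the form without their knowledge, since the attacker's page cannot read the token, whereas `_SESSION['lastpage']` is set by merely visiting the form page.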
