Question Regarding Form Security

  • Katash

    Question Regarding Form Security

    ***newbie_request***

    I have a simple program that inserts user details into a MySQL database -
    The form validation is dealt with by another program that contains the html
    form

    I would like to ensure no-one can create a separate form and post to my
    input program thereby bypassing my validation functions

    My question is :- Is there a way I check that the $_POST vars have come from
    a php file on the webserver and halt the sql input with a security warning
    if they're coming from a different source?

    Perhaps I'm approaching this from the wrong angle - Am I?


    TIA

    Dave


  • Jerry Stuckle

    #2
    Re: Question Regarding Form Security

    Katash wrote:
    > ***newbie_request***
    >
    > I have a simple program that inserts user details into a MySQL database -
    > The form validation is dealt with by another program that contains the html
    > form
    >
    > I would like to ensure no-one can create a separate form and post to my
    > input program thereby bypassing my validation functions
    >
    > My question is :- Is there a way I check that the $_POST vars have come from
    > a php file on the webserver and halt the sql input with a security warning
    > if they're coming from a different source?
    >
    > Perhaps I'm approaching this from the wrong angle - Am I?
    >
    >
    > TIA
    >
    > Dave
    >
    >
    Not reliably. But rather, you should be validating the data server-side
    just before inserting it into the database.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================


    • mootmail-googlegroups@yahoo.com

      #3
      Re: Question Regarding Form Security

      Katash wrote:
      > I have a simple program that inserts user details into a MySQL database -
      > The form validation is dealt with by another program that contains the html
      > form
      >
      > I would like to ensure no-one can create a separate form and post to my
      > input program thereby bypassing my validation functions
      >
      > My question is :- Is there a way I check that the $_POST vars have come from
      > a php file on the webserver and halt the sql input with a security warning
      > if they're coming from a different source?
      >
      > Perhaps I'm approaching this from the wrong angle - Am I?
      >
      Before performing the insert, you could check $_SERVER['HTTP_REFERER']
      to see if it matches where you expect the user to come from.
      See: http://us3.php.net/manual/en/reserved.variables.php

      The problem with that, as the PHP manual states, is that not all
      clients provide this information, and if they do, it can't always be
      trusted. So as you asked, you may be approaching from the wrong angle
      here.

      The bottom line in web security is DON'T TRUST ANYTHING. You may have
      already done validation on the form, but if you're sending it somewhere
      else, then check it again when it gets there.


      • Miguel Cruz

        #4
        Re: Question Regarding Form Security

        mootmail-googlegroups@yahoo.com wrote:
        > Katash wrote:
        >> I have a simple program that inserts user details into a MySQL
        >> database - The form validation is dealt with by another program that
        >> contains the html form
        >>
        >> I would like to ensure no-one can create a separate form and post to
        >> my input program thereby bypassing my validation functions
        >>
        >> My question is :- Is there a way I check that the $_POST vars have
        >> come from a php file on the webserver and halt the sql input with a
        >> security warning if they're coming from a different source?
        >>
        >> Perhaps I'm approaching this from the wrong angle - Am I?
        >
        > Before performing the insert, you could check $_SERVER['HTTP_REFERER']
        > to see if it matches where you expect the user to come from.

        Please don't do this. HTTP_REFERER is useless for affirming anything.
        You can only use it in the negative, and even then you should not trust
        it if you'd face adverse consequences for false negatives.

        Katash - How about passing a randomly-generated token in a hidden
        variable on the form and ensuring it comes back intact? Or using
        sessions?

        miguel
        --
        Photos from 40 countries on 5 continents: http://travel.u.nu
        Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
        Airports of the world: http://airport.u.nu
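
Miguel's suggestion of a random token in a hidden field, worked through as an added example (not code from the thread): the form script issues a token bound to the PHP session, and the insert script refuses the POST unless the same token comes back. Function names and the `form_token` field name are assumptions.

```php
<?php
// Added example, not code from the thread: a random per-form token kept in
// the session, emitted as a hidden field, and checked before any SQL runs.
session_start();

// Called by the script that renders the HTML form.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));     // 256 bits from the CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

// Builds the hidden field for the form; the token is escaped for HTML.
function form_token_field(): string
{
    $t = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_token" value="' . $t . '">';
}

// Called by the insert script before it touches the database.
// Returns true only if the POST carries the token this session was issued.
function consume_form_token(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);         // single use, so a replay fails
    $given = $post['form_token'] ?? '';
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given);  // constant-time comparison
}

// Insert script:
if (!consume_form_token($_POST)) {
    http_response_code(403);
    exit('Form token missing or invalid.');
}
// Token accepted: now validate every field server-side, then insert.
```

The token only shows that the POST came through a session that loaded your own form; it does not replace re-validating the fields in the insert script, which is the point the other replies make.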


        • RDizzle

          #5
          Re: Question Regarding Form Security

          > Perhaps I'm approaching this from the wrong angle - Am I?

          YES, if what I'm inferring about your scripts is that the validation
          and insert scripts are separate.

          Your validation and insert/update MySQL scripts should be one and the
          same.

          That way it doesn't matter where the post or get information comes
          from, your server script will always validate the data before inserting
          or updating to mysql.

          Also if you're asking this question because you are trying to defeat
          bots or other auto form filler-outers, think about adding a
          captcha/challenge response to your form.


          • Ivan Marsh

            #6
            Re: Question Regarding Form Security

            On Mon, 31 Jul 2006 20:03:02 +0000, Katash wrote:
            > ***newbie_request***
            >
            > I have a simple program that inserts user details into a MySQL database
            > - The form validation is dealt with by another program that contains the
            > html form
            >
            > I would like to ensure no-one can create a separate form and post to my
            > input program thereby bypassing my validation functions
            >
            > My question is :- Is there a way I check that the $_POST vars have come
            > from a php file on the webserver and halt the sql input with a security
            > warning if they're coming from a different source?
            >
            > Perhaps I'm approaching this from the wrong angle - Am I?

            How would a form from another source have access to your database server?

            --
            The USA Patriot Act is the most unpatriotic act in American history.
            Feingold-Obama '08 - Because the Constitution isn't history,
            It's the law.


            • dawnerd

              #7
              Re: Question Regarding Form Security

              Katash wrote:
              > ***newbie_request***
              >
              > I have a simple program that inserts user details into a MySQL database -
              > The form validation is dealt with by another program that contains the html
              > form
              >
              > I would like to ensure no-one can create a separate form and post to my
              > input program thereby bypassing my validation functions
              >
              > My question is :- Is there a way I check that the $_POST vars have come from
              > a php file on the webserver and halt the sql input with a security warning
              > if they're coming from a different source?
              >
              > Perhaps I'm approaching this from the wrong angle - Am I?
              >
              >
              > TIA
              >
              > Dave

              before you put anything into a database in which a user types or can
              edit in any way, such as any get or post variables, run them through
              mysql_escape_string or mysql_real_escape_string at least.
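
RDizzle's and dawnerd's advice in one receiving script, as an added example that is not code from the thread: every field is validated where the insert happens, and the insert uses a mysqli prepared statement in place of the mysql_real_escape_string() call the post names, so untrusted values are bound as parameters rather than spliced into the SQL text. The `users` table, its columns, the field rules and the connection credentials are assumptions.

```php
<?php
// Added example, not code from the thread: the receiving script validates
// every field itself and inserts with a prepared statement, so it no longer
// matters which form (or no form at all) produced the POST.
declare(strict_types=1);

// Returns ['ok' => bool, 'errors' => string[], 'clean' => typed values].
function validate_user_details(array $post): array
{
    $errors = [];
    $name  = trim((string)($post['name']  ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $age   = (string)($post['age'] ?? '');
    if ($name === '' || strlen($name) > 60) {        // length in bytes
        $errors[] = 'name must be 1-60 bytes';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    // ctype_digit rejects "", signs and whitespace that an (int) cast accepts
    if (!ctype_digit($age) || (int)$age < 13 || (int)$age > 120) {
        $errors[] = 'age must be a whole number from 13 to 120';
    }
    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'clean'  => ['name' => $name, 'email' => $email, 'age' => (int)$age],
    ];
}

// Table `users` with columns name, email, age is assumed.
function insert_user(mysqli $db, array $clean): int
{
    // Values are bound as parameters, never spliced into the SQL string,
    // so there is no escaping step that can be forgotten.
    $stmt = $db->prepare('INSERT INTO users (name, email, age) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $clean['name'], $clean['email'], $clean['age']);
    $stmt->execute();
    return (int)$stmt->insert_id;
}

$result = validate_user_details($_POST);
if (!$result['ok']) {
    http_response_code(400);
    exit('Rejected: ' . implode('; ', $result['errors']));
}
$db = new mysqli('localhost', 'app_user', 'app_password', 'appdb'); // assumed
$db->set_charset('utf8mb4');
insert_user($db, $result['clean']);
```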
