InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

Menu
  • Home
  • Sitemap

Python Programming Language Best Tutorials and Code Examples

Learn Python Right Now!
Home
PHP
Protecting Against Form Spoofing in PHP
PHP

Protecting Against Form Spoofing in PHP

InfinityCoder December 20, 2016

You want to be sure that a form submission is valid and intentional.

Add a hidden form field with a one-time token, and store this token in the user’s session:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
 
session_start();
 
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
 
?>
 
<form action="buy.php" method="POST">
<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
<p>Stock Symbol: <input type="text" name="symbol" /></p>
<p>Quantity: <input type="text" name="quantity" /></p>
<p><input type="submit" value="Buy Stocks" /></p>
</form>

When you receive a request that represents a form submission, check the tokens to be sure they match:

1
2
3
4
5
6
7
8
9
session_start();
 
if ((! isset($_SESSION['token'])) ||
    ($_POST['token'] != $_SESSION['token'])) {
 
    /* Prompt user for password. */
} else {
    /* Continue. */
}

This technique protects against a group of attacks known as cross-site request forgeries (CSRF). These attacks all cause a victim to send requests to a target site without the victim’s knowledge.

Typically, the victim has an established level of privilege with the target site, so these attacks allow an attacker to perform actions that the attacker cannot otherwise perform.

For example, imagine Alice is logged in via cookies to a social networking website, then visits another website.

That second website could display a form to Alice that looks harmless, but really submits itself to a URL on that social networking website.

Because Alice’s browser would send login cookies along with the form submission, the social networking website wouldn’t be able to distinguish this malicious form submission from a good one without CSRF protection.
Adding a token to your forms in this way does not prevent a user from forging his own request from himself, but this is not something you can prevent, nor is it something to be concerned with.

If you filter input as discussed in Recipe 18.3, you force requests to abide by your rules.

The technique shown in this recipe helps to make sure the request is intentional.

 

Share
Tweet
Email
Prev Article
Next Article

Related Articles

Validating a Date in PHP
You want to check if a date is valid. For …

Validating a Date in PHP

Indicating Errors and Failures in PHP
You want to indicate that a failure occurred. Return a …

Indicating Errors and Failures in PHP

About The Author

InfinityCoder
InfinityCoder

Leave a Reply

Cancel reply

Recent Tutorials InfinityQuest

  • Adding New Features to bash Using Loadable Built-ins in bash
    Adding New Features to bash Using Loadable …
    June 27, 2017 0
  • Getting to the Bottom of Things in bash
    Getting to the Bottom of Things in …
    June 27, 2017 0

Recent Comments

  • fer on Turning a Dictionary into XML in Python
  • mahesh on Turning a Dictionary into XML in Python

Categories

  • Bash
  • PHP
  • Python
  • Uncategorized

InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

About Us

Start learning your desired programming language with InfinityQuest.com.

On our website you can access any tutorial that you want with video and code examples.

We are very happy and honored that InfinityQuest.com has been listed as a recommended learning website for students.

Popular Tags

binary data python CIDR convert string into datetime python create xml from dict python dictionary into xml python how to create xml with dict in Python how to write binary data in Python IP Address read binary data python tutorial string as date object python string to datetime python

Archives

  • June 2017
  • April 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
Copyright © 2021 InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more
Programming Tutorials | Sitemap