How to stop forms on other sites submitting to your scripts

From time to time, many of us web site authors and maintainers put a form on our site which submits data to another site. It might be something as simple as a Google search box or a webmail login page.

If you're developing a page / form which you do not want to be filled in remotely in this way, you can add a hidden field to your form and check that this field really exists, and has the correct value, when you process the page's data. Unfortunately, this hidden field isn't hidden from the knowledgeable user who's familiar with viewing the source of a web page, so this technique alone won't stop the determined hacker. And such a hack, where it's unwelcome, is known as a Cross Site Request Forgery (CSRF) attack.

How can you prevent CSRF attacks? Rather than using a fixed hidden field in your form, you can prime your form with an unpredictable, and probably unique, hidden field value. Then, for each form that's submitted to your web site, check that it carries a hidden field value you actually issued.

Here are the various elements of the code (in PHP - in the order they are run!)

1. Create a unique ID and add it onto the end of a file of active IDs

  $uid = uniqid("xz");
  $fh = fopen("../keys.txt","a");
  fputs($fh,"$uid\n");
  fclose($fh);


2. Include a unique ID within a hidden field on the form

  echo '<input type="hidden" name="bov" value="' . $uid . '">';

3. When the form is submitted, check that the hidden field is one of the allowed values in the file (we have done this in two stages):

  # Stage one: cheap format check, so we only read the file for plausible values
  if (isset($_POST['bov']) && preg_match('/^xz/', $_POST['bov'])) {
    # Stage two: is the value actually one of the keys we issued?
    $mykeys = file("../keys.txt");   # each line keeps its trailing "\n"
    $psn = array_search($_POST['bov'] . "\n", $mykeys);
    if ($psn !== FALSE) {


4. And if the key is one of the ones that's allowed, remove it from the list (to avoid people setting up a form with a constant value because it worked once!), reduce the list to 40 elements (this is bookkeeping to avoid the valid ID file growing for ever), rewrite the reduced valid keys file, and perform the action required.

      array_splice($mykeys, $psn, 1);               # remove the key that has just been used
      array_splice($mykeys, 0, count($mykeys) - 40); # keep only the newest 40 keys
      $fh = fopen("../keys.txt", "w");
      fputs($fh, implode("", $mykeys));
      fclose($fh);
      # Action on data here
    }
  }

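The same four steps, reimplemented in Python as an added example (this is not the article's own code) so that the whole issue / submit / consume cycle can be run stand-alone. It goes a little beyond the PHP above: the keys file is locked during the read-modify-write so two simultaneous submissions cannot lose each other's updates, and the token comes from secrets rather than uniqid(). The file path, the "xz" prefix and the limit of 40 follow the article; fresh_keys_file() is a helper assumed here for the demonstration.

```python
import fcntl
import os
import secrets
import tempfile

MAX_KEYS = 40   # same bookkeeping limit as the article
PREFIX = "xz"   # cheap sanity check before the file is read, as in the article

def fresh_keys_file():
    """Path for a new, empty keys file in a temporary directory (constructed for the demo)."""
    return os.path.join(tempfile.mkdtemp(), "keys.txt")

def issue_token(keys_path):
    """Step 1: create an unpredictable token and append it to the active list."""
    token = PREFIX + secrets.token_hex(16)     # 128 random bits rather than uniqid()
    with open(keys_path, "a") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)           # serialise concurrent writers (added here)
        fh.write(token + "\n")
    return token

def consume_token(keys_path, submitted):
    """Steps 3 and 4: accept a token exactly once, then drop it and trim the list."""
    if not isinstance(submitted, str) or not submitted.startswith(PREFIX):
        return False
    if not os.path.exists(keys_path):          # nothing has been issued yet
        return False
    with open(keys_path, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)           # read-modify-write under one lock
        keys = fh.read().splitlines()
        if submitted not in keys:
            return False
        keys.remove(submitted)                   # one-shot: a replay of the same value fails
        keys = keys[-MAX_KEYS:]                  # keep only the newest 40 outstanding tokens
        fh.seek(0)
        fh.truncate()
        fh.write("".join(k + "\n" for k in keys))
    return True

def demo():
    """The article's flow: a genuine submit, a replay, and a constant pasted into another form."""
    path = fresh_keys_file()
    token = issue_token(path)
    first = consume_token(path, token)         # genuine submission: accepted
    replay = consume_token(path, token)        # back button and submit again: rejected
    forged = consume_token(path, "xz1234")     # value that was never issued: rejected
    return first, replay, forged
```

Because only the newest 40 tokens are kept, a visitor who leaves the form open while more than 40 other forms are issued will have a genuine submission rejected; the frameworks mentioned below avoid this by tying the token to the visitor's own session instead of a shared pool.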

The sample code above has been added to our Melksham diary submission form in order to prevent double submissions (using back and submit buttons) and to prevent people putting a copy of the submit form onto their own site. It's really pretty unlikely that a form such as this would be worth duplicating elsewhere for manual entry, but we're also preventing automata that find it and automatically keep filling it in from getting through.

Cross Site Request Forgery Protection isn't just needed on a few sites - it's pretty universal. And so many frameworks have it built in. There's a Python / Django module, for example, described [here]. And further reading is available [here] and [here].
(written 2012-04-15, updated 2012-04-21)
This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.
PAGE: http://www.wellho.net/mouth/3698_How ... ripts.html • PAGE BUILT: Sun Oct 11 16:07:41 2020 • BUILD SYSTEM: JelliaJamb