How to stop forms on other sites submitting to your scripts

From time to time, many of us web site authors and maintainers put a form on our site which submits data to another site. It might be something as simple as a Google search box or a webmail login page.

If you're developing a page / form which you do not want to be filled in remotely in this way, you can add a hidden field to your form and check that this field really exists, and has the correct value, when you process the page's data. Unfortunately, this hidden field isn't hidden from the knowledgeable user who's familiar with viewing the source of a web page: anyone can copy the field, fixed value and all, into a form on their own site, so this technique alone won't stop the determined hacker. Such a hack, where it's unwelcome, is known as a Cross Site Request Forgery (CSRF) attack: a page on another site causes a visitor's browser to submit a request to yours, carrying that visitor's cookies with it, and your script, seeing a well-formed request, acts on it.

How can you prevent CSRF attacks? Rather than using a fixed hidden field in your form, you can prime your form with an unpredictable, and unique, hidden field value each time you serve it. Then you check each form that's submitted to your web site for the correct hidden field value. Unpredictable matters: a forger can't read your page as it was served to the victim (the browser's same-origin policy stops a page on one site reading another's), so the value must be something they can't guess either. uniqid(), used below, is built from the clock and so is guessable in principle; on PHP 7 and later random_bytes() is the right source.

Here are the various elements of the code (in PHP, in the order they are run):

1. Create a unique ID and add it onto the end of a file of active IDs

  $uid = uniqid("xz");             # clock-based, so guessable: random_bytes() is the better source on PHP 7+
  $fh = fopen("../keys.txt","a");  # list of live keys; keep it outside the web root
  flock($fh, LOCK_EX);             # stop two requests interleaving their writes
  fputs($fh,"$uid\n");
  flock($fh, LOCK_UN);
  fclose($fh);


2. Include a unique ID within a hidden field on the form

  <input type="hidden" name="bov" value="' . $uid . '">

3. When the form is submitted, check that the hidden field is one of the allowed values in the file (we have done this in two stages):

  $bov = isset($_POST['bov']) ? $_POST['bov'] : '';   # quote the key; a missing field becomes ''
  if (preg_match('/^xz/',$bov)) {                      # first stage: cheap check for our prefix
  $mykeys = file("../keys.txt");                       # one key per line, newline kept
  $psn = array_search($bov . "\n",$mykeys) ;           # second stage: exact match against the list
  if ($psn !== FALSE ) {


4. And if the key is one of the ones that's allowed, remove it from the list (to avoid people setting up a form with a constant value because it worked once!), reduce the list to 40 elements (this is bookkeeping to avoid the valid ID file growing for ever), rewrite the reduced valid keys file, and perform the action required. Two caveats on this design are worth knowing. The keys live in one shared file and aren't tied to any particular visitor, so a forger who can fetch your form from their own server can lift a fresh key out of it and embed that in their page; binding each key to the visitor's session (so only the browser the form was served to can spend it) closes that gap, and that is how the framework implementations do it. And the cap of 40 means a visitor whose form sits open while forty more copies are served to other people will be rejected when they eventually press submit, so set the cap with your traffic in mind.

  array_splice($mykeys,$psn,1);                   # a key works once: take it out of the list
  array_splice($mykeys,0,count($mykeys)-40);      # keep only the newest 40 keys
  $fh = fopen("../keys.txt","w");
  flock($fh, LOCK_EX);                            # strictly, one lock should cover the read in step 3 and this write
  fputs($fh,implode("",$mykeys));
  flock($fh, LOCK_UN);
  fclose($fh);
  # Action on data here
  }                                               # end of the key-found test
  }                                               # end of the prefix test

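The whole scheme as a practitioner would write it today, keeping the page's hidden-field name bov but binding each token to the visitor's session instead of a shared file. This is an added example, not the page's own code: it assumes PHP 7.1 or later (for random_bytes(), hash_equals() and nullable type hints); the function names csrf_issue / csrf_field / csrf_verify, the 30-minute token lifetime and the cap of 20 live tokens per session are all this example's own choices; and the token store is passed in as an array so the same functions work on $_SESSION in a web request and on a plain array in the command-line demonstration at the end.

```php
<?php
// Added example (not the page's own code): session-bound, single-use CSRF
// tokens, the "synchronizer token" pattern. Assumes PHP 7.1+. The token
// store is passed in by reference so it can be $_SESSION in a web request
// or a plain array in the demonstration below.

const CSRF_FIELD = 'bov';   // hidden-field name, as on the page
const CSRF_TTL   = 1800;    // seconds a token stays valid (this example's choice)
const CSRF_MAX   = 20;      // live tokens kept per session (this example's choice)

// Issue a fresh token for this visitor and record when it was issued.
function csrf_issue(array &$store, ?int $now = null): string
{
    $now = $now ?? time();
    // 128 bits from the operating system's CSPRNG. uniqid() is built from
    // the clock and is guessable; this is not.
    $token = bin2hex(random_bytes(16));
    $store['csrf'][] = ['token' => $token, 'issued' => $now];
    // Bookkeeping, like the page's 40-key cap: keep only the newest tokens.
    $store['csrf'] = array_slice($store['csrf'], -CSRF_MAX);
    return $token;
}

// The hidden field to embed in the form. The token is plain hex, but it is
// escaped anyway so the habit carries over to values that are not.
function csrf_field(string $token): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Check a submitted value against the tokens issued to this visitor.
// A token is accepted once only, so a replay (or a back-button double
// submit) fails, and only while it is younger than CSRF_TTL seconds.
function csrf_verify(array &$store, $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    // First stage, like the page's prefix check: reject anything not shaped
    // like one of our tokens before touching the store.
    if (!is_string($submitted) || !preg_match('/^[0-9a-f]{32}$/', $submitted)) {
        return false;
    }
    foreach ($store['csrf'] ?? [] as $i => $entry) {
        // hash_equals() takes the same time whether the first or the last
        // byte differs, so response timing leaks nothing about stored tokens.
        if (hash_equals($entry['token'], $submitted)) {
            unset($store['csrf'][$i]);                        // single use
            $store['csrf'] = array_values($store['csrf']);
            return ($now - $entry['issued']) <= CSRF_TTL;
        }
    }
    return false;   // never issued to this visitor, or already spent
}

// In a web request, after session_start(), the store is $_SESSION:
//   GET:  echo '<form method="post">', csrf_field(csrf_issue($_SESSION)), ' ... </form>';
//   POST: if (!csrf_verify($_SESSION, $_POST[CSRF_FIELD] ?? null)) { http_response_code(403); exit; }
//         // action on data here

// Command-line demonstration with a plain array standing in for $_SESSION
// and a fixed clock so the expiry case is reproducible.
if (PHP_SAPI === 'cli') {
    $session = [];
    $other   = [];            // a different visitor's session
    $t0      = 1000000;
    $show = function (string $label, bool $ok): void {
        printf("%-42s %s\n", $label . ':', $ok ? 'accepted' : 'rejected');
    };
    $t = csrf_issue($session, $t0);
    $show('genuine submission', csrf_verify($session, $t, $t0 + 5));
    $show('same token submitted again', csrf_verify($session, $t, $t0 + 6));
    $show('fixed value copied from page source', csrf_verify($session, 'xz4f8a2b1c', $t0));
    $show('well-formed token never issued', csrf_verify($session, str_repeat('0', 32), $t0));
    $t = csrf_issue($session, $t0);
    $show('token issued to another visitor', csrf_verify($other, $t, $t0));
    $show('right visitor, but after the TTL', csrf_verify($session, $t, $t0 + CSRF_TTL + 1));
}
```

Run it from the command line with php and each labelled case prints whether the submission was accepted or rejected. Two things the file-based version above cannot do are visible here: a token lifted from someone else's copy of the form is useless, because it is looked up only in the session it was issued to, and a stale token is refused even though it is otherwise genuine.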

The sample code above has been added to our Melksham diary submission form in order to prevent double submissions (using back and submit buttons) and to prevent people putting a submit form onto their own site. It's really pretty unlikely that a form such as this would be worth duplicating elsewhere for manual entry, but we're also preventing automata that find it and automatically keep filling it in from getting through.

Cross Site Request Forgery protection isn't just needed on a few sites; it's needed on almost any site that accepts a form or other state-changing request. And so many frameworks have it built in: Django, for example, ships CSRF middleware that issues a token tied to the visitor and rejects POST requests that don't carry it, described [here]. Further reading is available [here] and [here].
(written 2012-04-15, updated 2012-04-21)

 


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.


© WELL HOUSE CONSULTANTS LTD., 2019: 404 The Spa • Melksham, Wiltshire • United Kingdom • SN12 6QL
PH: 01225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/3698_How ... ripts.html • PAGE BUILT: Sat May 27 16:49:10 2017 • BUILD SYSTEM: WomanWithCat