Since it is possible to preform a cross domain php post, I believe this means someone who obtained access to my source code could create their own domain and post any values. Is there a way to disable cross domain posting or do I need to check all of the values in a post to ensure they are valid?
Asked
Active
Viewed 300 times
1
-
You should always check user inputs, it has nothing to do with being cross-domain. POST requests don't even have to come from a web page, they can be made with `curl`. – Barmar Jan 30 '14 at 17:54
-
1Users are the most evil, insane thing on the web. Fortify your code as much as you can. – Mave Jan 30 '14 at 17:56
-
That should be phrased as "**Never** trust user input" ;-) – Funk Forty Niner Jan 30 '14 at 18:06
-
Sounds like [CSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery)? – Marcus Adams Jan 30 '14 at 20:15
2 Answers
2
It has nothing to do with another domain; ANY client anywhere can post any values your server will accept. This is why one of the primary rules of the web is never trust user-supplied data: always check it on the server side. \
Here is some worthy reading on the subject:
Community
- 1
- 1
Digital Chris
- 6,098
- 1
- 16
- 28
1
You better create a random hash like : md5(time().rand(1000,9999)) and,
- Put it in a hidden input value
like:
<input name='token' type='hidden' value='<?php echo $hash ?>' /> - And set
$_SESSION['token'] = $hash;
And, every time that you process the form, check it like :
if($_SESSION['token'] !== $_POST['token']) die('invalid request');
This way, only users that submit the form from your domain will succeed submitting.
Alireza Fallah
- 4,411
- 3
- 27
- 55
-
While this might make it more difficult to script mass spam-submits, it doesn't stop me from accepting data on my remote server (or generating it) and then cURL requesting your form, accepting cookies, and feeding you your token back to you with my data. – Digital Chris Jan 30 '14 at 18:12