SYSTEM SECURITY EMERGENCY!!!

[jami045]

Hello my php'ers I have a problem with the security of a system I am trying to develop, and it is the following: I have no idea of how to authenticate who is sending the POST vars to my script, and I am worried someone could "Save As" the introduction form and introduce unwanted info in my system. does anyone have ideas about how to authenticate the sending form or URL? I need this urgently so I will be gratefull to anyone that answers my question...

in other words how can I know if it was my own submition form or a hacking copy of my form who sent the $HTTP_POST_VARS['foo'] to my script????

I am worried someone is introducing data from an unwanted location or machine violating my security capabilities.

some ideas of how to secure my script?

[liquedus]

maybe use sessions to verify that someone has a valid session from your site, otherwise reject the info

or maybe check HTTP_REFERRER

just a thought.

[jami045]

THANK YOU!!, I made this code out and it works, I verify if the request method is POST, and if my host is in the HTTP_REFERER... I hope this helps people that had the same question as I did. :lol:

Code: Select all

<?php
if ($_SERVER['REQUEST_METHOD']=="POST"){
   if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 || !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])){
         die(""); //or maybe EXIT;
    }
}
?>

[mike]

I will also suggest HTTP_REFERER... its simple and great :wink: