Question Regarding Form Security

Katash wrote:

***newbie_request***

I have a simple program that inserts user details into a MySQL database -
The form validation is dealt with by another program that contains the html
form

I would like to ensure no-one can create a separate form and post to my
input program thereby bypassing my validation functions

My question is :- Is there a way I check that the $_POST vars have come from
a php file on the webserver and halt the sql input with a security warning
if they're coming from a different source?

Perhaps I'm approaching this from the wrong angle - Am I?
TIA

Dave

Not reliably. But rather, you should be validating the data server-side
just before inserting it into the database.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Katash wrote:

I have a simple program that inserts user details into a MySQL database -
The form validation is dealt with by another program that contains the html
form

I would like to ensure no-one can create a separate form and post to my
input program thereby bypassing my validation functions

My question is :- Is there a way I check that the $_POST vars have come from
a php file on the webserver and halt the sql input with a security warning
if they're coming from a different source?

Perhaps I'm approaching this from the wrong angle - Am I?

Before performing the insert, you could check $_SERVER['HTTP_REFERER']
to see if it matches where you expect the user to come from.
See: http://us3.php.net/manual/en/reserved.variables.php

The problem with that, as the PHP manual states, is that not all
clients provide this information, and if they do, it can't always be
trusted. So as you asked, you may be approaching from the wrong angle
here.

The bottom line in web security is DON'T TRUST ANYTHING. You may have
already done validation on the form, but if you're sending it somewhere
else, then check it again when it gets there.

mo*******************@yahoo.com wrote:

Katash wrote:

>I have a simple program that inserts user details into a MySQL
database - The form validation is dealt with by another program that
contains the html form

I would like to ensure no-one can create a separate form and post to
my input program thereby bypassing my validation functions

My question is :- Is there a way I check that the $_POST vars have
come from a php file on the webserver and halt the sql input with a
security warning if they're coming from a different source?

Perhaps I'm approaching this from the wrong angle - Am I?

Before performing the insert, you could check $_SERVER['HTTP_REFERER']
to see if it matches where you expect the user to come from.

Please don't do this. HTTP_REFERER is useless for affirming anything.
You can only use it in the negative, and even then you should not trust
it if you'd face adverse consequences for false negatives.

Katash - How about passing a randomly-generated token in a hidden
variable on the form and ensuring it comes back intact? Or using
sessions?

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu

Perhaps I'm approaching this from the wrong angle - Am I?

YES, if what i'm inferring about your scripts is that the validation
and insert scripts are separate.

Your validation and insert/update MySQL scripts should be one and the
same.

That way it doesn't matter where the post or get information comes
from, your server script will always validate the data before inserting
or updating to mysql.

Also if you're asking this question because you are trying to defeat
bots or other auto form filler-ourters think about adding a
captcha/challenge response to your form.

On Mon, 31 Jul 2006 20:03:02 +0000, Katash wrote:

***newbie_request***

I have a simple program that inserts user details into a MySQL database
- The form validation is dealt with by another program that contains the
html form

I would like to ensure no-one can create a separate form and post to my
input program thereby bypassing my validation functions

My question is :- Is there a way I check that the $_POST vars have come
from a php file on the webserver and halt the sql input with a security
warning if they're coming from a different source?

Perhaps I'm approaching this from the wrong angle - Am I?

How would a form from another source have access to your database server?

--
The USA Patriot Act is the most unpatriotic act in American history.
Feingold-Obama '08 - Because the Constitution isn't history,
It's the law.

Katash wrote:

***newbie_request***

I have a simple program that inserts user details into a MySQL database -
The form validation is dealt with by another program that contains the html
form

I would like to ensure no-one can create a separate form and post to my
input program thereby bypassing my validation functions

My question is :- Is there a way I check that the $_POST vars have come from
a php file on the webserver and halt the sql input with a security warning
if they're coming from a different source?

Perhaps I'm approaching this from the wrong angle - Am I?
TIA

Dave

before you put anything into a database in which a user types or can
edit in anyway, such as any get or post variables, run them through
mysql_escape_string or mysql_real_escape_string at least.