
Hiding the action on a page when the source is viewed?


trantron (Programmer, joined Feb 12, 2004):
The problem is that I have a validated form to collect basic info from the user like name and email etc. If one views the source code the action is visible, so along with that the name of the next php file can easily be identified. This php file is where the information is sent to the database.

This weekend somebody went on the site and bypassed the validated form that collects the information and just went straight to the php file, resulting in empty files being sent to the database. They did this repeatedly.

How can I prevent people from seeing or accessing that php file?

Thanks in advance
 
Use sessions to be certain that the user has been coming from your own site.

- - picklefish - -
Why is everyone in this forum responding to me as picklefish?
 
A simpler way may be to just put a hidden field in the form and give it some value for example:
<input type="hidden" name="autho" value="whatever">

and then right at the top of your php script that processes that form put this (assuming the method is POST):


if (empty($_POST['autho'])) {
    // then they didn't come from your form and should be redirected to it
    header("Location: /your-form.php"); // placeholder: the URL is cut off in the original post
    exit;
}
 
Thanks.
Do you have any links handy that you can send me to for more info?
 
Can't the external site also include the same hidden field?

I direct-link to remote forms all the time and hidden links are no obstacle for an idiot like me. The only way to ensure that this remote form submission does not work is to establish a relationship with your visitor before they reach the form submission page. You can do this with cookies, sessions, or checking for referrer URLs. Sessions are most reliable.

- - picklefish - -
Why is everyone in this forum responding to me as picklefish?
 
Thanks Smashing. I think I will try this.
 
Ooops - one more method that I missed was a user challenge. You have most likely seen this before when doing registrations for email at yahoo.com or whois lookups at A small text string is presented as a graphic in the web page and the user must type the string in a form field to recognize that a human being is sending the form, not an automated function.

phpclasses.org has a good library of code to experiment with.

- - picklefish - -
Why is everyone in this forum responding to me as picklefish?
 
jimoblak, I'm not that much of a genius (or idiot!) myself, I found this in the book that taught me PHP "PHP fast & easy web development" by Julie C. Meloni. I guess if you're really committed to hacking a site you could overcome this by creating a form yourself and posting it to that script, but it probably would stop the average troublemaker with just a little more than average html knowledge. Besides, don't those browser messages for not accepting cookies get activated for sessions as well?
 
That's a good book but it and many others focus on 'fast and easy' while doing little with security. I'm still looking for a good book on that.

The problem that can occur with a hidden field is if it uses a static variable. So if I copy the hidden field into my own form, I could use it forever to submit to another site. You can defeat this if you pass a time-sensitive variable in the hidden field and verify the variable when it is accepted by your own server. But this can get more confusing than simply using sessions.

Employing a counter with sessions can also prevent multiple submissions, even if from your own form.

Hopefully those too paranoid to enable cookies will not be submitting their name and email on trantron's form.

I'm not discounting the hidden field idea. Trantron can simply cycle through all of the options listed here as each one is defeated. In a year or two we'll need to authenticate data submissions with a thumbprint and retina scan. I'm already hard at work trying to figure ways to defeat those identity checks.

- - picklefish - -
Why is everyone in this forum responding to me as picklefish?
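The session-bound, time-sensitive hidden field and the single-use "counter" that jimoblak describes, combined into one script, as an added example that is not code from any poster in this thread. The field name `autho` comes from the thread; `TOKEN_TTL`, the function names, the session keys and the `/contact.php` redirect path are this example's own assumptions.

```php
<?php
// Added example: a session-bound, time-limited, single-use form token.
// The token is minted when the form is rendered and consumed when it is posted,
// so a copied hidden field cannot be replayed from another site or a second time.
session_start();

const TOKEN_TTL = 600; // seconds a rendered form stays valid (assumed value)

// Call when rendering the form: mint a fresh token bound to this session.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

// Call at the top of the processing script: returns true at most once per token.
function consume_form_token(?string $submitted): bool {
    $stored = $_SESSION['form_token'] ?? null;
    $issued = $_SESSION['form_token_time'] ?? 0;
    // Always clear the token first, so even a valid one cannot be submitted twice.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    if ($stored === null || $submitted === null) {
        return false; // no form was rendered in this session, or no field was posted
    }
    if (time() - $issued > TOKEN_TTL) {
        return false; // the form was rendered too long ago
    }
    return hash_equals($stored, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['autho'] ?? null)) {
        header('Location: /contact.php'); // placeholder path of the form page
        exit;
    }
    // Re-validate name and email server-side here before writing to the database;
    // client-side validation alone is what the direct POST bypassed.
    echo 'Thanks, your details were received.';
} else {
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="autho" value="' . $token . '">'
       . 'Name: <input name="name"> Email: <input name="email"> '
       . '<button type="submit">Send</button></form>';
}
```

Because the token is only ever stored in the session, a visitor who never loaded the form in that session has nothing to submit, which is the "relationship before the submission page" jimoblak recommends.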
 