How do I prevent others from sending their own data to my php page?

Backend · unresolved · 5 answers · 1882 views
孤独总比滥情好 2020-12-20 04:01

Suppose I have a registration page on my website that contains a registration form:

5 answers
  • 2020-12-20 04:39

    You can include a token in your form that only your site would know (and store it in a session variable). Then when the form is submitted you check to see if that token exists and is valid. If it is, continue processing the form. If it isn't, throw an error.

    This is also very useful for defending against Cross-Site Request Forgery (CSRF) attacks.

  • 2020-12-20 04:43

    One method is to have a token (which could be a long string of random letters and numbers) that you place in a hidden input field in your form. For example:

    <form action="register.php" method="post">
        <input type="hidden" name="token" value="345kfnakvngk3kglvnd00dsg9" />
    </form>
    

    Then when you process your form submit you can check to see if this token exists and it matches the token you are expecting. Of course someone could easily check your source code to find the token so you may want to make a token that expires.

    For example when the page with the form loads you could save the token to a session

    $_SESSION['token'] = '345kfnakvngk3kglvnd00dsg9';
    

    then you can check to see if the $_POST value matches the value in the session. Using a new token on each page request makes it more secure.

    Using this kind of approach should go some way to stopping spammers, but you still need to be careful with what you do for the form submissions that you do process. Basically, a good rule is to treat anything that gets submitted through your form as a threat, so you will want to

    • Sanitize any data that you are going to insert into your database
    • Strip out any JavaScript that may have been injected
    • Only allow files with certain extensions to be uploaded

    etc

  • 2020-12-20 04:45

    Given:

    • Alice, a person with a browser
    • Bob, a person with a site (you)

    There is no way for Bob to control what Alice submits. Your HTTP server is your public interface and you don't control what goes on outside it.

    You must:

    • decide how much you trust the data coming in (auth / authz can help here)
    • sanity check submitted data (to see if it looks plausible (is this date a date? is this the 3rd account registration from the same IP address in the last 10 minutes? etc.))
    • escape data before using it as code (e.g. in SQL statements or HTML documents)

    If we add to the list of players:

    • Mallory, a malicious person with another site

    You can make it very hard for Mallory to trick Alice into submitting malicious data (which would arrive with Alice's user credentials). The usual defences against CSRF (i.e. tokens that are unique per session and stored in the session data and in the form as a hidden input) should be used.

  • 2020-12-20 04:47

    After submitting the form, the request goes to a PHP page. In that page you use the below code to check if it's coming from your domain:

    // HTTP_REFERER is not always sent by the browser, so default to an empty string
    $referer = $_SERVER['HTTP_REFERER'] ?? '';

    if (parse_url($referer, PHP_URL_HOST) === "yourdomain.com") {
        // process the request
    } else {
        echo "Sorry";
    }


    EDIT: Agree. This is not secure. Just a bad hack

  • 2020-12-20 04:49

    Create a random token and send it along with the form data as a hidden HTML element. Bind the token to the user session and validate it once the form is submitted/posted back. The other guy cannot send this random token, as your server will not have that token in the session.

    Also use the X-Frame-Options header to avoid usage of your page as an iframe in his website. Hope this helps.

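The session-bound, expiring, single-use token that the 04:39, 04:43 and 04:49 replies describe, written out as one added example (not code from any of the answers; the function names, the `csrf` session key and the 15-minute lifetime are this example's own choices):

```php
<?php
// Added example: per-request CSRF token bound to the PHP session, with expiry.
// Names and the 15-minute TTL are this example's own choices, not from the replies.

const TOKEN_TTL_SECONDS = 900; // tokens older than 15 minutes are rejected

// Call when rendering the form; returns the value for the hidden input.
function csrf_issue_token(): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG, 64 hex characters
    $_SESSION['csrf'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Call when handling the POST. Returns true only for a fresh, matching token.
function csrf_validate_token(?string $submitted): bool
{
    $stored = $_SESSION['csrf'] ?? null;
    unset($_SESSION['csrf']); // single use: a replayed token fails even if it matched
    if ($submitted === null || $stored === null) {
        return false;
    }
    if (time() - $stored['issued'] > TOKEN_TTL_SECONDS) {
        return false; // expired
    }
    // Constant-time comparison so the check does not leak the token through timing.
    return hash_equals($stored['value'], $submitted);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired form token');
    }
    // Still validate and escape every other field before using it, as the replies note.
    echo 'Registration accepted';
} else {
    $token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form action="register.php" method="post">
    <input type="hidden" name="token" value="{$token}" />
    <input type="text" name="username" />
    <button type="submit">Register</button>
</form>
HTML;
}
```

Because the token lives in the session, the session cookie itself should be sent with `HttpOnly` and a `SameSite` attribute so that the token cannot be read by injected script or paired with a cross-site request.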