[nycphp-talk] form spoofing
Michael Southwell
michael.southwell at nyphp.com
Tue May 1 11:33:48 EDT 2007
I thought I was following best practices (http://www.nyphp.org/phundamentals/spoofed_submission.php) in creating a comment form for a restaurant client (there is no security issue here; the comments are emailed):
I stored a random token in the session:
session_start();
// one token per session, generated the first time the session is seen
if ( ! isset( $_SESSION['secret'] ) ) {
    $_SESSION['secret'] = uniqid( rand(), TRUE );
}
I hid that token in the form:
<form action="comments.php" method="post" onSubmit="return checkForm(this)">
<input type="hidden" name="secret" value="<?= $_SESSION['secret'] ?>" />
Upon submission, I checked for the token:
// reject if the field is absent or does not match the session token
if ( ! isset( $_POST['secret'] ) || $_POST['secret'] !== $_SESSION['secret'] ) {
    die( 'invalid form submission' );
}
But I still got obvious spoofed submissions, not very many of them,
and all vapid and often nonsensical (a sample: "I consider that
beside Your site there is future!"), but still maddening. So I added
a five-minute timeout:
// deadline set once per session: five minutes after the token is first issued
if ( ! isset( $_SESSION['timeout'] ) ) {
    $timeout = time() + 5 * 60;
    $_SESSION['timeout'] = $timeout;
}
and checked for that as well:
$now = time();
if ( ! isset( $_POST['secret'] ) || $_POST['secret'] !== $_SESSION['secret'] || $now > $_SESSION['timeout'] ) {
    die( 'invalid form submission' );
}
But this hasn't helped much; I still get a few of them, though I
can't figure out how they can be generated. Any advice?
Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses
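Added example (not the poster's code, and not from the nyphp.org article he cites): a self-contained version of the session-token check that the message describes, written the way I would deploy it today. It differs from the snippets above in three places: the token comes from random_bytes() rather than uniqid(rand(), TRUE), the comparison uses hash_equals(), and the five-minute window is measured from the moment the form was rendered rather than from the first request of the session, so a long-lived session does not lock itself out. It assumes PHP 7.1 or later; the function names, field name "secret", file names and the 5-minute lifetime are illustrative assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes PHP >= 7.1
// (random_bytes, hash_equals, nullable return types).
declare(strict_types=1);

const TOKEN_LIFETIME = 5 * 60; // seconds a rendered form stays valid (assumption)

// Call while rendering the form. A fresh token is issued on every render,
// so the timeout starts when the visitor actually received the form.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $session['form_token']        = $token;
    $session['form_token_issued'] = time();
    return $token;
}

// Call in comments.php before touching the rest of $_POST. Returns null when
// the submission is acceptable, otherwise a short reason. The token is
// consumed on every attempt, so a captured token cannot be replayed.
function check_form_token(array &$session, array $post, int $now): ?string
{
    $expected = $session['form_token']        ?? null;
    $issued   = $session['form_token_issued'] ?? 0;
    unset($session['form_token'], $session['form_token_issued']); // one-time use

    if ($expected === null) {
        return 'no token issued for this session';
    }
    if (!isset($post['secret']) || !is_string($post['secret'])) {
        return 'token missing from submission';
    }
    if (!hash_equals($expected, $post['secret'])) {  // constant-time compare
        return 'token does not match';
    }
    if ($now - $issued > TOKEN_LIFETIME) {
        return 'form expired';
    }
    return null;
}

// Rendering the form (the page that contains <form action="comments.php">):
//   session_start();
//   $token = issue_form_token($_SESSION);
//   echo '<input type="hidden" name="secret" value="'
//      . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
//
// Handling the submission (comments.php):
//   session_start();
//   if (($why = check_form_token($_SESSION, $_POST, time())) !== null) {
//       http_response_code(400);
//       die('invalid form submission');   // log $why server-side, do not echo it
//   }

// Self-check against a constructed session and POST array; run from the CLI.
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

if (PHP_SAPI === 'cli') {
    $session = [];
    $token   = issue_form_token($session);
    expect(check_form_token($session, ['secret' => $token], time()) === null,
           'fresh token is accepted');
    expect(check_form_token($session, ['secret' => $token], time()) === 'no token issued for this session',
           'replaying a consumed token is rejected');

    issue_form_token($session);
    expect(check_form_token($session, ['secret' => 'x'], time()) === 'token does not match',
           'wrong token is rejected');

    issue_form_token($session);
    expect(check_form_token($session, [], time()) === 'token missing from submission',
           'missing field is rejected');

    $token = issue_form_token($session);
    expect(check_form_token($session, ['secret' => $token], time() + TOKEN_LIFETIME + 1) === 'form expired',
           'token older than the lifetime is rejected');

    echo "token checks behave as expected\n";
}
```

One caveat worth stating plainly: a token like this only stops submissions that were built without first fetching the form, which is the spoofing case the cited nyphp.org article is about. A script that requests the form page, keeps the session cookie, reads the hidden field and posts within the lifetime passes every check above, and the one-time-use and timeout rules cost it nothing. Filtering that kind of traffic needs a signal the form itself does not carry (rate limiting per address, a challenge, or content filtering), which is a separate problem from the token check.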