Question

I have set up a rather complicated HTML form that uses the jQuery Validate plugin with several required fields and various rules. The form is working great. It POSTs to a separate PHP processor file that does a number of things such as send a couple of emails and eventually sends the user to PayPal. (It is a club membership application.) It appears that it only took about a week for some type of "bot" to find the processor file and start running it directly over and over. About 500 emails & apps were generated before I caught it and stopped it by renaming the files temporarily. At the time it was happening I wasn't quite sure exactly what was going on, but after evaluating it for most of the day I came to realize that it couldn't be a result of the main form being executed, but of just running the processor file directly.

So...my question is this: How can I keep this from happening? There must be some type of coding to include that will ensure that the processor can't run unless it is really coming from the real HTML form...or is there a better way? I followed all of the "examples" on the 'Net in regards to forms and POSTing but nowhere did I see anything that relates to this type of problem.


The solution

Generally this can be reduced by adding a CSRF token to the form.

Set a random SHA/MD5 value in your session, and set that value in the form also as a hidden input. When a legitimate user sends the form, that value will be passed along too; validate and check the passed value against the one in the session. If all is good, process.

If it's a bot, the bot would need to parse the form for the CSRF token first. Or you could step up and make that security key an image and make the user type it (CAPTCHA).

How to properly add CSRF token using PHP

It's something you should also add to your login forms etc., else you'll have bots brute forcing their way in.

Other tips

Maybe you could add a $_SESSION[] global variable on the form page. Then check it on your processing page and unset it after execution. Sounds like the simplest way to me, but you should hear out what others suggest. You can find documentation on $_SESSION[] variables here: PHP $_SESSION

Add a token to the form when generating the page, and save it into the session.

When you got the post data, check the token with the one in the session.

And you probably want to use CAPTCHA code to protect yourself from the bots.
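The session-token scheme described in the accepted answer and in the two tips above, written out as an added PHP example (not code from any of the answers). It assumes PHP 7 or later for random_bytes() and hash_equals(), and the file names form.php and process.php are placeholders for the asker's form and processor.

```php
<?php
// Added example: CSRF token for a form page (form.php, assumed name) and
// its POST processor (process.php, assumed name). Requires PHP >= 7.
session_start();

// form.php side: mint one unpredictable token per session and keep it there.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to echo inside the <form>; escaped so it cannot break the HTML.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// process.php side: accept only a POST carrying the token stored in the session.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false; // no session token (direct hit on the processor) or bad type
    }
    // hash_equals() compares in constant time, so the check leaks no timing info.
    $ok = hash_equals($expected, $given);
    // Single use: drop the token so the same submission cannot be replayed.
    unset($_SESSION['csrf_token']);
    return $ok;
}

// process.php: run the check before sending any email or redirecting to PayPal.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        error_log('Rejected form POST without valid CSRF token from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Invalid form submission.');
    }
    // ... legitimate processing continues here ...
}

// form.php: inside the <form> element, emit the hidden field.
// echo csrf_field();
```

A bot that POSTs straight to process.php has no session and no token, so every such request ends in the 403 branch and a log line, while a browser that loaded form.php first passes.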

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow