Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting

PHP Server Side Scripting Forum

    
How can I block remote post to a form?
peace




msg:4191718
 1:18 am on Aug 25, 2010 (gmt 0)

Hi there,

I'm running a php based website and I'm getting a lot of posts to my forms remotely.

Is there any way to prevent this using PHP or .htaccess? Any tip, or a site where I should start?

Thank you in advance.

 

SevenCubed




msg:4191745
 2:55 am on Aug 25, 2010 (gmt 0)

Validate for a http referrer. At the top of your form handling page you can add something like this:

<?php

// Reject form submissions whose Referer header is not our own contact page.
$origin = "https://example.com/contact.php";
// Read the header with isset() so a missing Referer (direct load, privacy
// settings, most bots) does not raise "Notice: Undefined index".
$referral = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
$refervalid = 0;
if ($referral == $origin) $refervalid = 1;
if (!$refervalid) {
    // Not from our form: send the visitor back to the contact page.
    echo "<script type=\"text/JavaScript\"><!--\n ";
    echo "top.location.href = \"$origin\"; \n// --></script>";
    exit;
}

?>

What the above does is that if the source of your form being filled out didn't come from your own site, or if the UA is an empty string like many badbots, it will send the request back to your contact page to be submitted.
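As an added example (not SevenCubed's code), here is the same Referer idea written so it also works when the form is reached from many dynamically generated product pages: only the host part of the header is compared, an absent or malformed header is treated as foreign, and the comparison is exact rather than a substring match. The hostname, function name and the sample request environments are assumptions for illustration.

```php
<?php
// Added example, not SevenCubed's code: compare only the host part of the
// Referer against this site's host, so any page on the site (including
// dynamically generated product pages) can be the origin of the form.
// The hostname and the function name are assumptions.

function refererHostMatches(array $server, string $expectedHost): bool
{
    // Browsers may omit the header (privacy settings, direct navigation,
    // some cross-scheme transitions); many bots send none at all.
    if (!isset($server['HTTP_REFERER']) || $server['HTTP_REFERER'] === '') {
        return false;
    }

    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || empty($parts['host'])) {
        return false;               // malformed or relative value: treat as foreign
    }

    // Exact, case-insensitive host comparison. A substring test such as
    // strpos() would also accept https://example.com.evil.test/ as our own.
    return strcasecmp($parts['host'], $expectedHost) === 0;
}

$site = 'example.com';              // assumed host of this site

// In the real handler, run the check on $_SERVER before any output and send
// foreign or missing referers back to the form instead of processing the post.
if (PHP_SAPI !== 'cli' && !refererHostMatches($_SERVER, $site)) {
    header('Location: https://example.com/contact.php', true, 303);
    exit;
}

// Constructed request environments showing the three outcomes (CLI demo).
$cases = [
    'own product page' => ['HTTP_REFERER' => 'https://example.com/products/42'],
    'lookalike host'   => ['HTTP_REFERER' => 'https://example.com.evil.test/contact.php'],
    'no header'        => [],
];
foreach ($cases as $label => $env) {
    printf("%-17s => %s\n", $label, refererHostMatches($env, $site) ? 'accept' : 'bounce');
}
```

Two caveats a practitioner should keep in mind: the Referer header is set by the client, so anything scripted can send whatever value it likes, and some legitimate visitors arrive with the header stripped by a browser or proxy and get bounced. It filters lazy bots; it is not a proof that the form page was visited.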

peace




msg:4191746
 3:04 am on Aug 25, 2010 (gmt 0)

SevenCubed, thank you for the code. You know what, the form is dynamically referred from the product's page, so I can't fix a static $origin. Maybe it is possible, but I'm still learning.
Thanks.

SevenCubed




msg:4191750
 3:11 am on Aug 25, 2010 (gmt 0)

Oops, wait a minute, that code above works but it also has a "Notice: Undefined index" error; give me a few minutes and I'll rework it and repost.

peace




msg:4191754
 3:14 am on Aug 25, 2010 (gmt 0)

Thanks

SevenCubed




msg:4191755
 3:34 am on Aug 25, 2010 (gmt 0)

Actually it should be ok, I'm getting messed up here with my own environment variables. I just tried it on a live server with javascript disabled and didn't get any error then with javascript enabled and it performed as expected.

Hope it is something you can work with or rework as you said. Maybe someone else might jump in with something easier too because there are always so many ways to accomplish the same need.

SevenCubed




msg:4191760
 3:55 am on Aug 25, 2010 (gmt 0)

Ohhh it's been a long day. In the above I only considered for if someone is trying to load your validating page directly. I forgot to account for a submission from your form so this should be it:

<?php

$referral = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$origin = "https://example.com/contact.php";
// Value your form sends in its hidden "validated" field; replace the placeholder.
$expected = 'variable-passed-from-form';
$validated = isset($_POST["validated"]) ? $_POST["validated"] : '';
$refervalid = 0;
if ($referral == $origin) $refervalid = 1;
// Send the visitor back to the form if either the Referer or the hidden field is wrong.
if ((!$refervalid) OR ($validated != $expected)) {
    echo "<script type=\"text/JavaScript\"><!--\n ";
    echo "top.location.href = \"$origin\"; \n// --></script>";
    exit;
}

?>

But please do try it in non-production environment first because I didn't test this last one but have to get out of here for the night :)
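Added example, not SevenCubed's code: a fixed value in the hidden field can be copied once from the page source and replayed forever, so this block replaces it with a token that the form page signs and the handler verifies. The form identifier and issue time are covered by an HMAC under a server secret, the token expires, and the comparison is constant-time. No per-visitor state is stored. The secret, the form identifier, the lifetime and the sample checks are assumptions for illustration; the form identifier must not contain the "|" separator.

```php
<?php
// Added example, not SevenCubed's code: a signed, expiring form token in
// place of a fixed hidden value. Secret, form id and lifetime are assumptions.

const FORM_TOKEN_LIFETIME = 3600;   // seconds a rendered form stays submittable

function issueFormToken(string $secret, string $formId, int $now): string
{
    // The MAC covers the form identifier and the issue time, so a token taken
    // from one form cannot be replayed against another or kept alive by
    // editing its timestamp.
    $payload = $formId . '|' . $now;
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload . '|' . $mac);
}

function verifyFormToken(string $secret, string $formId, string $token, int $now): bool
{
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return false;
    }
    [$tokenFormId, $issued, $mac] = $parts;
    if ($tokenFormId !== $formId || !preg_match('/^\d{1,12}$/', $issued)) {
        return false;
    }
    $issuedAt = (int) $issued;
    if ($issuedAt > $now || $now - $issuedAt > FORM_TOKEN_LIFETIME) {
        return false;                   // expired, or an issue time in the future
    }
    // Recompute and compare in constant time; == on the hex string leaks timing.
    $expected = hash_hmac('sha256', $tokenFormId . '|' . $issued, $secret);
    return hash_equals($expected, $mac);
}

// The secret must come from configuration, never from the page source. Assumed value.
$secret = 'replace-with-32-random-bytes-from-config';
$now = time();

// form.php: embed the token in the form.
$token = issueFormToken($secret, 'contact', $now);
echo '<input type="hidden" name="token" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . "\">\n";

// check.php: verify what came back before touching the rest of $_POST.
$forged = base64_encode('contact|' . $now . '|' . str_repeat('0', 64));
$checks = [
    'fresh token' => verifyFormToken($secret, 'contact', $token, $now + 60),
    'other form'  => verifyFormToken($secret, 'newsletter', $token, $now + 60),
    'expired'     => verifyFormToken($secret, 'contact', $token, $now + FORM_TOKEN_LIFETIME + 1),
    'forged mac'  => verifyFormToken($secret, 'contact', $forged, $now + 60),
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 14), $ok ? 'valid' : 'rejected', "\n";
}
```

Because nothing is stored, a token can be submitted more than once within its lifetime; if one submission per page load is required, the session-stored variant later in this thread is the right tool, and the two can be combined.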

rocknbil




msg:4191766
 4:26 am on Aug 25, 2010 (gmt 0)

That will help, but the real problem stems from them being able to get something through they shouldn't. Cleanse and filter your input.

Some searches here that will help [google.com]
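Added example, not rocknbil's code, of what "cleanse and filter your input" looks like for a contact form: every field is checked against an explicit rule before it is stored, mailed or echoed, single-line fields may not contain line breaks (a value that later lands in a mail header or a log line must not be able to start a new line), the address goes through PHP's built-in email filter, and the message body is bounded and stripped of control characters. Field names, length limits and the two constructed submissions are assumptions for illustration.

```php
<?php
// Added example, not rocknbil's code: whitelist-style validation of a
// contact form. Field names, limits and sample submissions are assumptions.

function validateContactForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // Single-line fields: present, trimmed, bounded, and free of line breaks.
    foreach (['name' => 80, 'subject' => 200] as $field => $max) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '' || strlen($value) > $max) {
            $errors[$field] = 'missing or too long';
        } elseif (preg_match('/[\r\n]/', $value)) {
            $errors[$field] = 'line breaks not allowed';
        } else {
            $clean[$field] = $value;
        }
    }

    // Email: syntactic check with the built-in filter, which also rejects
    // embedded whitespace and CR/LF.
    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid address';
    } else {
        $clean['email'] = $email;
    }

    // Message body: multi-line is fine, but bound the size and drop every
    // character in Unicode category C (controls, format, unassigned) except
    // tab, CR and LF. preg_replace() returns null on invalid UTF-8.
    $message = isset($post['message']) ? (string) $post['message'] : '';
    $message = preg_replace('/[^\P{C}\t\r\n]/u', '', $message);
    if ($message === null || trim($message) === '' || strlen($message) > 5000) {
        $errors['message'] = 'missing, invalid or too long';
    } else {
        $clean['message'] = $message;
    }

    return ['ok' => $errors === [], 'fields' => $clean, 'errors' => $errors];
}

// Constructed submissions: one legitimate, one with an extra injected line.
$good = ['name' => 'Ann Example', 'email' => 'ann@example.com',
         'subject' => 'Order question', 'message' => "Hello,\nwhere is my order?"];
$bad  = ['name' => "Ann\r\nBcc: someone@example.net", 'email' => 'not-an-address',
         'subject' => 'x', 'message' => ''];

foreach (['good' => $good, 'bad' => $bad] as $label => $post) {
    $result = validateContactForm($post);
    echo $label, ': ', $result['ok'] ? 'accepted' : 'rejected ' . json_encode($result['errors']), "\n";
}

// Escape at output time, not on input, when a field is echoed back into HTML:
// echo htmlspecialchars($result['fields']['name'], ENT_QUOTES, 'UTF-8');
```

Validation decides what is accepted; escaping belongs where the value is used (HTML, a mail header, a database query), because each sink has its own rules.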

peace




msg:4191975
 2:48 pm on Aug 25, 2010 (gmt 0)

Thank you SevenCubed. I tried and it works!

Rocknbil, what you say is true. Do you have something you could recommend to me... at least a link where I can learn about the options I may have?
Thanks

peace




msg:4192757
 8:18 pm on Aug 26, 2010 (gmt 0)

Can anyone give me a suggestion for when the referrers are dynamic pages?

adephue




msg:4193440
 10:14 am on Aug 28, 2010 (gmt 0)

I read somewhere that HTTP_REFERER is not 100% reliable. I guess my solution isn't either, but it works very well for our purposes. Here's what I do...

1. Leave the action attribute of the form blank in the html <form> tag. Then when the form is submitted, use javascript to populate the action attribute. jQuery makes this easy.

<form id="nospam" action=""></form>

This goes a long way toward thwarting crawlers looking for form processing scripts. It won't stop a curious spammer willing to look at your source code. The jQuery to handle this might look something like this...

// This jQuery
$(document).ready(function () {
    $('form#nospam').submit(function () {
        // Fill in the real processor URL only at submit time.
        $(this).attr('action', '/path/to/form/processing/script');
        return true;
    });
});


The drawback here is that if a user doesn't have javascript enabled, they can't submit the form. Also, this usually only helps when implemented ~before~ a form is live. If spam bots already have the URL of your form processor, you'll need more protection. Read on...

2. Use PHP to generate a hash on the page where the form is, include it as a hidden form element, then check it when the script is submitted. For example, if my form is on form.php and the processor is check.php I would do this...

// Before the form is output on form.php
session_start();
// One-off value for this render of the form, stored in the session under a
// key derived from the processor's path so several forms can coexist.
$hash = md5(date(str_shuffle('aAbBCcDdEeFf...')));
$_SESSION['form_hash'][md5('/path/to/check.php')] = $hash;


Replace '/path/to/check.php' with what will be reflected by $_SERVER['REQUEST_URI'] when the form is submitted to the processing script. Now, insert this hash into the form as a hidden field.

<input type="hidden" name="hash" value="<?php echo $hash; ?>" />

When the form is submitted, check the hash against what you generated...

session_start();
$key = md5($_SERVER['REQUEST_URI']);
// No entry means the form page was never loaded in this session.
$hash = isset($_SESSION['form_hash'][$key]) ? $_SESSION['form_hash'][$key] : null;
// You MUST unset the hash so that they only get one try
unset($_SESSION['form_hash'][$key]);
$posted = isset($_POST['hash']) ? $_POST['hash'] : null;
if ($hash !== null && $hash === $posted) {
    //Process the submission...
}
else {
    //Send them somewhere else
}


This approach stops spam robots from remotely posting to your form processor because they didn't hit the form first to get the hash stored in a session variable. Whoever wants to submit your form must actually visit the page first. This approach does not stop someone who loads the form and manually submits spam.

I have had several clients come in having issues with automated spam posts. I usually implement both. I change the URL of the form processor then use a blank action attribute, then implement the URL-based hash to make sure that the user actually hits the form before submitting it.
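Added example, not adephue's code: the same visit-the-form-first idea, with the token drawn from the CSPRNG instead of a shuffled date string, stored under an explicit per-form key with an expiry, removed from the session before it is compared (one try, valid or not), and compared in constant time. The functions take the session array by reference so the block can be run without a live session; in form.php and check.php pass $_SESSION after session_start(). The form identifiers, the lifetime and the constructed session are assumptions.

```php
<?php
// Added example, not adephue's code: single-use, session-bound form token.
// Form ids, TTL and the stand-in session array are assumptions.

const FORM_TOKEN_TTL = 1800;    // seconds between rendering the form and submitting it

function issueOneTimeToken(array &$session, string $formId, int $now): string
{
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    $session['form_tokens'][$formId] = ['token' => $token, 'issued' => $now];
    return $token;
}

function consumeOneTimeToken(array &$session, string $formId, ?string $submitted, int $now): bool
{
    if (!isset($session['form_tokens'][$formId])) {
        return false;                                // form page never loaded in this session
    }
    $entry = $session['form_tokens'][$formId];
    unset($session['form_tokens'][$formId]);         // one try only, valid or not

    if ($submitted === null || $submitted === '') {
        return false;
    }
    if ($now - $entry['issued'] > FORM_TOKEN_TTL) {
        return false;                                // form was left open too long
    }
    return hash_equals($entry['token'], $submitted); // constant-time comparison
}

// Constructed session standing in for $_SESSION.
$session = [];
$now = time();

// form.php
$token = issueOneTimeToken($session, 'contact', $now);
// echo '<input type="hidden" name="hash" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

// check.php, in the same session
$first  = consumeOneTimeToken($session, 'contact', $token, $now + 5);   // genuine submission
$replay = consumeOneTimeToken($session, 'contact', $token, $now + 6);   // same token again

// A remote poster that never fetched the form has no entry at all.
$cold   = [];
$remote = consumeOneTimeToken($cold, 'contact', str_repeat('a', 64), $now);

// A token that sat in an abandoned tab past the TTL.
$stale = issueOneTimeToken($session, 'contact', $now);
$late  = consumeOneTimeToken($session, 'contact', $stale, $now + FORM_TOKEN_TTL + 1);

var_dump($first, $replay, $remote, $late);
```

Keying by a form identifier you choose, rather than by md5($_SERVER['REQUEST_URI']), avoids a mismatch when the processor is reached with a query string or through a rewrite rule; the identifier just has to be the same string on the page that issues the token and in the script that consumes it.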

peace




msg:4195365
 1:18 am on Sep 2, 2010 (gmt 0)

Thank you adephue, I went with option two and it works as expected. Hope to fix the issue.
Thank you for your help.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
© Webmaster World 1996-2014 all rights reserved