Form Posts from Outside Sites

How to prevent it.

woop01

2:27 am on Oct 28, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I realize I should know this, but what's the best way to prevent an outside form from posting to our site?

Example...

FormA on ServerA posts to PageB on ServerA

somebody creates...

FormA on ServerB that posts to PageB on ServerA

What do I need to do on PageB to prevent that from working?

txbakers

2:43 am on Oct 28, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can't prevent it from happening, but you can add some hidden parameters (server side) that prevent your query from running unauthorized.

Something like a certain session variable, or even a static variable to check for a post value.

But anyone can write an HTML page and post it to anywhere.

Mokita

3:22 am on Oct 28, 2005 (gmt 0)

10+ Year Member



What do I need to do on PageB to prevent that from working?

What powers your form? Is it cgi-bin (perl), php or asp etc?

A well written form will have a condition that restricts posting from only URLs that you specify.

I use the Level 10 php form, which does that extremely well.
[leveltendesign.com...]

There are, of course, heaps of others to suit your needs.

carguy84

5:13 am on Oct 30, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Check the referer in the ServerVariables collection and deny access if they aren't coming from your domain.

Dijkgraaf

3:39 am on Oct 31, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Referer can be spoofed, so don't rely on this.

txbakers' suggestion of a hidden form variable is more reliable.
Have a hidden variable that is set using a server side method or formula that is not easy to guess.
On submission this variable is validated, and if it doesn't match, then reject the submission.
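One way to implement the hidden variable Dijkgraaf describes, as an added example that is not from any poster in this thread: the server issues a value that is an HMAC over the visitor's session id and a timestamp, embeds it in a hidden field, and on submission recomputes the MAC and rejects the post if it does not match or is stale. The secret, the field name `form_token` and the one-hour lifetime are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a per-server secret. In production load it from
# configuration and keep it out of source control.
SERVER_SECRET = secrets.token_bytes(32)
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes
TS_LEN = 8


def issue_token(session_id, now=None, secret=SERVER_SECRET):
    """Value for the hidden field: base64(timestamp || HMAC(secret, session_id|timestamp)).

    The MAC ties the token to the visitor's own session, so a copy of the form on
    another server cannot produce a value that validates for a different session.
    """
    ts = int(time.time()) if now is None else now
    msg = f"{session_id}|{ts}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ts.to_bytes(TS_LEN, "big") + mac).decode()


def validate_token(session_id, token, now=None, max_age=3600, secret=SERVER_SECRET):
    """True only if the token was issued by this server for this session and is not stale."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False  # not base64 at all
    if len(raw) != TS_LEN + MAC_LEN:
        return False  # wrong shape, do not even try to verify
    ts = int.from_bytes(raw[:TS_LEN], "big")
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > max_age:
        return False  # issued in the future or expired
    expected = hmac.new(secret, f"{session_id}|{ts}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a wrong MAC fails without leaking which byte differed.
    return hmac.compare_digest(expected, raw[TS_LEN:])


def hidden_field(session_id):
    """HTML to embed in the form; the token is URL-safe base64, so no escaping is needed."""
    return f'<input type="hidden" name="form_token" value="{issue_token(session_id)}">'
```

The session id used here must come from the server's own session store (a cookie-backed session), not from the submitted form itself.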

aspdaddy

8:10 pm on Oct 31, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Use SSL to prevent request intercepts/spoofing, and then check these server variables:

REMOTE_ADDR
REMOTE_HOST
HTTP_REFERER
HTTP_X_FORWARDED