Chris Shiflett wrote:
You might find these resources helpful:

http://education.nyphp.org/phundamentals/PH_spoofed_submission.php

http://shiflett.org/talks/oscon2004/php-security/36

Hope that helps.


Just wanted to chime in to the list and to Chris.
I've been mulling the example in the second link since last we talked about this, and I modified the example to make an even safer example (IMHO). The idea of using the plain "token" in the form, and using it to compare with the session wasn't sitting well with me for some reason (maybe bad karma in the air or something), so I borrowed an idea from a previous article you wrote on session hijacking, by utilising a "private key".
The goal is that one cannot really determine what the comparison token can be by looking at the hidden field value of "token".
Comments are welcome...


---
<?php

session_start();

// Server-side secret that is appended to the token before it is stored in the session.
$some_hidden_key = 'abcde...';

// Only handle a submission when both fields were actually posted; checking the
// token with isset() avoids an undefined-index notice on a bare POST.
if (isset($_POST['message'], $_POST['token'], $_SESSION['token']))
{
    if ($_POST['token'] . $some_hidden_key === $_SESSION['token'])
    {
        $message = htmlentities($_POST['message']);
        $fp = fopen('./safer.txt', 'a');
        fwrite($fp, "$message<br />");
        fclose($fp);
    }
}

// Issue a fresh token on every render; the session keeps the token plus the secret,
// the browser only ever sees the token.
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token . $some_hidden_key;

?>

<!-- PHP_SELF reflects the request path (including path info), so it is escaped before output. -->
<form method="post"
action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<input type="hidden" name="token"
value="<?php echo htmlspecialchars($token); ?>" />
<input type="text" name="message"><br />
<input type="submit">
</form>

<?php readfile('./safer.txt'); ?>
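Editor's added example (not code from the post or from Chris Shiflett's slides). Because the same secret is appended to both sides of the `===`, the check above reduces to comparing the raw token with the one in the session, so the secret adds no work for a forger. Using the secret as an HMAC key instead gives the stated goal a concrete form: the hidden field carries the random token, the session stores only a keyed hash of it, and a genuine submission is verified by recomputing the hash. The function names and the `CSRF_SECRET` value are assumptions made for this example; the comparison uses `hash_equals()` so it runs in constant time.

```php
<?php
// Added example, not from the original post: CSRF token helpers in the same
// shape as the poster's script (token issued on render, checked on POST), with
// the server secret used as an HMAC key rather than appended as a string.
declare(strict_types=1);

// Assumption: in a real deployment this is loaded from configuration, not source.
const CSRF_SECRET = 'replace-with-32-random-bytes-from-config';

/**
 * Issue a fresh token. The browser gets the random token; the session keeps
 * only an HMAC of it under the secret, so reading the hidden field does not
 * reveal the value the server will compare against.
 */
function csrf_issue(array &$session): string
{
    $token = bin2hex(random_bytes(16)); // 128 random bits, not derived from time or rand()
    $session['csrf'] = hash_hmac('sha256', $token, CSRF_SECRET);
    return $token;
}

/**
 * Verify a submitted token. Returns false (never emits a notice) when the
 * field or the session entry is missing, and compares in constant time.
 */
function csrf_check(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf']) || $submitted === null || $submitted === '') {
        return false;
    }
    $expected = $session['csrf'];
    $actual   = hash_hmac('sha256', $submitted, CSRF_SECRET);
    return hash_equals($expected, $actual);
}

/** Tiny check helper for the walk-through below (throws instead of relying on assert()). */
function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed walk-through, runnable from the CLI with a plain array standing in for $_SESSION.
if (PHP_SAPI === 'cli') {
    $session = [];
    $good = csrf_issue($session);
    expect(csrf_check($session, $good) === true,       'genuine submission is accepted');
    expect(csrf_check($session, 'deadbeef') === false, 'forged token is rejected');
    expect(csrf_check($session, null) === false,       'missing field is rejected');
    expect(csrf_check([], $good) === false,            'missing session entry is rejected');
    echo "all checks passed\n";
}
```

In the page's script this replaces the `$token . $some_hidden_key` lines with `$token = csrf_issue($_SESSION);` before rendering and `csrf_check($_SESSION, $_POST['token'] ?? null)` before writing the message; the hidden field still prints `htmlspecialchars($token)`.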

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
