[PHP] is there a better way to know from which php file the request comes from ??

2009-08-17 Thread nashrul

This is a newbie question...
Let's say there are 3 PHP files, page1.php, page2.php and page3.php. Form
submission from page1.php or page2.php will take the user to page3.php.
I know that we can use a parameter that is appended in the action attribute of
the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>)
But I think appending this parameter is transparent to the user, since it's
visible in the URL.
And I think we can also use a hidden field or (form name ??).
So which one is most secure and better?
Thanks..
-- 
View this message in context: 
http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html
Sent from the PHP - General mailing list archive at Nabble.com.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] is there a better way to know from which php file the request comes from ??

2009-08-17 Thread Ashley Sheridan
On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote:
> This is a newbie question...
> Let's say there are 3 PHP files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take the user to page3.php.
> I know that we can use a parameter that is appended in the action attribute of
> the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>)
> But I think appending this parameter is transparent to the user, since it's
> visible in the URL.
> And I think we can also use a hidden field or (form name ??).
> So which one is most secure and better?
> Thanks..

Neither GET nor POST is more secure; it's just that POST requires a tiny
bit more work to see what's being sent. You can use the
$_SERVER['HTTP_REFERER'] variable to detect where a request has come
from. The documentation for this particular variable mentions that it
can't be trusted, as it can be changed by the client browser, but then,
so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER
route, because it is completely transparent, and the majority of users
aren't going to bother changing it.

Thanks,
Ash
http://www.ashleysheridan.co.uk





Re: [PHP] is there a better way to know from which php file the request comes from ??

2009-08-17 Thread kranthi
HTTP_REFERER is transparent, but it can be messed with very easily. I
prefer the use of $_SESSION vars if security is needed in my application
(especially when a page is shown after a POST request).




Re: [PHP] is there a better way to know from which php file the request comes from ??

2009-08-17 Thread Ben Dunlap
> This is a newbie question...
> Let's say there are 3 PHP files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take the user to page3.php.
> I know that we can use a parameter that is appended in the action attribute of
> the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>)
> But I think appending this parameter is transparent to the user, since it's
> visible in the URL.

Why does it matter?

I don't mean to suggest that it doesn't, but I'm just wondering if
you could explain the design of your app a bit.

You've sketched out an attack scenario in which a user maliciously
alters a variable in the request so that page3.php thinks the request
is coming from page2.php, when in fact it's coming from page1.php --
or vice versa.

But suppose an attacker does trick page3.php into mistaking the origin
of the POST. Does it make a difference? Presumably page3.php will be
filtering all of its input, and will discard the request if, for
example, it claims to be from page2.php but doesn't contain the sort
of data that a request from page2 would contain.

But if it does contain the right data, and the data is valid, then
does it matter if the data was not actually collected on page2.php?
The statelessness of HTTP can be one of its beauties -- and I would be
inclined against introducing statefulness unless the app really needs
it.

At any rate your problem is reminiscent of CSRF:

http://en.wikipedia.org/wiki/Cross-site_request_forgery

And I'm wondering if you could borrow from anti-CSRF techniques to
solve it (assuming, again, that it really needs to be solved).

Ben




Re: [PHP] is there a better way to know from which php file the request comes from ??

2009-08-17 Thread Tom Worster
On 8/17/09 5:24 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:

> On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote:
> > This is a newbie question...
> > Let's say there are 3 PHP files, page1.php, page2.php and page3.php. Form
> > submission from page1.php or page2.php will take the user to page3.php.
> > I know that we can use a parameter that is appended in the action attribute of
> > the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>)
> > But I think appending this parameter is transparent to the user, since it's
> > visible in the URL.
> > And I think we can also use a hidden field or (form name ??).
> > So which one is most secure and better?
> > Thanks..
>
> Neither GET nor POST is more secure; it's just that POST requires a tiny
> bit more work to see what's being sent. You can use the
> $_SERVER['HTTP_REFERER'] variable to detect where a request has come
> from. The documentation for this particular variable mentions that it
> can't be trusted, as it can be changed by the client browser, but then,
> so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER
> route, because it is completely transparent, and the majority of users
> aren't going to bother changing it.

you're probably right. though i remember when i considered using HTTP_REFERER.
i looked up the http rfc and it said that use of the header was optional.
that made sense. so i decided not to make any of the app's functionality depend on
it.






Re: [PHP] is there a better way to know from which php file the request comes from ??

2009-08-17 Thread Tom Worster
On 8/17/09 5:17 AM, nashrul anas_a...@yahoo.com wrote:

> This is a newbie question...
> Let's say there are 3 PHP files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take the user to page3.php.
> I know that we can use a parameter that is appended in the action attribute of
> the form (e.g. <FORM METHOD=POST ACTION=tes.php?var1=val1>)
> But I think appending this parameter is transparent to the user, since it's
> visible in the URL.
> And I think we can also use a hidden field or (form name ??).
> So which one is most secure and better?

i'm not in love with using the form POST method combined with an action url
that includes pseudo-GET parameters.

for POST forms, i use a convention of always having a hidden input in the
form to indicate which form sent the query, e.g.

<input type=hidden name=whichform value=foobarform>

this also comes in handy if one server script processes more than one form.

as for security, there's little difference between this method, using GET
values, using HTTP_REFERER, or what have you. protection against spoofing
lies not in these choices.



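Combining Tom's hidden whichform input, kranthi's $_SESSION suggestion and Ben's pointer to anti-CSRF techniques, here is an added example (mine, not code posted in the thread) of a session-bound, single-use per-form token that page3.php checks instead of trusting HTTP_REFERER or a bare hidden field. The function names and the constructed $session/$post arrays standing in for $_SESSION and $_POST are assumptions.

```php
<?php
// Added example, not from the thread: the originating form is proven by a
// server-issued, session-bound token, since referer and hidden fields are client-set.
declare(strict_types=1);

// Called while rendering page1.php or page2.php: mint a token for $form,
// remember it in the session (pass $_SESSION in a real app), return the fields.
function issue_form_token(array &$session, string $form): array
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$form] = $token;   // one live token per form
    return ['whichform' => $form, 'form_token' => $token];
}

// Emit the hidden inputs: the "whichform" convention plus the token that
// makes it trustworthy.
function hidden_fields(array $fields): string
{
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
    }
    return $html;
}

// Called in page3.php: returns the originating form name, or null when the
// request cannot be tied to a form this session was actually served.
function verify_origin(array &$session, array $post, array $known_forms): ?string
{
    $form  = $post['whichform']  ?? '';
    $token = $post['form_token'] ?? '';
    if (!in_array($form, $known_forms, true) || $token === '') {
        return null;
    }
    $expected = $session['form_tokens'][$form] ?? null;
    if ($expected === null || !hash_equals($expected, $token)) {
        return null;                             // forged, swapped or replayed
    }
    unset($session['form_tokens'][$form]);       // single use: burn on success
    return $form;
}

// Constructed stand-in for $_SESSION / $_POST to exercise the flow offline.
$session = [];
$fields  = issue_form_token($session, 'page1');
echo hidden_fields($fields);
$swapped = ['whichform' => 'page2'] + $fields;   // claims page2 with page1's token
var_dump(verify_origin($session, $swapped, ['page1', 'page2']));
var_dump(verify_origin($session, $fields,  ['page1', 'page2']));
var_dump(verify_origin($session, $fields,  ['page1', 'page2']));  // replay of a burnt token
```

The token is what makes the origin claim trustworthy; the whichform field on its own only tells page3.php which handler to run, as Tom notes.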