[PHP] is there a better way to know from which php file the request comes from ??
This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take user to page3.php. I know that we can use parameter that is appended in the action attribute of the form (e.g FORM METHOD=POST ACTION=tes.php?var1=val1) But I think, appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??.). So which one is most secured and better ?? Thanks.. -- View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html Sent from the PHP - General mailing list archive at Nabble.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote: This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take user to page3.php. I know that we can use parameter that is appended in the action attribute of the form (e.g FORM METHOD=POST ACTION=tes.php?var1=val1) But I think, appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??.). So which one is most secured and better ?? Thanks.. -- View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html Sent from the PHP - General mailing list archive at Nabble.com. Neither GET or POST is more secure, it's just that POST requires a tiny bit more work to see what's being sent. You can use the $_SERVER['HTTP_REFERER'] variable to detect where a request has come from. The documentation for this particular variable mentions that it can't be trusted, as it can be changed by the client browser, but then, so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER route, because it is completely transparent, and the majority of users aren't going to bother changing it. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
HTTP_REFERRER is transparent, but if can be messed with very easily. I prefer use of $_SESSION vars if security is needed in my application (epically when a page is shown after a POST request) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take user to page3.php. I know that we can use parameter that is appended in the action attribute of the form (e.g FORM METHOD=POST ACTION=tes.php?var1=val1) But I think, appending this parameter is transparent to the user, since it's visible in the url. Why does it matter? I don't meant to suggest that it doesn't, but I'm just wondering if you could explain the design of your app a bit. You've sketched out an attack scenario in which a user maliciously alters a variable in the request so that page3.php thinks the request is coming from page2.php, when in fact it's coming from page1.php -- or vice versa. But suppose an attacker does trick page3.php into mistaking the origin of the POST. Does it make a difference? Presumably page3.php will be filtering all of its input, and will discard the request if, for example, it claims to be from page2.php but doesn't contain the sort of data that a request from page2 would contain. But if it does contain the right data, and the data is valid, then does it matter if the data was not actually collected on page2.php? The statelessness of HTTP can be one of its beauties -- and I would be inclined against introducing statefulness unless the app really needs it. At any rate your problem is reminiscent of CSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery And I'm wondering if you could borrow from anti-CSRF techniques to solve it (assuming, again, that it really needs to be solved). Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
On 8/17/09 5:24 AM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote: This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take user to page3.php. I know that we can use parameter that is appended in the action attribute of the form (e.g FORM METHOD=POST ACTION=tes.php?var1=val1) But I think, appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??.). So which one is most secured and better ?? Thanks.. -- View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-r equest-comes-fromtp25003587p25003587.html Sent from the PHP - General mailing list archive at Nabble.com. Neither GET or POST is more secure, it's just that POST requires a tiny bit more work to see what's being sent. You can use the $_SERVER['HTTP_REFERER'] variable to detect where a request has come from. The documentation for this particular variable mentions that it can't be trusted, as it can be changed by the client browser, but then, so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER route, because it is completely transparent, and the majority of users aren't going to bother changing it. your probably right. though i remember when i considered using HTTP_REFERER. i looked up the http rfc and it said that use of the header was optional. that made sense. so i decided not to make any of app functionality depend on it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
On 8/17/09 5:17 AM, nashrul anas_a...@yahoo.com wrote: This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take user to page3.php. I know that we can use parameter that is appended in the action attribute of the form (e.g FORM METHOD=POST ACTION=tes.php?var1=val1) But I think, appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??.). So which one is most secured and better ?? i'm not in love with using the form POST method combined with an action url that includes pseudo-GET parameters. for POST forms, i use a convention of always having a hidden input in the form to indicate which form sent the query, e.g. input type=hidden name=whichform value=foobarform this also comes in handy if one server script processes more than one form. as for security, there's little difference between this method, using GET values, using HTTP_REFERER, or what have you. protection against spoofing lies not in these choices. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php