Secure form submission - php

So I was just told that having this sort of thing visible whenever someone views the source on your front end is insecure:
<form action="http://www.somedomain.com/form.php" method="post">
Basically, that someone being able to see the php file that the form submits to is dangerous. Is this the case? If so, how do I make my visible source secure while still having the form submit to our hypothetical "form.php"?

first of all , php source code can't be viewed unless you restrict access to it via htaccess or other ways , secondly , your front-end source code must always be public because security issues aren't treated from the front to the back-end , thirdly , your php file's source can't be viewed like a css file or javascript code
if you want to restrict direct HTTP access to form.php , you could use .htaccess
i use this solution , some files are marked as somefile.php, but some util files are either stored in a folder or marked as utils.inc.php , so i make sure that i restrict direct access to inc.php files and allow everything else

I personally do not see a problem with showing the page which the form submits too, because once the user submits his/her enteries, the action="" will re-direct the user to the page stated anyway, so either way they will see where they will end up. Whether in the URL bar or the form scripts.
Just ensure you sanitize the user-input data before passing it through your database.
Depending what your using for your Database Interaction; there will be functions available to protect you from injection

Security by obscurity is a good policy in only very select, specific cases. But knowing where forms submit to – that's actually the nature of web forms. There's now way around that.
Even if the URL you submit to is somehow dynamically created for some kind of impression of security – just have a proxy between the browser and the server, and the entire HTTP dialogue is open to be read.

Related

preventing anyone from accessing back server pages

I searched for the answer for my question but I couldn't find exactly what I wanted.
If you find a duplicate of this please send me it!
I have a couple of files in my website that are used to do background functions that I don't want anyone to access them- not even the admin. for example files like PHPMailer.php, login-inc.php logout-inc.php and more.
I need a way to prevent anyone from accessing those pages and not prevent them from working when triggered by buttons/forms.
I'm aware that using a session can redirect not logged users, although, here, I need to prevent everyone from accessing the pages by redirecting them or sending them to a 404 page.
what do I need to use to do that?
thanks!
Update: I'm very new to web coding so sorry for the confusing question, I wanted to block users from entering some pages by entering their location with a link for example I don't want users to be able to access tokens/passwords...
Using .htaccess solves my problem. thank you.
One way to protect your files to be called by web server is to move them out of site webroot directory. That way there is no way that someone access the with web browser and you still can include them. It's common solution.
Other way is to intercept web server requests and i.e. forbid some of them, redirect some others and so on. I.e for Apache web server you can do that inside .htaccess file. You have to allow that in website settings.
For your specific case, with those buttons:
You'll have to use .htaccess (or equivalent) to intercept all requests to those files. Then redirect those request to some php script, with also saving passed parameters.
Then your PHP script should decide what to do with that request...reject it (redirect to 404 page) or allow access.
For that your buttons, should pass some kind of pass code. So your PHP script can check, when it's called if valid pass code is provided (allow access) or not (redirect to 404).
Now making that pass code that can't be manipulated could be tricky, but generally you must invent some formula to generate them (based i.e. on current time) so PHP script could you the same formula to check it's validity.
Other way is to i.e. to do some JS action when button is pressed (i..e write some cookie) and PHP script will check for that JS action result (cookie exists or not).

Ensure that PHP form process file is only used with specific web form page?

I am a little new to PHP, and I have gotten in the habit of creating a specific file that handles all the form processing.
For example, I have one PHP file that displays the actual form, let's called it "registration.php" for example, and it specifies as its action "registration-process.php". A user fills out the registration form on registration.php, hits submit, and the data is POSTed to registration-process.php because it was specified as the action file by the form.
Now my question is this: Can't someone who knows what they are doing POST data to registration-process.php without going through registration.php? This would have the potential to lead unexpected consequences.
Is there any way to ensure that registration-process.php will ONLY accept POSTed data from registration.php? Like maybe a hidden field with a value that gets encrypted via some PHP code, and that value gets checked by the registration-process.php file? I wouldn't know how to do that, however, or if that's even the best solution.
Yes, using a hidden "security token" field is a common way to verify a forms integriy. Many public forums are using this method.
Try Google for php form security token or check out this site:
http://css-tricks.com/serious-form-security/
Can you only accept POST data from one location, probably. It is worth it, probably not.
As long as you are validating your form fields correctly (make sure what you're getting is within the realm of what you're expecting) there won't be any negative consequences of leaving it so anything can POST to it.
Also, technically you can send POST data to any file on the web, it just depends on what the file does with it whether or not it means anything.
Also, what Mario Werner is talking about is CSRF tokens. That won't stop other things from posting to your site, it just adds a level of security that makes sure the request came from the right place. For a detailed explanation, you can read this: http://en.wikipedia.org/wiki/Cross-site_request_forgery

HTML 4 Website - User submits email address to access/download a file

We have an archaic website done completely in HTML 4, and I've been tasked with coming up with a way to have the user input their email address to access/download files.
After submitting their email address, it can either take them directly to the pdf file or be redirected to a "Thank You" page that has a link to the file.
We would then be able to see a list of the email addresses & who downloaded what.
I was told server side scripting language is required. To be honest, I have basic skills in coding, and I am completely stumped by this task. Any help (explained in simple terms please) would be greatly appreciated.
Thank you!
Jen
Your solution is going to be broken down into 2 parts, both server-side. Firstly, you will need some server-side code to handle the user input, and a database to store a mapping from email addresses to file names (although this can just be a text file sitting on the server).
Server-side script
You have a world of choices when it comes to server-side scripting languages, from the insanely popular PHP, which while supported from the majority of web-hosting companies, is riddled with bad design problems and (to my mind) should be avoided at all costs. However, it is still completely adequate for your purposes.
On the other end of the scale is the lightning fast node.js, which allows you to program your web application using JavaScript; this is arguably a more pleasant means to do so, but hosting is typically more expensive and geared towards web applications with large user bases.
There are many other possible solutions in between, but for argument's sake we'll assume you use PHP.
Database
The role of the database is simply to store the relationship between the email addresses and their respective file download paths. Again, there are a whole host of different solutions, and some may argue for or against them. One of the least-trusted solutions (but unfortunately, incredibly widely supported and tightly knit with PHP) is MySQL, which again for argument's sake, we'll use.
How it works
Your web application will first of all check for any user input (i.e. the user's email address submitted from an HTML form). Then:
If the user has not submitted anything, then output a page with an HTML form on it, which might look something like this:
<form action="thispage.php" method="post">
<input type="text" name="email" value="Enter your address here" />
<input type="submit" value="Get my file!" />
</form>
When the user clicks the submit button, the entered email address will be sent to thispage.php (or whatever you decide to call this script).
If the user has submitted an email address, (i.e. the user clicked the button in the above form), then we query the database with the email address to find out where the user's file is. There are a million-and-one tutorials on how to do this - there are straightforward examples for PHP here.
Once the file path has been retrieved from the database, you can either output some HTML as a 'Thank you!' page, with a link to the PDF file, or simply redirect them immediately by using the following code, where $URL is the URL of the file.
<?php
header('Location: ' . $URL);
?>
There are again alternatives to how you do this - if you want to keep the PDF file hidden from unauthorised eyes, you can store it somewhere on the server, inaccessible to the outside world, and then simply output the contents of the file into the page. This might look something like the following, where $path is the path to the PDF file on the server's filesystem:
<?php
header('Content-type: application/pdf');
echo file_get_contents($path);
?>
I hope this gets you started. If you need any more guidance, you're already in the right place to ask!
It depends on how much protection you want. If you want to make sure the file is completely inaccessible for people who don't input their e-mail address, you can block the file with the .htaccess file (in Apache). Then make a page to retrieve the file to download if the session that you previously set up was okay. I don't think that would be necessary from what you said. The other option is to make a page with a simple form, with action="somepage.php". On that page you would then retrieve the e-mail with $_GET or $_POST (that is, if you are using PHP), then save it in the database or a text file or something. (You could even send it to your e-mail) Then:
1) If you are using the protection I mentioned before, then set the session as OK (you can do this with session_start() at the beginning of the file and then include $_SESSION["gave_email"] = 'true';). Then test that variable to see if it is true. If it is true, redirect the user to the PHP page that shows the file. (The appropriate syntax for a check like this one might look like this:
(if isset($_SESSION["gave_email"] && $_SESSION["gave_email"] == true)
//you show the content, then reset the $_SESSION variable to false
2) If you are not worried about security, then simply redirect the user to the page you want (either directly to the file or to another page that contains a link for download).
To forward with PHP you can use header('Location: page.php'), where page.php is the page you want. The whole thing seems pretty simple, so if you have some more specific question in this, please ask it.
Try google feedburner. Its allow you to valid download verification When someone subscribe on your website using feedburner then download will be possible. The feedburner subscription is refresh in every 10 hour.
http://feedburner.google.com/

prevent direct access to jquery post url

i've a jquery script which post/get data to .php script. but i wanna prevent direct access to the php script. for example if the user look at the html source code,they will be able to access the php script directly by copying the url from the js file and i dont want that. how do i prevent users from doing that?? i want the user to use it via the html UI. i've google but found no link on this. however, i did notice that some popular websites are able to do that. how should i go about doing this??
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your php file. This will prevent the page from being accessed if the proper post has not been made. Of course you'll have to change the post and redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
header('Location: your-redirect-location');
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if(isset($_POST["post_var]))
{
//to the code you want to do when the post is made
}
else
{
//do what you want to do when the user views the post page
}
?>
how do i prevent users from doing that?
You can't - all you can do is mitigate the risk people can fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need more than pointing her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is making sure nobody can really harm you, and in this regard, your Ajax URL is no different than any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere - sessions, user rights, etc.
After all, why should you care that users use this URL not using a browser ? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.

Allow users to copy and paste code into their own website

I've developed a web application in PHP and MySQL. One part of the system I've been putting on hold for a while now, is allowing my users to create a simple form inside my application, and once they're done, copy and paste some code which I generate into their existing remote websites (IE: Contact Form) where this form should appear.
When visitors to their site enter their data into that "contact form" or whatever they've created, it should save the info into my application database where the users will be able to access it. It must be unobtrusive.
Is there anyone who can give me a good starting point on how to achieve this?
Im a little confused on what youre asking. Are you asking if there is a way to automatically copy the generated form to the clipboard, or how you set the form up to allow it to post data back to your own server?
If its the former, Bradley above pretty much explained it. If its the latter, then there are a couple of ways that you can go about doing it.
If you want it to submit the form without actually redirecting back to your own site, then you need to submit the form via AJAX (read XMLHttpRequest, or the $.ajax() function if youre using jQuery). The only problem here is that it violates the same origin policy since youd be submitting from a different domain. To fix this, you need to setup your webserver to allow cross domain requests so that it'll actually work.
JavaScript cannot access the clipboard to save (copy) text to memory. A general way around this is to use an invisible flash movie and place it over an input button so that 'clicking' the button triggers the flash script, which can utilize the clipboard.
I've used ZeroClipBoard in the past to do this, and I believe some of the syntax highlighting plugins out there use it as well.
http://code.google.com/p/zeroclipboard/

Categories