If Referer Not My Form Script, Then Block Access?

liunx

Guest
Hello everyone!

I am using PHP and doing a simple HTML form that uses a 'post' method to a PHP script. The script name is 'survey.php'.

When the user fills out the required fields and hits 'submit', it goes to survey.php to process the form (which just sends the results in a simple email). Then it goes to a thankyou.php page for confirmation and shows a special code.

My problem is that I don't want a user to just be able to type the thankyou.php page in their browser without submitting the form.

I tried using the idea shown on this thread at http://www.searchengineforums.com/apps/searchengine.forums/forum::php/thread::1086684316/action::thread/ but to no avail. It just keeps printing that it was from a 'GET' instead of a 'POST', even though I am not using a GET.

Please provide insight, or maybe I'm doing something wrong. Thanks in advance.
Hi Sarah,

Why not add the special code you generate into the same PHP file as the form response? Then the only way to it is via the form.
I followed the link you gave and personally, I think the snippet they gave to use is useless. And depending on how air-tight you want it to be, checking the referrer is iffy too. I can quickly crank out a bit of code that posts data to your form (using post, not get) and grabs all the text of the next page that would be displayed on the thankyou.php page.

Here's one way to do it.

When they post the form, have it go to your survey processing script. Check for validity, check the safety of the information sent over, and if all seems to be "systems go", use PHP to include thankyou.php.

Before you include thankyou.php you can write a snippet of code like this:

CODE
    $secretWhatever = 'yadayada';

Then, at the top of thankyou.php:

CODE
    if ($secretWhatever != 'yadayada')
    {
        echo 'You must submit the survey to reach this page';
        exit;
    }

There's a more advanced and secure way of doing it, but this will probably meet your needs.

If you think that an advanced programmer will desperately want to get at thankyou.php without filling out your survey, then you need to know there are ways around this. But I'd venture to guess that this will solve your problem for 98% of the population.
I think these ideas will work since this is just a simple survey and really has no super important information (and the code is not really tracked; it just makes people fill out the survey to 'activate' their discount cards that we give out).

The level of security I'm going for here is just light, something that would deter the average user.

So in the last example, SUREFIRE wrote:

QUOTE
    $secretWhatever = 'yadayada'

Does this mean to put this hidden variable in my form processing script and then just check to see if it was set? The code I am showing the user is dynamically generated right on the thankyou.php page based on date and time of day. I don't think the snippet that Surefire wrote could be used for that. I'm sorry for not saying that before, it was probably vital.

But instead of just redirecting the user to the thankyou.php page via a header() function, I could probably use the include function. Would I just say:

CODE
    if (!isset($submit)) {
        print "you are not authorized to view page etc..";
        exit;
    } else {
        include('thankyou.php');    // this page would show the secret code
    }

I guess that would work, right? However, I want the form processing script to kinda be invisible to the user, and if this is the case, they would see the address of my script in the browser in the directory, i.e. scripts/survey.php. I'd rather not show that. Any thoughts on this?
My understanding of your goals:
1- Simple but relatively secure
2- thankyou.php can't be seen unless your survey is filled out

So, if I go to thankyou.php and my code is at the top:

CODE
    if ($secretWhatever != 'yadayada')
    {
        echo 'You must submit the survey to reach this page';
        exit;
    }

Then I'll be blocked from access (especially if you turn off register_globals, which is on by default). Even with globals on, I'd have to be a good guesser:
1- guess url of thankyou.php
2- guess variable name
3- guess variable value

I'm also assuming that when you process the survey you are checking the user input (which, if you don't, is very dangerous). So, I'm expecting that in your code you have:

CODE
    if (empty($_POST)) {
        header('Location: errorpage.php');
        exit; /* stop here, or the rest of the script still runs after the redirect header */
    }
    /* at least we have some post vars to check, time to validate and screen */
    $vars = $_POST;

    if (isset($vars['fieldone']) && $vars['fieldone'] != '')
    {
        $good['fieldone'] = $vars['fieldone']; /* assignment, not comparison */
    }
    else
    {
        /* error message goes here */
    }

    /* Rest of form field validation and checking goes here in your code */

    ...
    ...

    /* Okay, all the data checks out, is valid, and safe.  Let's show them the file */

    $secretWhatever = 'yadayada';
    /* without secret variable set, thankyou won't work */

    include 'thankyou.php';

I noticed that you are writing code that doesn't make use of the $_POST superglobal. This is a mistake that you should correct for two reasons:
1- it's insecure
2- if TCH modifies your php.ini file and turns off register_globals, you're going to be wondering why your code stopped working all of a sudden
Surefire-

Thank you so much for your coding suggestions. I was just looking through some of my old posts and realized you helped me with many PHP problems. Thank you :)

No, I haven't been using the $_POST superglobal. I didn't realize anything about it, but I have my PHP handbook here and I'm going to read about it to make sure I use it correctly.

Thanks for the replies and I will try writing some different code based on what you are saying, and make sure I use the global vars. I'll write again when I get something working and let everyone know how I made out.

Thank you.
You're welcome.
I've turned register_globals OFF.

Should I be referencing my form fields by '$_POST['fieldname']' or with the regular variable name such as '$fieldname'? Or doesn't it matter?
$_POST['fieldname'] is the proper and safest way. (And I think with register_globals off, it's necessary.)

From php.net:

QUOTE
    Of course, simply turning off register_globals does not mean your code is secure. For every piece of data that is submitted, it should also be checked in other ways. Always validate your user data and initialize your variables! To check for uninitialized variables you may turn up error_reporting() to show E_NOTICE level errors.

http://us2.php.net/register_globals

And here's a nice example from the php.net site of how they check their user input before adding a comment to their site:

http://www.php.net/source.php?url=/manual/add-note.php
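The include-and-gate approach from Surefire's posts combined with the $_POST validation recommended above, written out as an added example in current PHP (this is not Surefire's or the original poster's code). It shows both files in one block; the field names 'name' and 'email', the form page 'form.html' and the constant SURVEY_SUBMITTED are assumptions. A constant is used as the gate instead of a plain variable because a request cannot create constants even when register_globals is on, and define() cannot be repeated.

```php
<?php
// ===== survey.php (form processing script) =====
// Added example, not the thread's own code. Field names, form.html and
// the constant name are assumptions; requires PHP 7+ for the ?? operator.

// Accept POST only. The Referer header is deliberately not consulted: the
// client sends it, so it can be missing or say anything and proves nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: form.html');
    exit; // without exit the rest of the script would still run
}

// Read only the fields we expect, from $_POST, never from bare globals.
$name  = trim($_POST['name'] ?? '');
$email = trim($_POST['email'] ?? '');

$errors = [];
if ($name === '' || strlen($name) > 100) {
    $errors[] = 'Name is required (at most 100 characters).';
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'A valid e-mail address is required.';
}

if ($errors) {
    // Escape anything echoed back so a bad field cannot inject markup.
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br />\n";
    }
    exit;
}

// ... send the survey e-mail using the validated $name and $email here ...

// Gate: set only after every check passed, immediately before the include.
define('SURVEY_SUBMITTED', true);
include 'thankyou.php';

// ===== thankyou.php (separate file) =====
// <?php
// Runs only when included by survey.php after validation; a direct request
// for thankyou.php never reaches the code that shows the secret code.
if (!defined('SURVEY_SUBMITTED')) {
    http_response_code(403);
    echo 'You must submit the survey to reach this page';
    exit;
}
// ... generate and show the date/time-based code here ...
```

Because thankyou.php is included rather than redirected to, the browser's address bar keeps showing survey.php, which is the trade-off the original poster noted.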