Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
620 views
in Technique by (71.8m points)

html - How do I prevent others from sending their own data to my php page?

Suppose I have a registration page in my website that contains a registration form:

<form action="register.php" method="post">
<input name="...">
<input...>
...
<input type='submit'>
</form>

Then someone else made his own page and used my form's action page:

<form action="http://mywebsitename.com/register.php" method="post">

Can he post his own data to my page this way? If so, how can I prevent this?

Edit: It seems that using a token and storing its value in a session variable does not prevent someone from submitting data from his own form (even if the token is generated every page request) by first opening my original page (so a session for him is started and a token for that session is generated) and then using that token in his own form, while still in the session.
So I think Quentin is right, data must be validated anyway in the action page before it is accepted.

Thanks everybody.


He who fights dragons for too long becomes a dragon himself; gaze into the abyss for too long and the abyss gazes back…

1 Reply

0 votes
by (71.8m points)

Given:

  • Alice, a person with a browser
  • Bob, a person with a site (you)

There is no way for Bob to control what Alice submits. Your HTTP server is your public interface and you don't control what goes on outside it.

You must:

  • decide how much you trust the data coming in (auth / authz can help here)
  • sanity check submitted data to see if it looks plausible (is this date a date? is this the 3rd account registration from the same IP address in the last 10 minutes? etc.)
  • escape data before using it as code (e.g. in SQL statements or HTML documents)

If we add to the list of players:

  • Mallory, a malicious person with another site

You can make it very hard for Mallory to trick Alice into submitting malicious data (which would arrive with Alice's user credentials). The usual defences against CSRF (i.e. tokens that are unique per session and stored in the session data and in the form as a hidden input) should be used.
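
The checks listed in this answer, put together as an added example for a register.php handler (not code from the question or the answer). The field names email, birthdate and csrf, the users table and the in-memory SQLite database are assumptions made for illustration. The second constructed request carries a valid token and is still refused, which is the point raised in the question's edit: the token only stops cross-site submissions, so validation has to happen regardless.

```php
<?php
declare(strict_types=1);
// Added example: field names, table and limits are assumptions; SQLite stands in for the real DB.
function csrf_ok(array $session, array $post): bool {
    // Per-session token: stored server-side, echoed back from a hidden input.
    return isset($session['csrf'], $post['csrf']) && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}
function validate(array $post): array {
    $errors = [];
    $email = $post['email'] ?? null;
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // "Is this date a date?": strict format and a real calendar day.
    $raw = $post['birthdate'] ?? null;
    $d = is_string($raw) ? DateTime::createFromFormat('!Y-m-d', $raw) : false;
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        $errors[] = 'birthdate';
    }
    return $errors;
}

function too_many(PDO $db, string $ip, int $now): bool {
    // Refuse the 3rd registration from one IP within 10 minutes.
    $q = $db->prepare('SELECT COUNT(*) FROM users WHERE ip = ? AND created > ?');
    $q->execute([$ip, $now - 600]);
    return (int)$q->fetchColumn() >= 2;
}

function register(PDO $db, array $session, array $post, string $ip, int $now): string {
    if (!csrf_ok($session, $post)) return 'rejected: csrf';
    if ($e = validate($post)) return 'rejected: ' . implode(',', $e);
    if (too_many($db, $ip, $now)) return 'rejected: rate limit';
    // Bound parameters: submitted values never become SQL text.
    $db->prepare('INSERT INTO users (email, birthdate, ip, created) VALUES (?,?,?,?)')
       ->execute([$post['email'], $post['birthdate'], $ip, $now]);
    // Escape for HTML before echoing submitted data back.
    return 'Welcome, ' . htmlspecialchars($post['email'], ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (email TEXT, birthdate TEXT, ip TEXT, created INTEGER)');
$session = ['csrf' => bin2hex(random_bytes(32))];   // $_SESSION in a real handler
$good = ['csrf' => $session['csrf'], 'email' => 'alice@example.com', 'birthdate' => '1990-02-28'];
// Constructed requests; 203.0.113.7 is a documentation address.
foreach ([$good, ['birthdate' => '1990-02-30'] + $good, ['csrf' => 'x'] + $good, $good, $good] as $post) {
    echo register($db, $session, $post, '203.0.113.7', time()), PHP_EOL;
}
```

Run from the command line, the five constructed requests are accepted, refused for the impossible date, refused for the wrong token, accepted, and refused by the rate limit, in that order.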

