5 Replies - 1515 Views - Last Post: 18 November 2011 - 03:46 PM Rate Topic: -----

#1 putha-nee  Icon User is offline

  • D.I.C Head

Reputation: 0
  • View blog
  • Posts: 168
  • Joined: 04-October 09

Using $_GET to retrieve data from a form and securing the link

Posted 18 November 2011 - 09:07 AM

Hey guys,

I have a question regarding the $_GET part of PHP. If $_GET is used to retrieve login information submitted from a form in file1 and this information is passed to file2, is it possible to securitize file2 so that if a user directly puts in the link to file2, they get an error rather than beuing able to see anything in file2.

I am trying to develop a local test login form in a secure manner which is why i am trying to better understand this. I am almost sure its possible, just can't wrap my hands around how to secure it.

Is This A Good Question/Topic? 0
  • +

Replies To: Using $_GET to retrieve data from a form and securing the link

#2 Duckington  Icon User is offline

  • D.I.C Addict

Reputation: 170
  • View blog
  • Posts: 608
  • Joined: 12-October 09

Re: Using $_GET to retrieve data from a form and securing the link

Posted 18 November 2011 - 09:25 AM

You could do a check on the referrer on file2, but I would advise you simply do not use GET. use POST.
Was This Post Helpful? 0
  • +
  • -

#3 putha-nee  Icon User is offline

  • D.I.C Head

Reputation: 0
  • View blog
  • Posts: 168
  • Joined: 04-October 09

Re: Using $_GET to retrieve data from a form and securing the link

Posted 18 November 2011 - 09:47 AM

How would you do a check on the referrer of file2 using POST?

I was upon the assumption that GET was the only way to do this because you have the full parameters in the URL and can check for the accordingly.

ex. http://localhost/php...bmitCredentials

Where submitbtn is the bogey to check for using the GET method...
Was This Post Helpful? 0
  • +
  • -

#4 Atli  Icon User is offline

  • D.I.C Lover
  • member icon

Reputation: 3719
  • View blog
  • Posts: 5,991
  • Joined: 08-June 10

Re: Using $_GET to retrieve data from a form and securing the link

Posted 18 November 2011 - 10:33 AM

Hey!

The problem with what you are asking, using either GET or POST, is that it is pretty easy to "fake" the form submission by constructing the requests by hand. The simplest form of this is to bypass a GET form by typing the data into the browser URL bar, but the same principle applies to POST requests as well.

For instance, this request could be used in place of both a POST and a GET form, while passing referer testing:
POST /page2.php?email=john.doe%40example.com&password=mypwd HTTP/1.1
Host: localhost
Referer: http://localhost/page1.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Connection: keep-alive

email=john.doe%40example.com&password=mypwd




The question I would like to ask is why do you want to prevent people submitting data without using your form? I mean, it's not like the above request, even though not submitted by your form, doesn't provide valid data.

One thing that springs to mind is preventing bots from trying to brute-force your logins. Well, there are other ways to combat that, besides trying to force the use of your form. It's common to add a max number of failed logins per IP address, so that if send an X number of invalid requests you are locked out for some time. And then there is always CAPTCHA checks.


If you really want people to use your form, however, you could use a session key to make that a little harder to bypass. Basically:
<?php
// On page1.php
session_start();

// Generate a unique key that you can use on page2
// to verify the form was acutally read
$key = sha1(uniqid() . mt_rand(1000, 9999));
$_SESSION['form_key'] = $key;
?>

<!-- And then inject it into the form like this: -->
<input type="hidden" name="form_key" value="<?php echo $key; ?>"/>


<?php
// On page2.php
session_start();

// Verify that the form_key was set and is valid.
if (!isset($_SESSION['form_key'], $_POST['form_key']) ||
    $_SESSION['form_key'] != $_POST['form_key']) 
{
    // Otherwise stop the script.
    unset($_SESSION['form_key']);
    die("You need to use the form to log in!");
}
?>


It's not going to stop anybody determined to bypass it, but it will make things a little more complicated.
Was This Post Helpful? 2
  • +
  • -

#5 codeprada  Icon User is offline

  • Changed Man With Different Priorities
  • member icon

Reputation: 947
  • View blog
  • Posts: 2,355
  • Joined: 15-February 11

Re: Using $_GET to retrieve data from a form and securing the link

Posted 18 November 2011 - 12:08 PM

I wrote a tutorial on this not too long ago. Atli said in short the main content of it though.
Validating and Controlling Form Submissions
Was This Post Helpful? 0
  • +
  • -

#6 putha-nee  Icon User is offline

  • D.I.C Head

Reputation: 0
  • View blog
  • Posts: 168
  • Joined: 04-October 09

Re: Using $_GET to retrieve data from a form and securing the link

Posted 18 November 2011 - 03:46 PM

Can this key also be used with $_GET?

And correct me if I am wrong but the following line is true when the key is not equal implying the user did not come through the first form

if (!isset($_SESSION['form_key'], $_POST['form_key']) ||
    $_SESSION['form_key'] != $_POST['form_key']) 


View PostAtli, on 18 November 2011 - 10:33 AM, said:

Hey!

The problem with what you are asking, using either GET or POST, is that it is pretty easy to "fake" the form submission by constructing the requests by hand. The simplest form of this is to bypass a GET form by typing the data into the browser URL bar, but the same principle applies to POST requests as well.

For instance, this request could be used in place of both a POST and a GET form, while passing referer testing:
POST /page2.php?email=john.doe%40example.com&password=mypwd HTTP/1.1
Host: localhost
Referer: http://localhost/page1.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Connection: keep-alive

email=john.doe%40example.com&password=mypwd




The question I would like to ask is why do you want to prevent people submitting data without using your form? I mean, it's not like the above request, even though not submitted by your form, doesn't provide valid data.

One thing that springs to mind is preventing bots from trying to brute-force your logins. Well, there are other ways to combat that, besides trying to force the use of your form. It's common to add a max number of failed logins per IP address, so that if send an X number of invalid requests you are locked out for some time. And then there is always CAPTCHA checks.


If you really want people to use your form, however, you could use a session key to make that a little harder to bypass. Basically:
<?php
// On page1.php
session_start();

// Generate a unique key that you can use on page2
// to verify the form was acutally read
$key = sha1(uniqid() . mt_rand(1000, 9999));
$_SESSION['form_key'] = $key;
?>

<!-- And then inject it into the form like this: -->
<input type="hidden" name="form_key" value="<?php echo $key; ?>"/>


<?php
// On page2.php
session_start();

// Verify that the form_key was set and is valid.
if (!isset($_SESSION['form_key'], $_POST['form_key']) ||
    $_SESSION['form_key'] != $_POST['form_key']) 
{
    // Otherwise stop the script.
    unset($_SESSION['form_key']);
    die("You need to use the form to log in!");
}
?>


It's not going to stop anybody determined to bypass it, but it will make things a little more complicated.

This post has been edited by putha-nee: 18 November 2011 - 04:12 PM

Was This Post Helpful? 0
  • +
  • -

Page 1 of 1