14 Replies - 777 Views - Last Post: 16 August 2015 - 10:41 AM

#1 alexstrinda

Access to php files

Posted 16 August 2015 - 12:04 AM

This must be a very stupid question, but I don't know how to phrase it to look it up by myself.

Currently I have a number of php files located on a virtual server. Now, say, an html file (located on my server) has a form that submits something to a php script, but how does the php file know that the data submitted to it is from the "right" html file? What if somebody knows how my php file works and creates a similar html file on his server that will be sending requests to my php file?


Replies To: Access to php files

#2 no2pencil

Re: Access to php files

Posted 16 August 2015 - 12:24 AM

Your form says which php file to use. There can't be two files with the same name.

#3 alexstrinda

Re: Access to php files

Posted 16 August 2015 - 12:34 AM

This is clear, but how does the php file know it has been sent info from "my" form? What if somebody else created a form and linked it to my php file?

#4 ndc85430

Re: Access to php files

Posted 16 August 2015 - 12:34 AM

There seems to be some confusion here. While the HTML file lives on the server, its contents are sent to the client (e.g. a browser) when requested (for example, by the client sending a GET request). The client submits the form data to the server.

The point here is that the client and server are decoupled. This means that, for example, the server can respond to requests from different kinds of clients - say browsers, or even other programs (look up how REST APIs are used, for example).

If you need to restrict access to the server, then you use a firewall or perhaps a proxy server to do so (I'm not too knowledgeable on these technologies).

#5 alexstrinda

Re: Access to php files

Posted 16 August 2015 - 12:39 AM

Maybe it is just my wording that confuses everybody.
Say I have myform.html that has a form that sends something to script.php

The myform.html knows where to send the info, as I explicitly say that in the form.
The script.php, on the other hand, only uses $_POST to access the data. It doesn't care whether this data has been sent from myform.html or somecreepyform.html placed somewhere else. No?

This post has been edited by alexstrinda: 16 August 2015 - 12:40 AM


#6 Atli

Re: Access to php files

Posted 16 August 2015 - 12:43 AM

There are some quick and easy ways to determine this, albeit not 100% reliable methods.

The easiest is to check the $_SERVER["HTTP_REFERER"] value. If sent by a normal browser, that will hold the URL of the page that sent the POST request to your PHP file. In your case, it would be the URL of the HTML file with the form.

You can also replace your HTML page with a PHP page, and use it to record when users are served the form. Then only allow users that have previously looked at the form to actually submit it. (Using hidden form values with tracking numbers, for example, is a popular thing to do.)

Note though that none of that is exactly difficult to bypass, should somebody be really really determined to clone your form. You'd need to research more advanced form security methods to make things more difficult for such attackers.

#7 alexstrinda

Re: Access to php files

Posted 16 August 2015 - 12:53 AM

Is there an "outside" method to do this? Say, ask the host provider to restrict access between the files to only if they are in the same server folder?

I will look into the techniques you suggested as well.

#8 Atli

Re: Access to php files

Posted 16 August 2015 - 01:29 AM

The short answer is: No.

The main thing to realize here is that the files themselves are in no way interacting with each other. The browser is always sitting in between them.

The host would have no way to determine whether the PHP script is really receiving data from a form in the HTML file sitting in the same directory.

The only way to do that is using something like the methods I mentioned earlier, and those are not perfect.

#9 alexstrinda

Re: Access to php files

Posted 16 August 2015 - 04:59 AM

Hi, I am somewhat stuck again.

1) I researched the $_SERVER["HTTP_REFERER"] method, but it is said that not all browsers provide (pass) this information, so there is no guarantee that it will work.

2) As for tracking numbers, I tried to look it up, but couldn't find much. Currently I am using a session number to log in. As long as the person is not logged in he will always be redirected to the main page. But if he is logged in, then it's a problem, as he can then use the cloned form.

Anything else I can search for?

#10 astonecipher

Re: Access to php files

Posted 16 August 2015 - 06:55 AM

Look up session usage.

Change the html to a php file and add a microtime stamp to a session variable. Store that timestamp in a data table with a hasBeenUsed flag.

When a form submits, check the database for the timestamp, the flag, and the difference between the submitted and served values. If it violates any of those, deny the submitted values.

Overkill, but it should limit what comes in. Why so worried?

This post has been edited by astonecipher: 16 August 2015 - 06:56 AM

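The hidden "tracking number" from post #6 and the served-timestamp / hasBeenUsed check from post #10, written out as one added PHP example (mine, not code from the thread). It keeps the issued tokens in the PHP session rather than a database table, which is a simplification; the form name 'shop_listing', the 15-minute lifetime, the expected host name and all helper names are assumptions. The situation in post #9 (a logged-in user whose browser submits a cloned form hosted elsewhere) is cross-site request forgery, and a per-form one-time token is the standard answer to it; the Referer check is kept only as a soft signal, because, as post #9 notes, browsers may not send the header at all.

```php
<?php
// Added example, not from the thread. One-time form tokens kept in the PHP
// session: post #6's hidden tracking value plus post #10's served-time and
// has-been-used checks. Assumes session_start() runs before any output on
// both the form page and the handler. Form name, TTL, host and function
// names are illustrative.
declare(strict_types=1);

const FORM_TOKEN_TTL = 900;                 // seconds a served form stays submittable (assumed)
const EXPECTED_HOST  = 'shop.example.edu';  // assumed; do NOT derive this from $_SERVER['HTTP_HOST']

// Serving side: call once per rendered form, embed the result as a hidden field.
function issue_form_token(string $formName): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['form_tokens'][$formName][$token] = [
        'issued' => microtime(true),             // post #10's served timestamp
        'used'   => false,                       // post #10's hasBeenUsed flag
    ];
    return $token;
}

// Handling side: true exactly once per issued token, and only inside the TTL.
// $submitted is untyped on purpose: $_POST can carry an array (form_token[]=x),
// which would be a TypeError against a ?string parameter under strict_types.
function verify_form_token(string $formName, $submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['form_tokens'][$formName])) {
        return false;
    }
    $store = &$_SESSION['form_tokens'][$formName];
    foreach (array_keys($store) as $token) {
        $token = (string) $token;
        if (!hash_equals($token, $submitted)) {  // constant-time comparison
            continue;
        }
        $meta  = $store[$token];
        $stale = (microtime(true) - $meta['issued']) > FORM_TOKEN_TTL;
        if ($meta['used'] || $stale) {
            unset($store[$token]);               // replayed or expired: discard
            return false;
        }
        $store[$token]['used'] = true;           // burn it: a second submit fails
        return true;
    }
    return false;                                // never issued to this session
}

// Soft check only (posts #6 and #9): an absent Referer proves nothing, so
// reject only when the header is present AND names a foreign host.
function referer_is_foreign(): bool
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return !is_string($host) || strcasecmp($host, EXPECTED_HOST) !== 0;
}

// form.php (replaces myform.html, as post #6 suggests):
//   session_start();
//   $t = issue_form_token('shop_listing');
//   echo '<form method="post" action="script.php">'
//      . '<input type="hidden" name="form_token" value="' . htmlspecialchars($t, ENT_QUOTES) . '">'
//      . '<input name="tech_name"><button>Sell</button></form>';
//
// script.php:
//   session_start();
//   if (referer_is_foreign() || !verify_form_token('shop_listing', $_POST['form_token'] ?? null)) {
//       http_response_code(403);
//       exit('Rejected: token missing, reused, expired, or foreign referer.');
//   }
//   // ...process $_POST['tech_name'] here; it is still untrusted input (post #13).
```

The token is tied to the session, so a cloned form on another site cannot obtain one, and because each token is marked used on first acceptance a captured submission cannot be replayed. The expected host is a constant rather than `$_SERVER['HTTP_HOST']`, since that header is also supplied by the client.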

#11 alexstrinda

Re: Access to php files

Posted 16 August 2015 - 08:34 AM

Huh :) I am learning PHP & MYSQL at the moment (I have found a nice book) and I just thought that, probably, compromising forms would be the easiest way of all (all those MySQL injections, cookie stealing ...).

As for the project - nothing serious - making a small shop for a school educational game where students first invent technologies and then place them on sale. I doubt anybody will try to hack it ))

#12 astonecipher

Re: Access to php files

Posted 16 August 2015 - 09:18 AM

Then, at this stage don't worry about it. Rarely are those kinds of measures needed.


:rockon:

#13 CTphpnwb

Re: Access to php files

Posted 16 August 2015 - 10:26 AM

It doesn't matter where the form came from, because the data can't ever be trusted to be safe. What matters is that your PHP and database access code handles the request properly. That's why, for example, prepared statements are critical.

#14 alexstrinda

Re: Access to php files

Posted 16 August 2015 - 10:35 AM

Ok, yes, I understand. That's why I am writing my code using those, even though I can't yet decide whether to go with mysqli or PDO. The book I am reading uses mysqli, and I am somewhat used to the procedural style, but it is never too late to change, I guess.

#15 astonecipher

Re: Access to php files

Posted 16 August 2015 - 10:41 AM

True and every instance I can imagine where this is needed would also be using login credentials.

My preference is PDO, because if you decide down the line to change from mysql to sql server or any other flavor, it is minimal changes. Mysqli is specific.
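Post #13's point (the request is untrusted no matter which form sent it, so the database code must be correct) and post #15's PDO-versus-mysqli comparison, as one added PHP example that is mine and not from the thread. The `technologies` table, its columns, the connection details and the function names are assumptions made to fit the school-shop project described in post #11; the attacker input is constructed for the demonstration.

```php
<?php
// Added example, not from the thread. The same untrusted $_POST value is
// harmless to both prepared-statement versions and breaks the concatenated
// one. Table, columns and credentials are assumed. mysqli_stmt_get_result()
// and mysqli_fetch_all() need the mysqlnd driver, which is the PHP default.
declare(strict_types=1);

// Constructed attacker input: closes the string literal and appends a tautology.
const ATTACK_INPUT = "' OR '1'='1";

// VULNERABLE: the submitted value becomes part of the SQL text.
function find_technology_unsafe(mysqli $db, string $name): array
{
    $sql = "SELECT id, name, price FROM technologies WHERE name = '$name'";
    // With ATTACK_INPUT this reads:
    //   ... WHERE name = '' OR '1'='1'      -> returns every row in the table
    $res = mysqli_query($db, $sql);
    return $res ? mysqli_fetch_all($res, MYSQLI_ASSOC) : [];
}

// SAFE, procedural mysqli (the style the OP's book uses): the value travels
// separately from the query text, so it can only ever be compared as data.
function find_technology_mysqli(mysqli $db, string $name): array
{
    $stmt = mysqli_prepare($db, 'SELECT id, name, price FROM technologies WHERE name = ?');
    mysqli_stmt_bind_param($stmt, 's', $name);   // 's' = bind as string
    mysqli_stmt_execute($stmt);
    $res = mysqli_stmt_get_result($stmt);
    return $res ? mysqli_fetch_all($res, MYSQLI_ASSOC) : [];
}

// SAFE, PDO (post #15's preference): same code against another engine except
// for the DSN passed to connect_pdo().
function find_technology_pdo(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, price FROM technologies WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection settings. Exceptions surface errors instead of silently
// returning false; disabling emulation makes PDO use real server-side
// prepared statements with MySQL.
function connect_pdo(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Usage in script.php, after the form-token check:
//   $name = is_string($_POST['tech_name'] ?? null) ? $_POST['tech_name'] : '';
//   $rows = find_technology_pdo(connect_pdo(), $name);
//   // With $name === ATTACK_INPUT the prepared versions return zero rows
//   // (no technology is literally named "' OR '1'='1"); the unsafe one returns all.
```

Both safe variants keep the value out of the SQL text entirely, which is what makes the origin of the form irrelevant to correctness: the worst a cloned form can do is send a legal string to look up.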
