PHP prevents remote form submission

Source: Internet
Author: User

The advantage of the Web is that information and services can be shared. The downside is that anyone can use that shared information and those services, and some people do so without scruples.
Take a form as an example. Anyone can visit a Web site and use File > Save As in the browser to create a local copy of the form. He can then change the action attribute to point at a fully qualified URL (for example http://www.yoursite.com/formhandler.php instead of the relative formhandler.php, which only resolves while the form is hosted on your site), make any modifications he wants and click Submit, and your server receives the form data as if it were a legitimate request.
First, you might consider checking `$_SERVER['HTTP_REFERER']` to determine whether the request originated from your own server. This blocks most casual abusers but not the more capable ones: the Referer header is supplied by the client, so it can be forged to make a remote copy of the form look as though it was submitted from your site.
A better way to handle remote form submission is to generate a token from a unique string or timestamp and store it in two places: in a session variable and in a hidden field of the form. When the form is submitted, check that the two tokens match. If they do not, someone is sending data from a remote copy of the form.
To create a random token you can use PHP's built-in `md5()`, `uniqid()` and `rand()` functions, as shown below:

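The article's own listing did not survive extraction. The following is an added example (not the original author's code) of the scheme the text describes: a token generated with `md5()`, `uniqid()` and `rand()`, stored in `$_SESSION` and in a hidden form field, then compared on submission. The field name `form_token` and the two function names are this example's own choices, and the file is assumed to be saved as `formhandler.php` so that the form posts back to itself. Where the token is compared, `hash_equals()` is used rather than `==` so the comparison does not leak information through timing; on PHP 7 and later, `bin2hex(random_bytes(16))` is the cryptographically stronger way to generate the token, although the article's recipe is kept here to match the text.

```php
<?php
// Added example (not the article's code): token check against remote form
// submission. Names form_token, issueFormToken and verifyFormToken are
// this example's own.

session_start();

// Issue a fresh token, keep a copy in the session and return it so the
// form can carry it in a hidden field.
function issueFormToken(): string
{
    // The article's recipe: md5() over uniqid() seeded with rand().
    // On PHP 7+ prefer bin2hex(random_bytes(16)) for a stronger token.
    $token = md5(uniqid((string) rand(), true));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Compare the submitted token with the session copy. Returns true only when
// both exist and match. The session copy is consumed either way, so a token
// cannot be reused once it has been checked.
function verifyFormToken(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    $submitted = $post['form_token'] ?? null;

    // A remote copy of the form arrives with no session token at all,
    // or with a field that does not match anything we issued.
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison: do not leak the token via timing.
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyFormToken($_POST)) {
        http_response_code(403);
        exit('Form token mismatch: submission rejected.');
    }
    // The submission came from a form we rendered; handle the data here.
    exit('Form accepted.');
}

// GET request: render the form with the token in a hidden field.
$token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="formhandler.php">
  <input type="hidden" name="form_token" value="<?= $token ?>">
  <input type="text" name="comment">
  <button type="submit">Submit</button>
</form>
```

Loading the page with GET issues a token and renders the form; posting the form back sends the hidden field together with the session cookie, so `verifyFormToken()` finds both copies and accepts the request. A copy of the form saved to disk and submitted from elsewhere still carries whatever token was in the saved HTML, but the session that issued it is gone (or never existed on the submitting browser), so the check fails and the handler answers with 403.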

This technique works because PHP session data stays on your server and cannot be carried over to another one. Even if someone obtains your PHP source code, hosts a copy of the form on their own server and submits it to yours, your server sees only an empty or malformed session token next to the form token it issued earlier. Because the two do not match, the remote form submission fails.
