is there a better way to know from which php file the request comes from ??

On 17.08.2009 11:17:30 by nashrul

This is a newbie question...
Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
submission from page1.php or page2.php will take the user to page3.php.
I know that we can use a parameter that is appended in the action attribute of
the form (e.g.

)
But I think appending this parameter is transparent to the user, since it's
visible in the url.
And I think we can also use the hidden field or (form name ??).
So which one is most secure and better ??
Thanks..
--
View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
Sent from the PHP - General mailing list archive at Nabble.com.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 11:24:09 by Ashley Sheridan

On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote:
> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use parameter that is appended in the action attribute of
> the form (e.g )
> But I think, appending this parameter is transparent to the user, since it's
> visible in the url.
> And I think we can also use the hidden field or (form name ??.).
> So which one is most secured and better ??
> Thanks..
> --
> View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
> Sent from the PHP - General mailing list archive at Nabble.com.
>
>
Neither GET nor POST is more secure, it's just that POST requires a tiny
bit more work to see what's being sent. You can use the
$_SERVER['HTTP_REFERER'] variable to detect where a request has come
from. The documentation for this particular variable mentions that it
can't be trusted, as it can be changed by the client browser, but then,
so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER
route, because it is completely transparent, and the majority of users
aren't going to bother changing it.

Thanks,
Ash
http://www.ashleysheridan.co.uk

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 11:40:05 by kranthi

HTTP_REFERER is transparent, but it can be messed with very easily. I
prefer use of $_SESSION vars if security is needed in my application
(especially when a page is shown after a POST request)

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 19:04:44 by Ralph Deffke

If you need a solution to know where the request comes from on a certain
secure level you can use cookies.

You might also have run into pages on the web giving you hard readable images you
have to put into a form field. Together with cookies this design gives you
1000% from where the form data come.

Depends what security level you want to implement

regards
ralph_deffke@yahoo.de


"nashrul" wrote in message
news:25003587.post@talk.nabble.com...
>
> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use parameter that is appended in the action attribute
of
> the form (e.g )
> But I think, appending this parameter is transparent to the user, since
it's
> visible in the url.
> And I think we can also use the hidden field or (form name ??.).
> So which one is most secured and better ??
> Thanks..
> --
> View this message in context:
http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
> Sent from the PHP - General mailing list archive at Nabble.com.
>

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 20:18:25 by Ashley Sheridan

On Mon, 2009-08-17 at 19:04 +0200, Ralph Deffke wrote:
> If u need a solution to know where the request comes from on a certain
> secure level u can use cookies.
>
> u might also have run into pages on the web giving u hard readable images u
> have to put into a form field. toghether with cookies these design gives u
> 1000% from where the form data come.
>
> depends what security level u whant to implement
>
> regards
> ralph_deffke@yahoo.de
>
>
> "nashrul" wrote in message
> news:25003587.post@talk.nabble.com...
> >
> > This is a newbie question...
> > Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> > submission from page1.php or page2.php will take user to page3.php.
> > I know that we can use parameter that is appended in the action attribute
> of
> > the form (e.g )
> > But I think, appending this parameter is transparent to the user, since
> it's
> > visible in the url.
> > And I think we can also use the hidden field or (form name ??.).
> > So which one is most secured and better ??
> > Thanks..
> > --
> > View this message in context:
> http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
> > Sent from the PHP - General mailing list archive at Nabble.com.
> >
>
>
>
Nothing that comes from the client can be considered secure, so cookies
are out too I'm afraid.

Thanks,
Ash
http://www.ashleysheridan.co.uk

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 21:11:51 by Ben Dunlap

> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use parameter that is appended in the action attribute of
> the form (e.g )
> But I think, appending this parameter is transparent to the user, since it's
> visible in the url.

Why does it matter?

I don't mean to suggest that it doesn't, but I'm just wondering if
you could explain the design of your app a bit.

You've sketched out an attack scenario in which a user maliciously
alters a variable in the request so that page3.php thinks the request
is coming from page2.php, when in fact it's coming from page1.php --
or vice versa.

But suppose an attacker does trick page3.php into mistaking the origin
of the POST. Does it make a difference? Presumably page3.php will be
filtering all of its input, and will discard the request if, for
example, it claims to be from page2.php but doesn't contain the sort
of data that a request from page2 would contain.

But if it does contain the right data, and the data is valid, then
does it matter if the data was not actually collected on page2.php?
The statelessness of HTTP can be one of its beauties -- and I would be
inclined against introducing statefulness unless the app really needs
it.

At any rate your problem is reminiscent of CSRF:

http://en.wikipedia.org/wiki/Cross-site_request_forgery

And I'm wondering if you could borrow from anti-CSRF techniques to
solve it (assuming, again, that it really needs to be solved).

Ben

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 22:36:41 by Tom Worster

On 8/17/09 5:24 AM, "Ashley Sheridan" wrote:

> On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote:
>> This is a newbie question...
>> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
>> submission from page1.php or page2.php will take user to page3.php.
>> I know that we can use parameter that is appended in the action attribute of
>> the form (e.g )
>> But I think, appending this parameter is transparent to the user, since it's
>> visible in the url.
>> And I think we can also use the hidden field or (form name ??.).
>> So which one is most secured and better ??
>> Thanks..
>> --
>> View this message in context:
>> http://www.nabble.com/is-there-a-better-way-to-know-from-whi ch-php-file-the-r
>> equest-comes-from----tp25003587p25003587.html
>> Sent from the PHP - General mailing list archive at Nabble.com.
>>
>>
> Neither GET or POST is more secure, it's just that POST requires a tiny
> bit more work to see what's being sent. You can use the
> $_SERVER['HTTP_REFERER'] variable to detect where a request has come
> from. The documentation for this particular variable mentions that it
> can't be trusted, as it can be changed by the client browser, but then,
> so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER
> route, because it is completely transparent, and the majority of users
> aren't going to bother changing it.

You're probably right. Though I remember when I considered using HTTP_REFERER,
I looked up the http rfc and it said that use of the header was optional.
That made sense. So I decided not to make any of the app functionality depend on
it.
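Ashley's suggestion to look at HTTP_REFERER and Tom's observation that the RFC makes the header optional together describe the only sane way to consume it: as a client-supplied hint that can be logged or compared, with "absent" treated as unknown rather than as a failure, and never as the thing that decides whether page3.php accepts the submission. The following is an added example and is not code from the thread or from any of the posters; the example.com hostnames and the referer strings in the self-check are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Classifies the Referer header as
// the replies above describe it: client-controlled (so only a weak
// consistency hint) and optional per the HTTP RFC (so a missing header is
// "absent", not a mismatch). Acceptance of the form itself must rest on a
// session-bound token, not on this value.

function classifyReferer(?string $referer, string $expectedHost): string
{
    if ($referer === null || $referer === '') {
        return 'absent';        // browser, proxy or privacy setting stripped it
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return 'malformed';     // not a URL at all; log it, do not act on it
    }
    // Compare the host only, case-insensitively; path and query prove nothing.
    return strtolower($parts['host']) === strtolower($expectedHost)
        ? 'same-host'
        : 'cross-host';
}

// page3.php would call classifyReferer(refererFrom($_SERVER), 'example.com')
// and, for instance, log 'cross-host' submissions for review.
function refererFrom(array $server): ?string
{
    $value = $server['HTTP_REFERER'] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed inputs for a CLI self-check; the hostnames are invented.
function selfCheck(): bool
{
    $cases = [
        ['http://example.com/page1.php',          'example.com', 'same-host'],
        ['https://EXAMPLE.com/page2.php?x=1',     'example.com', 'same-host'],
        ['http://example.com.attacker.example/', 'example.com', 'cross-host'],
        [null,                                    'example.com', 'absent'],
        ['not a url',                             'example.com', 'malformed'],
    ];
    foreach ($cases as [$referer, $host, $want]) {
        if (classifyReferer($referer, $host) !== $want) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo selfCheck() ? "referer classification ok\n" : "referer classification FAILED\n";
}
```

The useful property of the four-way result is that it keeps "no header" separate from "wrong header": a hard check that rejects on absence will turn away legitimate users behind privacy settings or proxies, while a check that treats absence as a pass gives a forger a trivial way through. Either way the value only ever feeds logging or a risk signal, not the accept/reject decision.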

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 22:48:21 by Tom Worster

On 8/17/09 5:17 AM, "nashrul" wrote:

> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use parameter that is appended in the action attribute of
> the form (e.g )
> But I think, appending this parameter is transparent to the user, since it's
> visible in the url.
> And I think we can also use the hidden field or (form name ??.).
> So which one is most secured and better ??

I'm not in love with using the form POST method combined with an action url
that includes pseudo-GET parameters.

For POST forms, I use a convention of always having a hidden input in the
form to indicate which form sent the query, e.g.



This also comes in handy if one server script processes more than one form.

As for security, there's little difference between this method, using GET
values, using HTTP_REFERER, or what have you. Protection against spoofing
lies not in these choices.

Re: is there a better way to know from which php file the request comes from ??

On 17.08.2009 23:31:39 by Shawn McKenzie

nashrul wrote:
> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use parameter that is appended in the action attribute of
> the form (e.g )
> But I think, appending this parameter is transparent to the user, since it's
> visible in the url.
> And I think we can also use the hidden field or (form name ??.).
> So which one is most secured and better ??
> Thanks..

I personally don't see a problem with using get or post vars, but to
keep the user from being able to manipulate it do this. This could also
be in a header file included at the top of all pages:

//page1.php and page2.php
session_start();
$_SESSION['page'] = $_SERVER['PHP_SELF'];

//page3.php
session_start();
$page = $_SESSION['page'];
// use $page somehow . . .

--
Thanks!
-Shawn
http://www.spidean.com

Re: is there a better way to know from which php file the request comes from ??

On 18.08.2009 00:04:26 by Eddie Drapkin

On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzie wrote:
> nashrul wrote:
>> This is a newbie question...
>> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
>> submission from page1.php or page2.php will take user to page3.php.
>> I know that we can use parameter that is appended in the action attribute of
>> the form (e.g )
>> But I think, appending this parameter is transparent to the user, since it's
>> visible in the url.
>> And I think we can also use the hidden field or (form name ??.).
>> So which one is most secured and better ??
>> Thanks..
>
> I personally don't see a problem with using get or post vars, but to
> keep the user from being able to manipulate it do this. This could also
> be in a header file included at the top of all pages:
>
> //page1.php and page2.php
> session_start();
> $_SESSION['page'] = $_SERVER['PHP_SELF'];
>
> //page3.php
> session_start();
> $page = $_SESSION['page']
> // use $page somehow . . .
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

This approach degrades very simply:

1) Say you have four pages, a.php, b.php, c.php and d.php.
2) b expects user to come from a, d from c.
3) I open two tabs, a.php and c.php.
4) $_SESSION['from'] is now c.php
5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
6) I post to d from c and get an error.

Obviously this example is a tad bit contrived, but as long as your
user is browsing your site in more than one tab/window, using that
approach will break often and result in a user experience, so I'd
stick away from it.

As far as relying on cookies, HTTP headers, hidden form fields, etc.
they are all user input, and Lesson 1 in Security 101 is that you don't
trust user input. Ever. I always assume that the best HTTP blackhats
are after my sites when I write them and make them unnecessarily
overthought, but they're secure. I even let a few
(black|white|grey)hat friends of mine take a peek at the code, when I
can, to get their input. If you can think of a way to exploit your
code, so can someone else. And so will someone else.

Generally speaking, I'm not entirely sure that this is a question that
even needs an answer. I'm going to have to echo a sentiment from
earlier in the thread that you need to be validating all of your data
anyway, so it shouldn't matter if I POST to page3 from page2 or from
page1 or from a CLI app written with curl/wget. What should matter is
whether or not the data I'm POST'ing meets the security criteria that
you've dictated (whatever that may be) and gets properly
escaped/filtered before being entered into the database or otherwise
used. I'd venture so far as to say that if you need to care about
where a form is POST'd from for security, you have a flawed security
model and in all likelihood a very insecure application and some
serious refactoring to do.

I can't imagine a situation where dictating page2 comes from page1 and
page3 comes from page2 is necessary for security at all. Perhaps I'm
being shortsighted and you can provide some examples?
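Ben's pointer to anti-CSRF techniques, Tom's convention of a hidden input naming the form, Shawn's idea of keeping the origin in the session, and Eddie's two-tab scenario all fit together in one construction: the session stores a random token per form name rather than a single "last page" value, the form carries both its name and its token as hidden fields, and page3.php compares the two. Rendering page2.php in a second tab then cannot invalidate the form still open in the first. The following is an added example, not code from the thread or from any of the posters; the form names page1/page2, the 30-minute lifetime and the CLI self-check are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. One token per form name is kept
// in the session, so rendering page2.php in a second tab does not overwrite
// the token page1.php issued in the first (Eddie's a/b/c/d scenario). The
// session array is passed by reference so the same functions run against a
// plain array on the CLI; in the web pages, pass $_SESSION after session_start().

const FORM_TOKEN_TTL = 1800;   // seconds; an assumption for this example

// page1.php / page2.php: mint a token for this form and remember it.
function issueFormToken(array &$session, string $formName): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$formName] = ['token' => $token, 'issued' => time()];
    return $token;
}

// page1.php / page2.php: the two hidden inputs page3.php will check.
function hiddenFormFields(array &$session, string $formName): string
{
    $token = issueFormToken($session, $formName);
    return sprintf(
        '<input type="hidden" name="form_id" value="%s">'
        . '<input type="hidden" name="form_token" value="%s">',
        htmlspecialchars($formName, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
    );
}

// page3.php: returns the form name the submission proves it came from, or
// null. The stored token is single-use and is consumed even on mismatch.
function verifyFormToken(array &$session, array $post, array $allowedForms): ?string
{
    $formName = $post['form_id'] ?? null;
    $token    = $post['form_token'] ?? null;
    if (!is_string($formName) || !in_array($formName, $allowedForms, true)) {
        return null;                       // unknown or malformed form_id
    }
    $stored = $session['form_tokens'][$formName] ?? null;
    unset($session['form_tokens'][$formName]);
    if ($stored === null || time() - $stored['issued'] > FORM_TOKEN_TTL) {
        return null;                       // never issued, already used, or expired
    }
    if (!is_string($token) || !hash_equals($stored['token'], $token)) {
        return null;                       // forged, replayed, or from another form
    }
    return $formName;
}

// page3.php usage (after session_start()):
//   $from = verifyFormToken($_SESSION, $_POST, ['page1', 'page2']);
//   if ($from === null) { http_response_code(400); exit('invalid or expired form submission'); }
//   // ...then validate every posted field the way $from's form defines it.

// CLI self-check with a plain array standing in for $_SESSION (constructed input).
function selfCheck(): bool
{
    $session = [];
    $allowed = ['page1', 'page2'];
    $t1 = issueFormToken($session, 'page1');   // tab 1 renders page1.php
    $t2 = issueFormToken($session, 'page2');   // tab 2 renders page2.php
    // Both tabs submit successfully, whichever was rendered last.
    $ok = verifyFormToken($session, ['form_id' => 'page1', 'form_token' => $t1], $allowed) === 'page1'
       && verifyFormToken($session, ['form_id' => 'page2', 'form_token' => $t2], $allowed) === 'page2';
    // A token presented under another form's name, and a replay of an
    // already consumed token, are both rejected.
    $t3 = issueFormToken($session, 'page1');
    issueFormToken($session, 'page2');
    $ok = $ok
       && verifyFormToken($session, ['form_id' => 'page2', 'form_token' => $t3], $allowed) === null
       && verifyFormToken($session, ['form_id' => 'page1', 'form_token' => $t1], $allowed) === null;
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo selfCheck() ? "form token checks passed\n" : "form token checks FAILED\n";
}
```

Two design points are worth spelling out. The token is compared with hash_equals rather than == so that the comparison time does not depend on where the strings first differ, and it is removed from the session before the comparison so that a wrong guess also burns it. And, as Eddie and Ben both say, proving which form the data came from does not replace validating the data: the verified form name only tells page3.php which set of field rules to apply.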

Re: is there a better way to know from which php file the request comes from ??

On 18.08.2009 00:29:53 by Shawn McKenzie

Eddie Drapkin wrote:
> On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzie wrote:
>> nashrul wrote:
>>> This is a newbie question...
>>> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
>>> submission from page1.php or page2.php will take user to page3.php.
>>> I know that we can use parameter that is appended in the action attribute of
>>> the form (e.g )
>>> But I think, appending this parameter is transparent to the user, since it's
>>> visible in the url.
>>> And I think we can also use the hidden field or (form name ??.).
>>> So which one is most secured and better ??
>>> Thanks..
>> I personally don't see a problem with using get or post vars, but to
>> keep the user from being able to manipulate it do this. This could also
>> be in a header file included at the top of all pages:
>>
>> //page1.php and page2.php
>> session_start();
>> $_SESSION['page'] = $_SERVER['PHP_SELF'];
>>
>> //page3.php
>> session_start();
>> $page = $_SESSION['page']
>> // use $page somehow . . .
>>
>> --
>> Thanks!
>> -Shawn
>> http://www.spidean.com
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
> This approach degrades very simply:
>
> 1) Say you have four pages, a.php, b.php, c.php and d.php.
> 2) b expects user to come from a, d from c.
> 3) I open two tabs, a.php and c.php.
> 4) $_SESSION['from'] is now c.php
> 5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
> 6) I post to d from c and get an error.
>

Yep, I didn't really think it through :-(

--
Thanks!
-Shawn
http://www.spidean.com

Re: is there a better way to know from which php file the request comes from ??

On 18.08.2009 01:16:11 by Ralph Deffke

I was reviewing your post, and thinking you might talk about a pretty common
application like in a sequence of order forms you want first the billing data
then the shipping data. For both you need just the same form you then process on
script3.

In such a case it doesn't matter if you use hidden fields or url parameters,
GET or POST to run different code for each form data in script 3; neither can
I see a security issue here. You're processing only the variables you defined. And
what does it matter if you have a hidden field like stepp=1 or stepp=2 and
a bored user puts just for fun stepp=99 to piek your ass. Just take care in your
code for it and display something (e.g. "hang on, big brother is watching
you")

This is good practice and common all over. Every PHPer has his own way to do
it, and I think you are in the process of finding yours. Just try what you like best.

If you have a real security issue come back with more details about the
SECURITY issue and I'm sure the group will have a good brainstorm going
again.

have fun
ralph_deffke@yahoo.de

"nashrul" wrote in message
news:25003587.post@talk.nabble.com...
>
> This is a newbie question...
> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
> submission from page1.php or page2.php will take user to page3.php.
> I know that we can use parameter that is appended in the action attribute
of
> the form (e.g )
> But I think, appending this parameter is transparent to the user, since
it's
> visible in the url.
> And I think we can also use the hidden field or (form name ??.).
> So which one is most secured and better ??
> Thanks..
> --
> View this message in context:
http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-from----tp25003587p25003587.html
> Sent from the PHP - General mailing list archive at Nabble.com.
>
