form submit security with php

2019-07-14 04:38发布

I have users click on a link sent to their email that takes them to a form (say, register.php) to complete their registration.

I have a check upon form submission in register.php:

if(isset($_POST['submitted']) and $_SERVER['REQUEST_METHOD'] == 'POST') {
    //register user in database
}

My question is: could someone technically circumvent this formal registration process by simply creating a custom http POST request with $_POST['submitted'] set? If so, what's a good way to check for this? I have checks for someone trying to GET to the registration page in an unauthorized manner but I feel like someone POSTing to the page isn't secure enough. Should I even be worried about this if I decide to use HTTPS? I hope this makes sense. Thanks in advance.

标签： php security

2条回答

一纸荒年 Trace。

2楼-- · 2019-07-14 05:31

The issue you describe is called cross-site request forgery. The attack can be prevented by generating a token, and setting the value of a hidden input in the form to the token. Also, set a session variable to the token value. In your PHP form receiving the post data, check if the session token and the sent token match. If they match, the form came from your site.

Here is another stack overflow question that includes more details about preventing Cross-Site Request Forgery: How to prevent Cross-site request forgery (CSRF) effectively in PHP.

0人赞添加讨论(0) 举报

来，给爷笑一个

3楼-- · 2019-07-14 05:39

Best way is to install a captcha

https://www.google.com/recaptcha/intro/index.html

0人赞添加讨论(0) 举报

form submit security with php

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间