
How to secure CodeIgniter functions in the controller?

I am currently developing something in CodeIgniter, a project that I need a little more security for. (I bought an SSL certificate.)

I saw that if I create a function, let's say the one that is called when I submit the account details to register an account, I can access it easily by calling it directly.

First of all it looks bad. I also wonder if there are any security concerns I should worry about.

I found on the internet that a way of blocking direct access is to put this in every function:

// redirect when the request carries no Referer header at all
$THE_REFER = strval(isset($_SERVER['HTTP_REFERER']));
if (!$THE_REFER) {
    redirect('home');
}

But it doesn't look too professional.

Thank you

Are you looking for public vs private functions?

HTML

<form method="POST" action="/validate/register">
    <!-- username, password, blah blah blah -->
</form>

PHP (validate.php)

class Validate extends CI_Controller {

    // accessible in URL (/validate/register)
    public function register()
    {
        if ($this->verify_info())
        {
            // success message
        }
        else
        {
            // error message
        }
    }

    // accessible only in this class/controller; a request for
    // /validate/verify_info is rejected by the router
    private function verify_info()
    {
        // logic to check if info is good
        // work in CSRF token protection
        // return true or false
        return FALSE;
    }
}

The HTTP Referer header contains whatever the client wants it to contain.

You could store (server side) a timestamp against the session to record that the client has loaded the account details form, then verify this record when you get an account submission. It is up to you whether this record would be cleared if the user accesses other pages and how long it would remain valid.

There is no single easy solution, as your ability to verify the client is limited. You must balance the effort you invest in security with the value of the data (and trust) you seek to protect and the degree to which you are exposed.
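The server-side "form was loaded" record from the answer above, written out as a CodeIgniter 3 controller. This is an added example, not code from the question or either answer; it assumes the session library is autoloaded, that csrf_protection is enabled in application/config/config.php so form_open() emits the token, and that the view and the 900-second validity window are placeholders you would adjust.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example: records when the registration form was served and
// refuses submissions that were not preceded by a recent form load.
class Account extends CI_Controller
{
    const FORM_TTL = 900; // seconds a served form stays valid (assumed value)

    // GET /account/register : show the form and note the load time in the session
    public function register()
    {
        $this->session->set_userdata('register_form_loaded', time());
        $this->load->view('account/register'); // view uses form_open('account/submit')
    }

    // POST /account/submit : honoured only for a POST that follows a recent form load;
    // the CSRF token itself is checked by the framework before this method runs
    public function submit()
    {
        if ($this->input->method() !== 'post' || !$this->form_was_loaded()) {
            // direct call, GET, or stale form: send the user back to the form
            redirect('account/register');
            return;
        }
        // one-shot record: a second submit needs a fresh form load
        $this->session->unset_userdata('register_form_loaded');

        if ($this->verify_info($this->input->post('username'), $this->input->post('password'))) {
            $this->load->view('account/registered');
        } else {
            $this->load->view('account/register', array('error' => 'Invalid details'));
        }
    }

    // not routable: only this controller can call it
    private function form_was_loaded()
    {
        $loaded = $this->session->userdata('register_form_loaded');
        return $loaded !== NULL && (time() - (int) $loaded) <= self::FORM_TTL;
    }

    // placeholder validation; real rules would go through the form_validation library
    private function verify_info($username, $password)
    {
        return is_string($username) && strlen($username) >= 3
            && is_string($password) && strlen($password) >= 8;
    }
}
```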
