
How to protect form data on my site?

I have this page which posts data to another URL. I tried using cURL but it didn't work, since I need the user to be redirected to the destination website and cURL was just bringing it into the current one. So what I'm doing is

<form action='http://destination.com' method='post' name='frm'>
 <!-- session key fixed from 'accont_id'; value escaped so it cannot break out of the attribute -->
 <input type='hidden' name='account_id' value='<?php echo htmlspecialchars($_SESSION["account_id"], ENT_QUOTES); ?>'>
</form>
<script>
 // auto-submit: the browser (and anything proxying it) sees the account_id in the POST body
 document.frm.submit();
</script>

But obviously this is totally insecure, and any user using a program like Charles Proxy can intercept and change this data. Is there a way to protect it? Validation won't do the job because the users are aware of the kind of data my database has; they know everyone's account ID and I can't change that. What can I do? Maybe encryption will work? Even if the user is able to change the data it's OK as long as they can't change it to another valid account's ID. I'm thinking of something like a secret/hash but can't put it all together in my mind.

I tried using this:

<?php
$url = 'http://www.destination.com';
// request headers for the server-to-server POST ($header was undefined in the original)
$header = ['Content-Type: application/x-www-form-urlencoded'];
$curl = curl_init();
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_AUTOREFERER, true);
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query(['account_id' => $_SESSION['account_id']]));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // capture the response instead of echoing it into this page
$response = curl_exec($curl);
curl_close($curl);
// the POST above happened server to server; the browser's own request below carries none of it
echo "<meta http-equiv='refresh' content='0;url=http://destination.com'/>";

But the page was redirected and no data arrived. The POST wouldn't go through.

The bottom line of the discussion in the comments above is this approach to what you are actually trying to do:

You make the cURL request to the remote system posting the user ID, so server to server. The remote system creates some random token (a random 32-character string) and returns it; it stores that token together with the posted user ID for later reference. Now the local system sends a redirection header to the client which includes that token. That leads to the client making a request to the remote system claiming the token it was handed. The remote system checks for a stored token, can derive the user ID from it, creates a user session and deletes the token.
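The handoff described in this answer, as an added example in Python that is not from the original post and not either site's real code. Both servers are simulated in one process, so the server-to-server cURL call becomes a direct method call; the endpoint https://destination.com/login, the 60-second token lifetime and the 32-byte token size are assumptions. It also shows the two failure cases a practitioner would want covered: a token that is replayed or edited in the browser, and a token that has expired.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 60   # assumption: a handoff token is only valid briefly
REMOTE_LOGIN_URL = "https://destination.com/login"   # assumed endpoint on the remote site


class RemoteSite:
    """Stand-in for destination.com: issues and redeems one-time handoff tokens."""

    def __init__(self):
        self._pending = {}   # token -> (account_id, expires_at)
        self.sessions = {}   # session_id -> account_id

    def issue_token(self, account_id, now=None):
        # Reached only over the server-to-server channel (the cURL POST), which a
        # real deployment must authenticate (shared secret, mTLS); a browser never gets here.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._pending[token] = (account_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Browser arrives with ?token=...; return a new session id, or None."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)   # pop: a token can be redeemed once
        if entry is None:
            return None                          # unknown, tampered or replayed
        account_id, expires_at = entry
        if now > expires_at:
            return None                          # expired before the browser showed up
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = account_id   # the account id came from the trusted channel
        return session_id


class LocalSite:
    """Stand-in for the asker's site, which knows the logged-in user's account id."""

    def __init__(self, remote):
        self.remote = remote

    def handoff_redirect(self, session_account_id):
        token = self.remote.issue_token(session_account_id)
        # Only the token reaches the browser; the account id never does.
        return REMOTE_LOGIN_URL + "?" + urlencode({"token": token})


def token_from_redirect(url):
    """What the remote site sees in the browser's follow-up request."""
    return parse_qs(urlparse(url).query)["token"][0]


def run_handoff(account_id):
    """Run the full flow; returns (remote, token, session_id) for inspection."""
    remote = RemoteSite()
    local = LocalSite(remote)
    url = local.handoff_redirect(account_id)   # Location header in the real thing
    token = token_from_redirect(url)           # browser follows the redirect
    session_id = remote.redeem(token)
    return remote, token, session_id


if __name__ == "__main__":
    remote, token, sid = run_handoff("42")   # constructed sample account id
    print("session created for account", remote.sessions[sid])
    print("replaying the same token:", remote.redeem(token))
```

The property the asker wants falls out of the design: the token has no relationship to any account id, so a user who edits it in a proxy can only produce an unknown token and a failed login, never a login as someone else. Two things the sketch leaves to the deployment: the remote site must authenticate the server-to-server request, otherwise anyone who can reach that endpoint can mint a token for any account id, and both hops should be HTTPS so the token cannot be read off the wire during its short lifetime.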

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM