
How do I verify that a post request is from my website?

How do I verify that a post request is from my website and not an attacker?

I currently have a PHP script (in XAMPP) which accepts a POST request containing an email. The PHP script fetches all user information correlating to that email from a phpMyAdmin database, and echoes it for my script to use.

My question is (once I publish the site): how can I authenticate who is sending the email (via POST) to the server, so that anyone who knows a user's email can't just steal their information?

You'll need some kind of authentication mechanism.

If you don't wanna implement an authentication (email + password), you could send an email to this address containing a link which authenticates this email and is valid for a limited time. Clicking on this link would lead the user to his user information.
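The time-limited link described in this answer can be built as an HMAC-signed token that the server verifies before returning any user data. This is an added example, not code from the original post; `LINK_SECRET`, `LINK_TTL`, `b64url`, `make_link_token` and `verify_link_token` are hypothetical names, and the sample address and timestamp are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: a server-side secret loaded from configuration, never sent to the client.
const LINK_SECRET = 'replace-with-random-bytes-from-config';
const LINK_TTL = 900; // link lifetime in seconds (15 minutes)

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build the token mailed to the address: payload "email|expiry" plus an HMAC over it.
function make_link_token(string $email, int $now): string {
    $payload = b64url($email . '|' . ($now + LINK_TTL));
    $mac = b64url(hash_hmac('sha256', $payload, LINK_SECRET, true));
    return $payload . '.' . $mac;
}

// Return the verified e-mail, or null if the token is forged, malformed or expired.
function verify_link_token(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, LINK_SECRET, true));
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    $decoded = base64_decode(strtr($payload, '-_', '+/'), true);
    if ($decoded === false) return null;
    $sep = strrpos($decoded, '|');
    if ($sep === false) return null;
    $email = substr($decoded, 0, $sep);
    $expiry = (int) substr($decoded, $sep + 1);
    return $now <= $expiry ? $email : null;
}

// Constructed sample run with a fixed clock value.
$t0 = 1700000000;
$token = make_link_token('alice@example.com', $t0);
var_dump(verify_link_token($token, $t0 + 60));           // inside the lifetime
var_dump(verify_link_token($token, $t0 + LINK_TTL + 1)); // past the expiry
var_dump(verify_link_token($token . 'x', $t0 + 60));     // altered MAC
```

The lookup endpoint then accepts only the token and uses the e-mail returned by `verify_link_token`, never an address supplied directly in the request. A stateless token like this can be reused until it expires; storing a one-time identifier server-side is needed if the link must work only once.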

Use a CSRF token, something like this:

if (isset($_POST['submit'])) {
    // Constant-time comparison of session token and submitted token
    if (!hash_equals($_SESSION['csrf'], $_POST['csrf'] ?? '')) die();
}

And inside the form:

<input name="csrf" type="hidden" value="<?php echo htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8'); ?>">
