PHP cross-domain form processing security
Question
I have several websites with email sign-up forms. I want to populate a central database on a different server then these websites. I was thinking about setting the action attribute of form to a webservice which is on the central database's server. This webservice could simply save the data into the database. What security solutions can you recommend to avoid hacking/flooding the central server?
One of the solutions would be to check the IP / domain where the data is comming from (my websites) and if it's a different one then block that IP.
What other solutions can you recommend? Captcha would not really work here I think.
2 answers
solution1
2 2012-11-26 10:13:34
If you are going to write a simple webservice, you can just set the action to the current server, and let a PHP script on that server communicate with the central database's webservice. This way, you can do authentication and you don't have any security complications.
solution2
0 2012-11-26 10:12:52
An alternative, more secure, solution would be to have a server-side proxy script running on each website which forwards the form input to your central webservice along with an application secret only known to the proxy and the receiver.
Very simple implementation (untested):
proxy.php
<?php
$secret = '[RANDOMSTRING]'
$webservice = 'https://www.yourhost.com/receiver.php'
$formData = serialize($_POST);
file_get_contents($webservice . '?secret=' . $secret . '&data=' . urlencode($formData));
?>
receiver.php
<?php
if ($_GET['secret'] == '[RANDOMSTRING]') {
$formData = unserialize($_GET['data']);
} else {
// ignore
}
NOTE: As there is only server to server communication involved (harden by using https), the risk of eavesdropping is neglectable.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.