Fake $ _POST via PHP

Question

Fake $ _POST via PHP

Now I'm all funky for safety, so I'm going to make everything as safe as possible. I got a login and I refer to this:

http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/

The first example is the login, and if you say ?authorization=1 , you come in. But if I wrap my code around if($_POST) , then the user MUST make a message. Can a user fake $_POST ? How do I start pretending to be $_POST ?

+4

security http post php

Howdy_mcgee Jul 28 '11 at 18:58

source share

8 answers

Yes, they can.

With cURL and other HTTP clients, anyone can fake this.

Keep track of it

 <form method="post" action="http://yoursite/index.php"> <input type="text" name="authorization" value="1" /><input type="submit"> </form>

Then the user saves it as .html on his computer, opens in his browser. Then submits the form.

+4

Ahmet Alp Balkan Jul 28 '11 at 19:01

source share

Two ways, make a curl request or actually set the post variable on top of php. For instance:

 $_POST['var'] = "WHAT I WANT";

+3

NoviceCoding Jul 28 '11 at 19:02

source share

You can use cURL in PHP for POST like this:

 $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_TIMEOUT, 5); curl_setopt($ch,CURLOPT_POST, 1); curl_exec($ch); curl_close($ch);

+2

DSchultz Jul 28 '11 at 19:03

source share

The superglobal variable $ _POST is populated from the query string, which is contained in the body of the HTTP POST request. Since the user / client is the one who initiates HTTP requests (POST and others) to the HTTP server, then yes - the client can "fake" the values and keys of the $ _POST array. Cm:

+2

Dor Jul 28 '11 at 19:04

source share

This is an old POST, but thought it would add something for future developers.

On any page where HTML is located. Do it first.

 <?php session_start(); /** Generate some random numbers */ $wipit = rand(0,999999999); /** Store the WIPIT Generators value in the SESSSION */ $_SESSION["WIPIT"] = $wipit; ?>

And do it on any page where you are performing a POSTING check and other things.

 <?php session_start(); /** Check for the REQUEST TYPE and SESSION WIPIT */ if( isset( $_SERVER['REQUEST_METHOD']) == "POST" and isset($_SESSION["WIPIT"]) and !empty($_SESSION["WIPIT"]) ){ /* Rest of your code goes here... */ } ?>

0

Navneil naicker May 26 '14 at 4:14

source share

... yes, the user can "fake" the message (whatever that means). Try change data for size.

-1

Chris eberle Jul 28 '11 at 19:01

source share

If your website doesn’t have the problem of not completely screening all the text, this is an XSS weakness that a third-party organization can use by entering a page on the (javascript -) script page that can use AJAX to send email requests with cookies users and privileges, with the least effect being that it can, for example, exit the system.

-1

Adder May 10, '13 at 14:32

source share

Marc b · Accepted Answer · 2011-07-28T19:01:00+0000

A user can simply create a file on his local machine with:

 <form action="http://yoursite.com/login.php" method="post"> <input type="text" name="username" value="hahaha faked it!" /> <input type="text" name="password" value="hee hee you can't tell this is fake" /> <input type="submit"> </form>

and boom, "fake" post. In other words, you should assume that everything the user sends is potentially fake.

Fake $ _POST via PHP

More articles: