Posted by: fudanchii | March 17, 2009

Securing an HTML form

Why do we have to make sure our HTML form is secure? Because we don't want someone doing something silly to our website: forging or replaying submissions from outside our own page (cross-site request forgery), injecting data, or hijacking the form. (A form token does not address cross-site scripting; that needs output escaping.)
Well, I guess there are a lot of methods to prevent those things... and I found mine...
I don't know if someone has already come up with the same method; I didn't do any research on this,
so I won't claim anything about the method, and I hope no one does something as silly as claiming this method as theirs...
Oh, and I think this method is old, not too smart, and might be easy to hack...

So, the problem is:
1. Our server side (PHP) needs to know whether the data posted by the client came from our own form.
2. We don't want the same data flooding our database, so we must make sure the client cannot post it more than once, even by accident (a double click or a browser resubmit).
3. We don't want some silly client to track down the form id and try to hijack it...

And my basic concept is:
Use a form identifier: give every form a random id and keep it in a session variable. On every valid submission, issue another random id, and so on...
The id itself has to be unguessable,
so I'm using md5 and a very, very simple salting method to create a pseudo-random hash.

Proof of concept:
Generating the pseudo-random hash

<?php
session_start(); // the form id lives in the session, so start it first
function form_auth($randomtext) {
    // salt the form name with the clock and md5 it; (double)microtime() keeps only
    // the microsecond fraction (about a million values), so the id is guessable
    $pad = $randomtext.(double)microtime();
    return md5($pad);
}

Using it in our form

//validating form id
if (isset($_POST['au_secret']) && !empty($_SESSION['sessionkey'])
    && $_SESSION['sessionkey'] === $_POST['au_secret']) {
    //form is valid, process data here...
    unset($_SESSION['sessionkey']); //consume the id so a resubmit of the same POST is rejected
}
if (!isset($_SESSION['sessionkey'])) {
    $_SESSION['sessionkey'] = form_auth("adduser"); //generate a fresh form id here
}
echo '..your form here...
<input type="hidden" name="au_secret" id="au_secret" value="'.$_SESSION['sessionkey'].'">
...form continue...';

Give it a try, and just hope no one brute-forces the session key :p
Any suggestions welcome...
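The check above does the job, but the id is md5 of a fixed name plus the microsecond fraction of the clock, so anyone who can estimate when the page was served can enumerate candidates, and `===` stops at the first differing byte. What follows is a hardened variant added here as an editorial example; it is not the post's code. It assumes PHP 7.1 or later (random_bytes(), hash_equals(), nullable types), keeps one token per form name under an assumed $_SESSION['form_tokens'] key, and uses a made-up 15-minute lifetime:

```php
<?php
// Added example, not the original post's code. Assumes PHP 7.1+ for
// random_bytes(), hash_equals() and nullable types. The session layout
// ($_SESSION['form_tokens'][form] => ['tok' => ..., 'exp' => ...]) and the
// 15-minute lifetime are assumptions made for this example.
declare(strict_types=1);

const FORM_TOKEN_TTL = 900; // seconds a token stays valid

// Issue a token for the named form, reusing an unexpired one if present.
// One token per form name, so an id minted for "adduser" is useless on
// any other form (the "track down the form id" problem).
function form_token_issue(array &$session, string $form, int $now): string
{
    $entry = $session['form_tokens'][$form] ?? null;
    if ($entry === null || $entry['exp'] < $now) {
        $session['form_tokens'][$form] = [
            'tok' => bin2hex(random_bytes(32)), // 256 bits from the OS CSPRNG
            'exp' => $now + FORM_TOKEN_TTL,
        ];
    }
    return $session['form_tokens'][$form]['tok'];
}

// Check a submitted token. Returns true at most once per issued token:
// a matching token is removed from the session, so the same POST sent
// twice (double click, browser resubmit, replay) is rejected the second time.
function form_token_consume(array &$session, string $form, ?string $submitted, int $now): bool
{
    $entry = $session['form_tokens'][$form] ?? null;
    if ($entry === null || $submitted === null) {
        return false;
    }
    if ($entry['exp'] < $now) {
        unset($session['form_tokens'][$form]); // stale: drop it, the page re-renders a new one
        return false;
    }
    // Constant-time compare; === would stop at the first differing byte.
    if (!hash_equals($entry['tok'], $submitted)) {
        return false; // a forged guess does not burn the user's real token
    }
    unset($session['form_tokens'][$form]);
    return true;
}

// Hidden field for the form. The token is hex, but escape anyway so the
// helper stays safe if the token format ever changes.
function form_token_field(string $token): string
{
    return '<input type="hidden" name="au_secret" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Wiring it into a page the way the post's snippet does.
session_start();
$now = time();
$accepted = false;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $submitted = $_POST['au_secret'] ?? null; // reject au_secret[]=x style input too
    $accepted = form_token_consume($_SESSION, 'adduser', is_string($submitted) ? $submitted : null, $now);
    if ($accepted) {
        // form is valid: process $_POST here...
    } else {
        // missing, stale, already used or forged token: do not touch the database
    }
}
// Render the form with a token; after an accepted POST this is a fresh one.
echo '<form method="post">'
    . form_token_field(form_token_issue($_SESSION, 'adduser', $now))
    . '...form continue...</form>';
```

Three things differ from the post's snippet: the token comes from the operating system's CSPRNG rather than md5 of the clock, so there is nothing to brute-force within the lifetime of a session; the comparison is constant-time; and the token is consumed only on a successful match, so a forged cross-site POST is rejected without invalidating the token in the legitimate user's open tab, while an accidental double submit still fails the second time.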
