[nycphp-talk] form spoofing
Alvaro P.
apg88zx at gmail.com
Tue May 1 13:33:35 EDT 2007
I had the same problem, I used a random session variable, but they still
got through.
I devised a way of avoiding several types of spam bots with some scripts
I made.
First of all, the form has no action="" when it is loaded, and therefore
the simplest spam bots won't know where to send the information to.
When the form is submitted, javascript validates it, if it is valid, it
generates a random variable with a random number in it, they are related
by a simple mathematical formula I made up.
This variable is sent to a php script using the xmlhttpPost() function.
The php script then checks to see if this variable matches it's criteria.
Once it is checked, it generates the actual form processing script from
a pre-made template and saves it with a random name.
The name of the new form processor is then sent back to the actual form
which then sets the action="" and finally submits the form.
The neat thing about it is that I can set an 'expiration' date on the
randomly named form processors, that way, if the spammer figures out the
name of the file, he can only use it for 30 seconds after it is created.
Old files are deleted when new ones are created.
This is all pretty invisible to the end user, who now doesn't have to
fill out annoying CAPTCHA fields, the only downside is that it requires
javascript.
The form processor can be any php script, it is read by the main script,
and then re-saved with the random name and timeout added at the top.
I have all the files if you want to try it out.
Alvaro
Michael Southwell wrote:
> I thought I was following best practices (
> http://www.nyphp.org/phundamentals/spoofed_submission.php ) in
> creating a comment form for a restaurant client (There is no security
> issue here; the comments are emailed):
>
> I stored a random token in the session:
>
> session_start();
> if ( ! isset( $_SESSION['secret'] ) ) $_SESSION['secret'] = uniqid(
> rand(), TRUE );
>
> I hid that token in the form:
>
> <form action="comments.php" method="post" onSubmit="return
> checkForm(this)">
> <input type="hidden" name="secret" value="<?= $_SESSION['secret'] ?>" />
>
> Upon submission, I checked for the token:
>
> if ( $_POST['secret'] !== $_SESSION['secret'] ) die( 'invalid form
> submission' );
>
> But I still got obvious spoofed submissions, not very many of them,
> and all vapid and often nonsensical (a sample: "I consider that beside
> Your site there is future!"), but still maddening. So I added a
> five-minute timeout:
>
> if ( ! isset( $_SESSION['timeout'] ) ) {
> $timeout = time() + 5 * 60;
> $_SESSION['timeout'] = $timeout;
> }
>
> and checked for that as well:
>
> $now = time();
> if ( $_POST['secret'] !== $_SESSION['secret'] || $now >
> $_SESSION['timeout'] ) die( 'invalid form submission' );
>
> But this hasn't helped much; I still get a few of them, though I can't
> figure out how they can be generated. Any advice?
>
>
> Michael Southwell, Vice President for Education
> New York PHP
> http://www.nyphp.com/training - In-depth PHP Training Courses
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
More information about the talk
mailing list