Tokens in PHP- FAO Rob

Bes (Soldato; joined 18 Oct 2002; 7,318 posts; Melbourne)
Rob's security guide has this code for tokens:

Code:
<?php

session_start();

if( !empty($_POST['post_id']) ) {
    // Only moderators may delete posts ($user and delete_post() are
    // assumed to be provided by the surrounding application).
    if( !$user->is_a_moderator )
        die;
    // The submitted token must equal the one stored in this user's session.
    // Strict (!==) comparison avoids PHP's loose string/number coercion.
    if( empty($_POST['token']) || empty($_SESSION['token']) || $_POST['token'] !== $_SESSION['token'] )
        die;

    // All fine: delete the post.
    delete_post( intval($_POST['post_id']) );

    // Unset the token, so that it cannot be used again.
    unset($_SESSION['token']);
}

// Generate a fresh token for the form about to be rendered and remember it
// in this session, so only a form this server produced for this user passes
// the check above.
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

?>

<form method="post">

<p>Post ID to delete:</p>
<p><input type="text" name="post_id" /></p>

<input type="hidden" name="token" value="<?php echo $token; ?>" />

<p><input type="submit" value="Delete" /></p>

</form>

What stops a 'baddie' from simply viewing the HTML code before submitting their 'fake' form and creating a form field based on the contents of the hidden token field?

Thanks
 
OK, but that is easy: all I need to do is load the form, get hold of the token, then plug that into my own form and submit it. Because the session was generated by PHP on the server and I am sending the same key (which I can see by viewing the page source) that is held in the session, I can't see that this provides much security at all if one is determined.
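The objection in the two posts above assumes the token the attacker reads from the page source is the one the server will check. It is not: the token is stored in the session of whoever loaded the form, and PHP selects that session by the browser's cookie. An attacker viewing the source sees the token issued to his own session. A forged form on another site can make a victim's browser POST to this handler, but the same-origin policy stops that site from reading the response to any request it makes to yours, so the attacker never learns the token in the victim's copy of the page, and the value he submits is checked against the victim's session and fails. The script below is an added example, not code from Rob's guide or the original posts: it runs the guide's check against two simulated sessions from the command line. Session storage is modelled as arrays, the function names are this example's own, and random_bytes() is used for the token where the guide uses md5(uniqid(rand(), true)).

```php
<?php
// Added example, not code from Rob's guide: the guide's token check run
// against two simulated PHP sessions, showing why a token copied from the
// attacker's own copy of the page does not pass in the victim's session.
// Sessions are plain arrays so this runs from the CLI with no cookies;
// issue_token() and token_valid() are names chosen for this example.

declare(strict_types=1);

// Put a fresh token in the given session and return it, as the guide does
// before rendering the form. random_bytes() is unpredictable by construction.
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(32));
    return $session['token'];
}

// The guide's validation: the submitted token must equal the one stored in
// *this* session, and it is consumed on success so it cannot be replayed.
// hash_equals() compares strings strictly and in constant time, avoiding the
// loose-comparison pitfalls of "!=" on numeric-looking strings.
function token_valid(array &$session, array $post): bool
{
    if (empty($session['token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    if (!hash_equals($session['token'], $post['token'])) {
        return false;
    }
    unset($session['token']);
    return true;
}

// PHP keys sessions by the browser's cookie, so the victim and the attacker
// each have their own. Loading the form gives each of them their own token.
$victimSession   = [];
$attackerSession = [];
$victimToken     = issue_token($victimSession);
$attackerToken   = issue_token($attackerSession);

// Case 1: the attacker reads the token out of his own page source and puts it
// in a forged form that the victim's browser submits. The victim's cookie
// selects the victim's session, so the attacker's token is checked against a
// value the attacker has never seen, and the delete is refused.
$forged = ['post_id' => '42', 'token' => $attackerToken];
printf("forged form carrying attacker's token: %s\n",
    token_valid($victimSession, $forged) ? 'accepted' : 'rejected');

// Case 2: the victim submits the form the server actually rendered for him.
$genuine = ['post_id' => '42', 'token' => $victimToken];
printf("victim's own form:                     %s\n",
    token_valid($victimSession, $genuine) ? 'accepted' : 'rejected');

// Case 3: the page is rendered again and a fresh token is issued, as the guide
// does on every load, then the old token is submitted a second time. It was
// unset on first use, so even a captured genuine token only works once.
issue_token($victimSession);
printf("replay of the already-used token:      %s\n",
    token_valid($victimSession, $genuine) ? 'accepted' : 'rejected');
```

What the token does not do: it cannot stop a logged-in user from submitting whatever values he likes from his own session, since he holds a valid token, and it falls if script injected into your own site (XSS) can read the page. It is a defence against other sites driving your users' browsers, nothing more.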
 
OK, so what is to stop a user from making their own form, substituting a radio button for a text field, and sending "Badcode" to my form when the options I have allowed are "blue" and "red"? Is the only way to sanitize everything and hope for the best, or can I actively stop submissions from forms that are not on my site?
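On the question above: a server cannot tell which form produced a POST. The request is just a set of name/value pairs sent by the client; the Referer and Origin headers are supplied by the client too, can be absent, and are whatever a client under the attacker's control chooses to send. The session token keeps other sites from submitting forms on behalf of your users; it does nothing to keep a user from editing the values in his own copy of your form. Radio buttons, select lists and hidden fields only constrain what a stock browser sends, so every field has to be checked on the server against the values you actually offered. The script below is an added example, not from the original thread or Rob's guide, showing that whitelist check run over constructed submissions; the function and constant names are this example's own.

```php
<?php
// Added example, not from the original thread: server-side whitelist
// validation of a field that the form presented as two radio buttons.
// Every value in $_POST is untrusted text regardless of the control type.

declare(strict_types=1);

// The only values the form offered; nothing else is acceptable.
const ALLOWED_COLOURS = ['blue', 'red'];

// Return the validated colour, or null if the value is not one we offered.
// in_array() with strict=true avoids loose-comparison surprises (before
// PHP 8, 0 == "blue" was true) and the is_string() check rejects input such
// as colour[]=blue, which PHP delivers as an array rather than a string.
function validate_colour($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    return in_array($value, ALLOWED_COLOURS, true) ? $value : null;
}

// Constructed submissions standing in for $_POST from different forms:
// the genuine radio button, a hand-built text field, and some edge cases.
$submissions = [
    'radio button from our own form' => ['colour' => 'blue'],
    'hand-built form, text field'    => ['colour' => 'Badcode'],
    'case variant'                   => ['colour' => 'Blue'],
    'array injection colour[]=blue'  => ['colour' => ['blue']],
    'field omitted entirely'         => [],
];

foreach ($submissions as $label => $post) {
    $colour = validate_colour($post['colour'] ?? null);
    printf("%-32s -> %s\n", $label, $colour === null ? 'rejected' : "accepted ({$colour})");
}
```

Apply the same pattern to every field: integers through intval() or ctype_digit(), free text through length limits and output escaping, and anything with a fixed set of choices through a strict whitelist like the one above. Sanitising "and hoping for the best" is what you are left with only when a field has no definable set of valid values.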
 