0

How do I ensure that an attacker or spammer does not attempt to send data from an http://localhost computer? I am developing a Flex/Flash application which would then submit the data to PHP. I know they have the ability to decompile ActionScript; would the HTTP_REFERER help?

5 Answers

1

Not all browsers supply HTTP_REFERER and it can easily be spoofed, so it will not secure your form.

The best thing you can do, and really the only thing you can do, is to make sure that your PHP code does not trust any input. You should check that any values submitted to your form are within an acceptable range of values, double check login information if appropriate, etc.

If you're worried about bots, use reCAPTCHA or limit the number of submissions for any IP address to 3 a minute (as an example - choose an appropriate speed for your situation).

In short: you can NEVER be certain where a form submission originated. You must be prepared to deal with submissions from attackers.

1 Comment

If you did all that, what are you worried about? What kind of attack do you think you might be vulnerable to?
0

You could use the referrer, but even that could be spoofed. If it were me, I would sha1() some random string or something in your Flash and pass that with your form; then you could sha1() on the PHP side and check them.

Perhaps you could even make it something dynamic, like

sha1(date('Y-m-d')."MySaltPhrase");

4 Comments

If someone decompiles the Flash, can it still be spoofed?
Yes, it can be found. A valid value can also be found by looking at the network traffic. In this example, a spammer would need to submit the form once manually to find the magic key, and then could use that key for the rest of the day in their script.
Yes, well you could replace it with something more dynamic as I mentioned, if you wrote a custom algorithm or something. But you would need the same in both Flash and PHP. Then you could change the key on each submit :)
I suppose if anything you could use PGP encryption and then decrypt stuff in PHP using your private key.
0

parse_url() combined with string manipulation should work. Try this:

// Guard against a missing Referer header (not all clients send one) and a
// referer parse_url() cannot parse, so $url['host'] is never read blindly.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$url = parse_url($referer);
$host = isset($url['host'])
    ? implode('.', array_slice(explode('.', $url['host']), -2))
    : '';

if (strtolower($host) == 'google.com') {
    // code......
}

2 Comments

HTTP_REFERER can be set manually, so your solution is not watertight.
@Deefjuh: Then? What is your solution?
0

Use a CAPTCHA for verification. You can't tell whether the source or referrer is localhost or a public IP address when a form is submitted; the localhost you'll see is your own.

0

The answer is simple - you cannot.
Because every form is actually sent from the user's local computer. That's an HTML thing, and you'd better understand that; it will save you a ton of time.

In general you don't need any protection at all, but for some particular cases the protection tactics will be different:

  • to prevent spam, use a CAPTCHA
  • to prevent CSRF, use a unique token, stored both in the session and in the form's hidden field
  • add your own particular task here to get a particular protection method. What attack do you want to defend against?

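A concrete form of the CSRF-token bullet in the last answer, added here as an illustration and not code from any of the answers: the token lives in the PHP session and in a hidden field (a Flex client would receive the same value, e.g. as a flashvar, and post it with its data), and the server compares it in constant time. It assumes PHP 7.0 or later (random_bytes, hash_equals); the function names csrf_token and csrf_validate are this example's own.

```php
<?php
// Added example, not code from any answer on this page. PHP >= 7.0 assumed
// (random_bytes, hash_equals). Function names are this example's own.
session_start();

// Issue one token per session: 32 CSPRNG bytes, hex-encoded for the form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time compare of the submitted token with the session copy.
// A missing or non-string field fails closed; it is never treated as a match.
function csrf_validate(array $post, array $session): bool
{
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Missing or invalid form token.');
    }
    // Token matched: the input is still untrusted, so range-check every field.
    $comment = trim((string) ($_POST['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 2000) {
        http_response_code(400);
        exit('Comment must be 1 to 2000 bytes.');
    }
    echo 'Accepted.';
    exit;
}
// GET: render the form with the token in a hidden field. A Flex client can
// receive the same token as a flashvar and post it alongside its data.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}">
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
</form>
HTML;
```

Unlike the sha1(date(...)) key from the second answer, this token is unpredictable and bound to one session, so a value captured from one client does not let a script post on behalf of another.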