Remote form submission is way of submitting HTML forms from local to a particular remote server. This is used by many advertisers, spammers or even hackers to submit bad data to other websites in order to get what they want. They can write some automation scripts to help them do spamming.
How can people do remote form submission and how to prevent this kind of attacks?
Since a website can be accessed by almost every one, so one can save a local copy of a HTML form of a website through File->Save as on the browser. Then they only need to modify the action attribute of the form, instead of the relative path such as register.php, they can use http://wwww.site.com/register.php(If this is the registration page on the website), and next they can do any other changes to the form to submit the data they want. Finally they click the Submit button and these data will be submitted to http://www.site.com. This completes the remote form submission.
To prevent this kind of submission, we can check $_SERVER["HTTP_REFERER"] to see whether the request is from the original server. This method can block most of the malicious submissions. However, for some smart hackers, they can modify the request header and fake the referrer information so that the server will think it's from itself.
The better solution is generating a token using an unique string or timestamp and sending the token to the client. After the form is submitted, the server will check whether the token on the server is the same as the token from client. If it's the same, it means the request is from original server, otherwise, it will stop processing the form submission request.
For example:
<?php
session_start();
if ($_POST['submit'] == "go"){
//check token
if ($_POST['token'] == $_SESSION['token']){
//strip_tags
$name = strip_tags($_POST['name']);
$name = substr($name,0,40);
//clean out any potential hexadecimal characters
$name = cleanHex($name);
//continue processing....
}else{
//stop all processing! remote form posting attempt!
}
}
$token = md5(uniqid(rand(), true));
$_SESSION['token']= $token;
function cleanHex($input){
$clean = preg_replace("![\][xX]([A-Fa-f0-9]{1,3})!", "",$input);
return $clean;
}
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p><label for="name">Name</label>
<input type="text" name="name" id="name" size="20" maxlength="40"/></p>
<input type="hidden" name="token" value="<?php echo $token;?>"/>
<p><input type="submit" name="submit" value="go"/></p>
</form>
This solution is feasible because PHP session cannot be transferred between servers, even someone gets your source code, the session data will not be transferred.
