How to prevent POST from outside the server?

4

I'm creating an application and I don't want some smart guy to get the idea of changing the action path of an HTML POST form to send whatever values he wants, so I used this method in PHP:

    $referral = $_SERVER['HTTP_REFERER'] ?? '';   // request header sent by the client
    $origin = "https://google.com.br";
    $origin2 = "https://sitepermitido.com/arquivodeorigem.php";
    $refervalid = 0;
    // Test whether the form was submitted from the original page
    if ($referral == $origin2) $refervalid = 1;
    if (!$refervalid) {
        // data sent from an external server?
        echo "Access denied";
        exit;
    }

But I've seen a lot of people saying that this is unsafe, that someone can simply "simulate" a Referer with curl or something. Then I saw a guy on the net suggesting .htaccess, like this:

# Note: <Directory> sections are only valid in the main server configuration
# (httpd.conf); placing one inside .htaccess is what produces the error 500.
<Directory /home/sportfacil/public_html/pastadaaplicação>
   Options Indexes FollowSymLinks
   AllowOverride All
   Order deny,allow

   Deny from all
   Allow from 127.0.0.1
   Allow from localhost
   Allow from ::1
</Directory>

But this returns error 500. I tried several other methods in .htaccess, but it ends up blocking everything; even the internal page can't submit the form.

Is there any more effective way to block an external POST?

asked by anonymous 12.04.2015 / 10:12

2 answers

4

At least it was funny to see the kind of nonsense people post on the internet. When you copy something like that, cite the source.

This code blocks your internal access, not anyone else's. You are localhost, not the external user. No external user talks to you as localhost; if they did, everyone would be localhost and there would be no way to tell users apart.

Forget it; you have no control over what others do on their computers. Any attempt to protect yourself from something external will only cause more confusion. The only safety you can provide is to correctly validate everything that comes from outside. This depends on each case, but you cannot validate intent, only the data received.

There is no effective way to prevent the user from sending whatever data he wants; what is effective is to ensure that every aspect of the data received conforms to what you expect.

You cannot know where the information comes from; it can always be disguised. Even the IP can be faked, if whoever does it does not care about receiving a response from your server.

I recommend you remove the "security" you use today. It is better than the other attempt because it at least tries to validate the information, but it is creating a problem that you do not see: you are blocking some legitimate access. When writing software it is more important to test what does not work. Testing is difficult because you do not always know everything that needs to be tested. By analogy, in this case you are trying to find out whether the person's name is spelled correctly. It is impossible to know; it is the person's problem to know what is correct, not yours.

It strikes me that even here everyone, including me, presents simplified, naive solutions without extensive testing, which the people who wrote them, if they are aware of it, would probably not use without a deeper analysis; but whoever reads them goes off and uses them as if the solution were perfect.

Programming is difficult; there are many variables that need to be analyzed, and without understanding the whole problem down to its foundations, especially in security, things will go wrong.

Today there are campaigns to bring new programmers into the industry. They have two objectives: 1) to create consumers for programming tools, no matter what the results are, since wrong programming also makes the industry move; 2) to find quality in quantity, since there is hope that the new programmers will try to understand the fundamentals and all the aspects needed.

So question everything you read on the internet, even what you read here. Here we have people validating the answers, but it is common for people to have little critical sense, and this validation does not always happen as it should. People tend to want to please more than to do the right thing, and everyone gets hurt by it. We can call this professional populism: they want to create an appearance of being helpful.

This is still the place most likely to give you a more consistent answer and help you develop, but I still recommend studying the protocols, using a packet analyzer to see how the data travels, and trying to forge the data in every way you can. This cannot be done for you. Whenever you find a problem and do not know how to solve it, look for reliable and verifiable sources (plural).

12.04.2015 / 14:57
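As an added illustration of the point this answer makes (validate the data, not its origin), here is example code that is not part of the original question or answers. It replaces the Referer check with a server-side validation of a hypothetical order form; the field names, the allowed product list and the sample inputs are all assumptions constructed for the example.

```php
<?php
// Added example, not code from the original post. The form fields
// (product, quantity, email) and the product list are assumptions.
declare(strict_types=1);

const ALLOWED_FIELDS   = ['product', 'quantity', 'email'];
const ALLOWED_PRODUCTS = ['shirt', 'shorts', 'socks'];

/**
 * Validate a submitted form. Returns an array of error messages;
 * an empty array means every field is acceptable.
 * Only the data is inspected: where the request came from (Referer,
 * IP, User-Agent) is all client-controlled and proves nothing.
 */
function validateOrder(array $post): array
{
    $errors = [];

    // Unknown fields are rejected outright: the client does not get to
    // add parameters (e.g. a "price" or "admin" flag) the form never had.
    foreach (array_keys($post) as $field) {
        if (!in_array($field, ALLOWED_FIELDS, true)) {
            $errors[] = "$field: unexpected field";
        }
    }

    // Product: must be a string from a fixed allow-list, compared strictly,
    // so neither "shirt' OR 1=1" nor an array value (product[]=x) passes.
    $product = $post['product'] ?? null;
    if (!is_string($product) || !in_array($product, ALLOWED_PRODUCTS, true)) {
        $errors[] = 'product: not an allowed value';
    }

    // Quantity: an integer in a sane range. FILTER_VALIDATE_INT rejects
    // "10abc", "1e3", whitespace and array values; the range option
    // rejects 0, negatives and absurdly large orders.
    $quantity = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($quantity === false) {
        $errors[] = 'quantity: must be an integer between 1 and 100';
    }

    // Email: syntactic check only; it says nothing about who sent it.
    $email = $post['email'] ?? null;
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    return $errors;
}

// Constructed inputs standing in for $_POST (not real traffic).
$legit  = ['product' => 'shirt', 'quantity' => '2', 'email' => 'ana@example.com'];
$forged = ['product' => "shirt' OR 1=1", 'quantity' => '-5',
           'email' => 'x', 'price' => '0.01'];

foreach (['legit' => $legit, 'forged' => $forged] as $name => $input) {
    $errors = validateOrder($input);
    echo "$name: ", $errors ? implode('; ', $errors) : 'accepted', "\n";
}

// In the real handler: refuse the request on any error and then work
// only with the validated values, never with the raw $_POST array.
if ($errors = validateOrder($_POST ?? [])) {
    http_response_code(400);
}
```

The Referer check in the question fails because the header is chosen by the client; `curl -e https://sitepermitido.com/arquivodeorigem.php ...` sets it to whatever the attacker wants. The validation above does not care about the header at all: a request with acceptable values is processed whatever its origin, and a request with bad values is refused even when it comes from the real form.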
1

But is the form data sent to your own server or to a third-party server? If it is to your own server, I think what you can do is establish rules for the accepted values when you receive the data on the server and return an error if the data does not fit the rules. If it is to a third-party server, you would have to see whether you could not send it to your server first and then forward it to the destination server (with validation, as the colleague above said).

12.04.2015 / 15:39