Thanks for another wonderful tuts!

Another great article from nettuts!

I’m so much addicted to your site Jeff, your site is great. hope someday theres a smarty tutorial here. thanks

great tutorial, really awesome and helpful

“This website will be able to send POST data to your website — for example, with AJAX” – how, exactly? I’m pretty sure the same-domain-policy would forbid this.

This is so great to see so much about php security here! People talk about how “easy” php is to learn, but many fail to focus on securing their site properly. There can not be too many articles on this IMO. Nice job Wouter.

A great post to increase my form security. I think its interesting because I have recently been examining my security processes.

Thank you for an explanation of a nice clean way to handle this. Very helpful.

I can’t understand where is the security point, sorry.
Why attackers couldn’t read generated HTML code for form, copy the key value, and send it from another server with all the other variables on a POST?

I always have “No errors” message, even if I refresh the site :/

Awesome Tutorial! Would be great to get more tutorials on Secuirty!

This is great stuff for a php newbie like me. Very much appreciated.
cheers

Awesome post Jeff. This will come in handy one day.

One question I have though, does anyone know if Wordpress is using some kind of secure form publishing technique for their log-in forms? I would think that they are, but can’t seem to find where it would be doing it at. Thanks for the heads up in advance!

great tutorial…

one small typo – in the Full Code section you have fomrkey.class.php – it should be formkey.class.php

Again… GREAT STUFF… look forward to your future posts

This is a great write up. Thanks. It’s going to be a great help with some of the projects I’m currently working on.

Great post, but one warning. You’ll run into problems if you use a user’s ip address to uniquely identify them. When a user’s request originates behind a corporate proxy or a proxy farm, their ip address is sure to change between requests (thus their token).

This technique is fine for simple forms, but if you were to roll this out into a large registration system, you’d be hitting your head against the wall trying to find out why 5% of your user’s cannot use your application.

Great tutorial Wouter! ( Goede tutorial! )

Thank you! i enjoy this one

Thanks for your great responses!

@James
“This website will be able to send POST data to your website — for example, with AJAX”

It is possible if you use iframes and send POST data with AJAX to the iframe. (I read an article about it, not tested it myself)

Nice!!! Thank u!! Great Stuff

Good tutorial on defending against some cross site request forgery (CSRF) attacks. Chris Shifflet wrote about this back in 2004 here: http://shiflett.org/articles/cross-site-request-forgeries

For the “form key” – aka “nonce” or “number used once” – a random string works just as well as anything else you can hash (hash, not encrypt!) together with md5(). The important points are that the value is unique and non-predictable.

You should also consider checking IP address and user agent strings to see if they have changed from previous requests. This isn’t foolproof as these values can change anyway, but taken together they can mark a request as “suspicious” and prompt a graduated response from your application if the form is sensitive. For example, you can re-ask for the user’s password or CAPTCHA.

Great tuts, your post is very interesting I think I should use your method in my on going project security in e-commerce websites is the most important thing.

Thanks!

Well, you say it is ‘not wanted’ being able to post from other sites with functions like curl, but if you just have good validations and filtering on all the values, what can go wrong then?

Can’t seem to edit my last post.

But even with this method you can’t be secure from ‘posting from another script’. Because you could get all the values needed via Zend_Http_Client, read that out, and repost those (and own) values via Zend_Http_Client back, and your script wouldn’t know the difference.

The result is NOT a valid XHTML !
Its just wrong.

Nice tutorial now all we need is to extend the class to eiminate non-human form fillers! We get lots of bots and other than adding a capatcha type test it’s tough to avoid automated form submissions.

Great tip, alot of frameworks do this for your like, Rails or Django. Not sure in the PHP world.

Great tutorial, easy to understand and not so much code.
I don’t have so much knowledge on security issues but these seems inspiring
Thanks

Well written tutorial Wouter. Easy to follow.

Nice work, this is very helpful.

One thing I noticed is that:

if($_SERVER['REQUEST_METHOD'] == ‘post’) {

needs to be:

if($_SERVER['REQUEST_METHOD'] == ‘POST’) {

This may be our server setup or a genic thing i’m not sure as I user
‘ method=”post” ‘ in my form tag

Already do it. Thanks, keeping going!

Great tutorial! A short question.. would this solution work with two (protected) forms on the same page?

For years I have used ASP. Over the past few months of reading Nettuts, I think I’m finding PHP to be much easier and more available code and information. Is there more information and users coding with PHP, over ASP and others?

Thanks

I thought the tutorial was well written and easy to follow. Good use of OO concepts and a very great security layer to implement.

This article is nice and really shows what popular CMS do nowadys to secure their forms.
But in fact this measure of security is just to protect your form against real cheapstakes.
You can’t kill a real cURL form spoofer with this one, cause cURL is capable of sending and parsing cookies.
Infact you have two do 2 requests with cURL, but if you really want to do this it is not much of a problem.

A better way would be using captures or generate the form-key via Ajax and put it in the value field.
cURL is not capable of rendering JS, so if mystify your JS code so much that is is to hard to read no one will be willing to hijack the form.

This method actually helps you against CSRF, but I dont get the point how it helps against XSS flaws. By the way: If your site has XSS holes you dont need to secure you against CSRF, because then these protections are pretty pointless because you could grab the generated hash via javascript

Useful info.

Very nice tutorial.

I think it would be nice to have a series of tutorials showing the basics of how certain exploits work, and how to counter them. Just a thought.

I have found that with a single key preserved for verification of the key held in the form is not enough in the event of a redirect, where you submit a form and redirect to a new page and you still require to validate a key.

In such a situ your key won’t validate, so what I do is to keep the last three generated keys in an array instead, and compare a key coming in from a form submission, against those three held in the array.

This works better and it doesn’t impede any security measures.

> because you could grab the generated hash via javascript

Doesn’t matter, and that is the point really…

No matter what you do with it on the client side, if it ain’t on the server side your goose is well cooked; this approach is basically to prevent a) automated machines taking advantage, and b) to prevent a previously saved page on someone’s desktop being used instead of the live page, for two examples.

If you are going to make a wide, sweeping statement such as this, at least know a bit more about what you are talking about aye?

I can see problems with tabbed browsing: imagine a user needs to use a form (not a login form obviously) multiple times and opens it in multiple tabs.
Only the last form will be submitted successfully, and only if the user submits it first.

So you are assuming here that the user will use your site the way you intended, which is not that realistic.

Solutions:
* Store last N keys instead of just 1
* Encrypt the request time + a session specific value and use that value as a key. On submit, decrypt the key and check the difference between request time and current time.

Hi

May I know how different is this approach from the captcha?

with captcha the generate code / key is checked with the user input. Here instead of the user input, we have it in the hidden element.

Please correct if I’m wrong.

I don’t see why you should make a class for this? The workhorses of the code are the formfield and the session key/value pair. So all you have to do is create the formkey, add it to the session and a hidden input field.

Most of the class code just restricts developers.

Usually I don’t comment, but this is a really wonderful high quality tut. Wonderful job! More php tuts about security would be wonderful.

This is an excellent turtorial, perhaps one of the most pertinent I have read on form security. Thank you!

Hey Thomas Milburn and K.N, why do you write a better tutorial on security since you guys seems to be very knowledgeable.

This tutorial covers the basic security concerns for newbies but you keep bashing on the author, i mean everybody has the right to raise their opinions but at least be cool enough to provide better information if you feel that this tutorial is missing something, just my 2 cents.

Cool tutorial by the way.

synchronized token pattern. i love this site. thank you

Look at this form http://www.romancortes.com/contact/ I just love it, this is Roman Cortes the ‘Homer CSS’ Author

Good

Good tutorial . That’s an easy way that I’ve already used in two projects to not use captcha’s.

Hi I want to see a scrrencasts of how to create a login form using facebox?

Why did you use visibility scopes for all functions except the constructor?

Simply awesome! thank you v. much!

I was looking for something like this the other day! Glad I found it!!!

- Greg

Terrible captcha, so hackable. How about a tutorial on how to implement a re-captcha? Or at least something isn’t just unobfacusated text on a plain background.

Nice! Thank you. Gonna use it in my control panel.

I still don’t get a idea, why a hacker could not read the HTML source which already has your generated unique key and then submit it with all other form values?

Just curious not convinced!

Is the aim to make sure that the POST data is coming from your site and not from some script on another server?

This method also could apply to making images also enforced to your site only and deny hotlinking BUT…..

Wouldn’t also a Captcha prevent massive submits?

Additionally, maybe I missed it but since you output a “hidden” field with the value in it, would I not be able to use CURL get the form from you site, read in the hidden value, and re submit?

Again I think a good captcha would be 1000 x more effective.

As someone said numerous times before here, use recaptcha or something similar. This method here is more work and not safer.

I like the tutorial, great job! As a fellow dutch programmer I think its great to see some good php tutorials from the Netherlands!

One thing I’d like to comment on is leaving action empty. Certain browsers (including Google’s chrome) use the base href or domain name as action address when you do not provide one. This can cause you to miss out on important business leads at a contact form for example.

Keep up the good work!

I’ll be implementing this from now, it makes me feel stupid not knowing about if beforehand though, haha.

Good tut but using plain md5 is considered vulnerable these days. Recommendations are using sha256 or combination of hash algorithms(md5+hmac) instead.

There is an error
index.php, 12 line
if($_SERVER['REQUEST_METHOD'] == ‘post’)

it must be
if($_SERVER['REQUEST_METHOD'] == ‘POST’)

Thanks very helpgiuful article…

This is not good for XSS or CSRF, since i can view the html in the broswer create the same page and submit it or use telnet.

here is what u need to know http://phpsec.org/projects/guide/

The corner stone of web security is filtering all user input u get from the user especially when your client is interacting with a database database or you allow your client to post links which other users can click on.

a quick note:

(Problem – Counter measure)

Spoofed Form Submissions/XSS/CSRF/Spoofed HTTP Requests – 1. Filter data from users (using regular expression, htmlentities, etc).

Exposed Access Credentials – 1. use .htaccess files if you are not using a dedicated server other wise edit your php.ini file to allow/deny access to intended folders

SQL Injection – 1. prepared SQL statements 2. mysql_real_escape_string() function 3. filter data from form thus data that will be placed in SQL statements)

Session Hijacking/Session Fixation – 1. disable PHPSESSID in URLs 2. regenerate session id when user access level changes (after logging into website)

quick note:

1. If you are saving a session id it should also be placed in a database preferably.

2. When storing a user table for logging into web apps password hashing should be used rather than having plain-text passwords exposed.

http://phpsec.org/articles/2005/password-hashing.html

In step 2, you briefly mention that a singlton form key would be the best thing to do since each page can have only one key. That isn’t a singleton at all. If one would turn that class into a true singleton, you would never be able to generate more than 1 form key. So every form would have to use the same key. If you want to be able to have a different key per page/form you would be better with some sort od factory class that would be responsible for handing out the right key to the right page/form as well as lifetime managent. You would probably want keys that have been issued to expire with sessions or possibly time intervals.

Just some thoughts anyway.

Really nice tutorial!

hmm, im wondering if this helps…

if you can post data via ajax, you can also get data via ajax.
if you get the form via ajax then you have the formKey and you can do a post with this formKey… in my opinion this only helps to prevent simple XSS attacks, but if someone wants to – he can..

Thanks man, that’s so helpful, right now I’m working in a website and it’s neccessary to improve the security. That helps a lot and I liked the tutorial, keep on so…

I learn from the tutorials and the comments. Keep those criticism coming. This is the wild wild web.

About more PHP security check this website: http://shiflett.org/articles
Articles there are amazing

I used Zend Captcha and Zend Session in securing all my forms. Zend Captcha generates an alphanumeric string, I put the value in a session captcha using Zend Session and put the the value in a hidden captcha field in all my forms.

Once the form is submitted, I validate the hidden POST captcha by comparing it to the captcha session value. If match I process the transaction, if not I put an error message. Once this validation is done, I destroyed the session captcha and generate a new one. In this way the hidden captcha value cannot be used again.

great tuts..
& great comments too!
good job Wouter!

thanks. very good tutorial.

this is really helpful. thanks for sharing.

Excellent tutorial for creating secure php forms, Thanks for sharing.

Nice tutorials

thanks, I’ve learned something new.

if($_POST['form_key'] == $this->old_formKey)

If both the session and post variable are empty, they’re also equal. So if you’re attacking the form you simply omit the post variable.

How can I get it in PDF

How can I get the lattest version of PHP Tutorial in PDF

The improved solution is to generate field key name (i.e not only hidden field value but hidden field name) also and holds it in the session.

Congratulation and thanks for sharing