Forms on Multiple Domains Submit to Same PHP Process Page

  • devilwood
  • Silver Member
  • Posts: 436

Post 3+ Months Ago

We have a small form on several of our sites. All of our sites are on the same private server. I want all the forms to start using the same PHP script to process the POST variables, but I'm not sure of the best way to set it up.

Do I just pick one of the sites to host the php script? Like www.site1.com/process.php. For instance, my form on www.site2.com/form will have action="http://www.site1.com/process.php"?

Or is there a better way to host the process script for each form with them all on the same server?

Lastly, what's the best way to ensure the POST is coming from my server? I read HTTP_REFERER is unreliable. So, in process.php, what should I check for? There seem to be several methods for this type of security.

  • Bigwebmaster
  • Site Admin
  • Posts: 9089
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

I am gathering that the reason you want to use a single script is so that you can update and maintain one script versus having to keep each one updated on each website. If I am wrong please let me know. If that is the case you could simply pick a site and use it there. Another idea is that you could put the script in a single spot on your server and symlink to that script from all of your websites' directories where you would want it, so that they each would be using the script, yet you can just configure and update it once wherever it is really located.

As far as ensuring the POST is coming from your server or one of your sites, there is no way you can 100% ensure that, but there are many things you can do to help. The first you already mentioned, and that is the HTTP_REFERER variable. It is unreliable, but you can still use it to cut down on some of the traffic that does show it loading from another site that is not authorized by you. If you think another website might try to link to that script directly, another thing you can do is create a hidden field in your form that holds an md5 value of a secret salt stored in your database combined with another dynamic value such as the user's IP address or session id. Then when the request comes through you can use this hidden variable to match against their IP address to make sure the same IP address that loaded the form is the one that is submitting it. This prevents another website from submitting a form through your website because there is no way they could guess your hidden variable, unless the external website loaded your form, extracted the hidden variable and then submitted the form themselves, since they would have to use their IP and not the user's. So it does prevent users from submitting your forms from an external website not run by you.
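The hidden-field scheme described in the reply above, written out as an added PHP example (not code from the thread or from the poster). It swaps the bare md5 of salt+IP for an HMAC-SHA256 keyed with the secret and compares with hash_equals so the comparison is constant-time; FORM_SECRET is a placeholder that is assumed to be loaded from configuration or the database, and form_token / form_token_is_valid are names chosen for this example.

```php
<?php
// Added example: a hidden form token bound to the client's IP address.
// Rendered into the form on any of the sites, verified by the shared process.php.
declare(strict_types=1);

// Placeholder only: assumed to be loaded from config or the DB, never sent to the browser.
const FORM_SECRET = 'replace-with-a-long-random-secret';

// Build the hidden token when rendering the form.
// Keyed hash of the client IP: an outside site cannot compute it without the secret.
function form_token(string $clientIp, string $secret = FORM_SECRET): string
{
    return hash_hmac('sha256', $clientIp, $secret);
}

// Verify in process.php: recompute from the IP that is now submitting and compare
// in constant time, so a token copied from a different client does not match.
function form_token_is_valid(string $token, string $clientIp, string $secret = FORM_SECRET): bool
{
    return hash_equals(form_token($clientIp, $secret), $token);
}

// --- on each site's form page (e.g. www.site2.com/form) ---
// $ip = $_SERVER['REMOTE_ADDR'];
// echo '<input type="hidden" name="token" value="'
//     . htmlspecialchars(form_token($ip), ENT_QUOTES, 'UTF-8') . '">';

// --- at the top of process.php on www.site1.com, before touching the DB ---
// if (!isset($_POST['token'])
//     || !form_token_is_valid((string) $_POST['token'], $_SERVER['REMOTE_ADDR'])) {
//     http_response_code(403);
//     exit('Form token mismatch');
// }

// CLI self-check with constructed IPs (documentation ranges, not real clients).
if (PHP_SAPI === 'cli') {
    $ip    = '203.0.113.7';
    $token = form_token($ip);
    var_dump(form_token_is_valid($token, $ip));            // same client submits
    var_dump(form_token_is_valid($token, '198.51.100.9')); // token replayed from elsewhere
}
```

Because the forms on site2 post to a script on site1, every site that renders the form must share the same FORM_SECRET with process.php, and the IP variant is the one that works across domains: a PHP session id set on site2 is not visible to a script served from site1. Clients behind carrier NAT or a proxy whose IP changes between loading and submitting the form will fail this check, which is the trade-off the reply's "match against their IP address" implies.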
  • devilwood
  • Silver Member
  • Posts: 436

Post 3+ Months Ago

Exactly. We will use the same form structure over and over so I just wanted an easier way to handle the storage.

Thank you. I also read about the md5 hidden field but I didn't understand it; your description cleared it up. I think most people were salting the md5 hidden variable but not mentioning that it would need to be coupled with the user's IP address. Makes more sense to me.
  • devilwood
  • Silver Member
  • Posts: 436

Post 3+ Months Ago

I have my form doing as described, but this morning we got someone submitting the form over and over with bogus info.

On all the submissions the first name and last name were identical, and the phone and zip contained letters like KmVOmWFG. The first and last name could be real names or bogus, like David David or Evomuss Evomuss. The IP jumps around the world on every submission.

I added some additional handling in my processing PHP script to check if the first and last name matched and to check if there were any letters in the phone or zip, but INSERTs into the DB still occurred.

The db user the script uses only has INSERT rights because we just take the info and submit it to the db. I made another db user and changed my script to use it and the INSERTs stopped.

Any ideas of how they are doing this? I'm not sure how they are using remote DB access, because it's only allowed by IP; they would either need a script loaded on the server or remote DB access, correct?

Can someone help me with what I should be looking for or keeping an eye out for? I'm still not sure either way how my logic to catch matching information failed, unless it was not using my script.
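The checks the post above describes (identical first and last name, letters in the phone or zip), as an added PHP example that is not the poster's script. It returns the list of failed rules rather than silently continuing, and appends one log line per rejected request so rows in the DB can be reconciled against what process.php actually saw: an INSERT with no matching log line did not come through this code path. The field names, the US 5-digit ZIP format and the log path are assumptions for the example.

```php
<?php
// Added example: server-side validation for the submissions described in the post,
// plus a rejection log to tell whether bogus rows are reaching process.php at all.
declare(strict_types=1);

// Returns an array of human-readable rule failures; empty array means the data passed.
function validate_submission(array $post): array
{
    $errors = [];
    $first = trim((string) ($post['firstname'] ?? ''));
    $last  = trim((string) ($post['lastname']  ?? ''));
    $phone = trim((string) ($post['phone']     ?? ''));
    $zip   = trim((string) ($post['zip']       ?? ''));

    if ($first === '' || $last === '') {
        $errors[] = 'name missing';
    } elseif (strcasecmp($first, $last) === 0) {
        // "David David", "Evomuss Evomuss": first and last name identical.
        $errors[] = 'first and last name identical';
    }

    // Phone: digits plus the usual separators only; any letter fails the match.
    if (preg_match('/^[0-9 ()+.\-]{7,20}$/', $phone) !== 1) {
        $errors[] = 'phone contains non-numeric characters';
    }

    // ZIP: assumed US format, 5 digits with an optional +4 suffix.
    if (preg_match('/^[0-9]{5}(-[0-9]{4})?$/', $zip) !== 1) {
        $errors[] = 'zip contains non-numeric characters';
    }

    return $errors;
}

// One line per rejected request: timestamp, submitting IP, failed rules.
// LOCK_EX keeps concurrent requests from interleaving their writes.
function log_rejection(array $errors, string $ip, string $file = '/tmp/form-rejects.log'): void
{
    $line = sprintf("%s ip=%s errors=%s\n", date('c'), $ip, implode(';', $errors));
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// --- in process.php, before any INSERT ---
// $errors = validate_submission($_POST);
// if ($errors !== []) {
//     log_rejection($errors, $_SERVER['REMOTE_ADDR']);
//     http_response_code(400);
//     exit('Rejected');
// }

// CLI self-check with constructed submissions shaped like the ones in the post.
if (PHP_SAPI === 'cli') {
    $bogus = ['firstname' => 'Evomuss', 'lastname' => 'Evomuss',
              'phone' => 'KmVOmWFG', 'zip' => 'KmVOmWFG'];
    print_r(validate_submission($bogus));

    $real = ['firstname' => 'Jane', 'lastname' => 'Doe',
             'phone' => '(555) 555-0100', 'zip' => '98101'];
    print_r(validate_submission($real));
}
```

Logging the rejections (and, if the volume allows, the accepted submissions too) answers the question the post ends on: if the bogus rows keep appearing while the log shows no accepted request for them, the writes are not coming through process.php, which fits the observation that swapping the DB user stopped them. Rotating the old DB user's credentials rather than only creating a new one closes that path.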

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.