|
|
|
|
Like this code?
Show the author your appreciation.
|
|
| |
HTML forms on a PHP-enabled website can at times be tricky to secure.
Many people use a CAPTCHA type method to secure forms, however there may be times when having an Auth-Image is not acceptable.
i.e.: an article rating form.
The below will effectivly block form submission that are faked and not from your website.
Read after function for example usage.
(this will not protect against bots or anything that accesses your form directly from your website.)
this is not meant to be a stand-alone form security measure.
this is intended to be used alongside other form validations
|
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/**
/** WRITTEN BY:
/** JOE F. (OWNER/DEVELOPER OF BASHMYEX.COM)
/** Free to use for any purpose as long as the
/** proper credits are given to the original author.
*
*
* auth_token - create auth token session value on forms
* if session value does not match form value we know form
* was incorrectly accessed and we can deny the attempt
*
* @param string $pre - generates random secure_check string for hidden field on form
* once value created on form
* turn value into a session to be later compared
* @param string $after - compares session value to form value for above string
* if form string does not match session string then we can
* safely assume the submit page was accessed from an external
* website attempt at copying form and we then deny access
*
* we also check if there is no value set. which would happen
* if submit page was directly accessed or submit was made without
* proper access to begin with.
* empty access is controlled by below function
* empty_check($bash_form=TRUE)
*
* @global $token - used in form hidden field: <input name='securecheck' type='hidden' value='$token' />
* @global $messages - grabs message from our lang.php file
*
*/
function bme_auth_token($pre, $after){
global $bme_token;
$deny_message = "ERROR!";
if($pre == '1')
{
$bme_token = sha1(uniqid(rand(), true));
$_SESSION['bme_token'] = $bme_token;
$_SESSION['bme_token_timestamp'] = time();
return $bme_token;
}
if($after)
{
$correct_value = $_SESSION['bme_token'];
$user_value = $_POST['bme_securecheck'];
if ($correct_value == $user_value)
{
unset($correct_value);
unset($user_value);
} else {
echo $deny_message;
exit;
}
}
} | |
Usage example would be:
form.php --
| $bme_form_secure = bme_auth_token($pre=1, $after=0)
echo"
<form name='bme_article_form' method='post' action=''>
//NOTICE THE PROPER NAME FOR THE SECURE CHECK SECTION!
//FIELD NAME MUST BE: securecheck
<input name='securecheck' type='hidden' value='{$bme_form_secure}' />
<textarea cols='30' rows='5'
<input name='submit' type='submit' id='submit' value='submit' /> name='something' id='something'></textarea> | |
form submission page:
//check for proper form value:
//will auto-check if the form value for
//SECURECHECK matches the session generated value
//when form was first accessed
bme_auth_token($pre=0, $after=1)
//if correct, then rest of code below this works.
//if not correct then the error message will be displayed and script stops |
|
| Authenticator for Exchange Server LDAP Categories : PHP, Authentication, LDAP, Security, Sessions | | | A simple PHP login script that you can modify to suite your needs. It use a session to store data in a session file submited by the page. Categories : PHP, Sessions, Security, Authentication | | | Using Postgres and PHP3 Authentication from a Web application Categories : PostgreSQL, HTML and PHP, Authentication, PHP | | | AITSH Statistics Categories : Complete Programs, Databases, HTML and PHP, Sessions, PHP | | | A damaged image generator (class) for validating text.
CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart Categories : PHP, PHP Classes, Security, GD image library, Security | | | Use of bitmasks to represent permissions Categories : PHP, Authentication, Bitwise Operators, Security, PHP Classes | | | phpSecurePages is a PHP module to secures pages with a loginname and
password. It handles multiple user groups (each has own viewing rights),
store data in a MySQL database or a configuration file, and can be used to
identify Web site viewers. Categories : PHP, Security, Authentication | | | A login page that require username, password and userlevel. Categories : PHP, Security, Sessions, MySQL, Databases | | | PHP4 session helper HTML file.
Categories : PHP, Java Script, HTML and PHP, Sessions | | | Simple Password example Categories : PHP, Authentication, Security, HTTP | | | XDT Topsite (Gold v1.0) Categories : Databases, CSS, PHP, HTML and PHP, Sessions | | | MD5 secured login Categories : PHP, Java Script, Authentication, Security | | | session out Timer Categories : PHP, Sessions, Security, Beginner Guides | | | PHP Function to Encrypt/Decrypt a string without a known key. The string itself has his own different key for every character. Categories : PHP, Algorithms, Security, Authentication, Encryption | | | Password using php, Javascript, and html form Categories : Security, PHP, Authentication, Java Script | |
|
|