Samuel Sjöberg's weblog


Verification of vForm rules

In a comment on the original vForm entry I was made aware of a form-spoofing problem: if someone builds their own form and posts it to my page, the validation is bypassed and malicious data can be written to my database.

My first idea for solving the problem was to store a hash of the rules and then compare this hash to the incoming rules. The problem with this approach is that the incoming rules (POST) can look different depending on what has been posted. E.g. if you have a max(3) rule and no checkboxes are selected, then this rule will be missing from the POST.

Next in line was XML parsing. My one objection to this approach is that vForm was originally created as an alternative to methods that parse a form to extract rules hidden in custom attributes. To quote myself:

Since I didn't want to dive into the DOM for some custom tag values I came to the conclusion that the name attribute was my best option.

Even though vForm loses some of its finesse, I chose to use a SAX parser to verify that the posted rules are indeed the ones written in the form.

I have added a new method called verifyRules(). It takes two arguments: first a URL pointing to the web page that contains the form (and thus the rules), and second the address written in the action attribute of the form.

The function opens the page with fopen if that is allowed (allow_url_fopen); otherwise fsockopen is used. If a socket must be used the function may be a bit slow.

The XML parser then walks through the file and finds the correct form. When the form is found, every tag whose name attribute corresponds to an index in the POST or GET array is saved. When the rules have been collected from the file they are hashed and compared to the rules in the POST or GET array.

The verification must be called explicitly if you want to use it, and if so, call it before you actually validate the form.
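The following is an added example of the verification idea described above; it is not vForm's own code. It assumes a rule syntax of the form field|rule inside the name attribute (vForm's real syntax is not spelled out in this post), that the form page is well-formed XHTML so PHP's SAX parser (ext/xml) can walk it, and it embeds a constructed copy of the page inline instead of fetching it with fopen or fsockopen. The point it demonstrates is the one the post makes: the server re-derives the allowed field names from its own markup and rejects a submission whose keys were changed, so a form with the rules stripped from the name attributes does not pass.

```php
<?php
// Added example (not vForm's own code): re-derive the allowed field names from
// the server's own copy of the form and reject a submission whose keys do not
// match. The "field|rule" syntax in the name attribute is an assumption.

// Constructed XHTML fragment standing in for the page verifyRules() would fetch.
$formPage = <<<'XHTML'
<html><body>
<form action="search.php" method="get">
  <input type="text" name="q" />
</form>
<form action="form.php" method="post">
  <input type="text" name="email|required|email" />
  <input type="text" name="age|max(3)" />
  <input type="checkbox" name="subscribe|max(1)" value="1" />
  <input type="submit" name="submit" value="Send" />
</form>
</body></html>
XHTML;

/**
 * Walk the markup with the SAX parser, keep the name attributes of the fields
 * inside the form whose action matches, and return those that also occur as
 * keys in $posted (so an unchecked checkbox that is absent from the request
 * does not cause a mismatch). Elements outside the target form are ignored.
 */
function collectFormFields(string $markup, string $action, array $posted): array
{
    $inTarget = false;
    $fields = [];
    $parser = xml_parser_create();
    // Keep tag names as written; the default folds them to upper case.
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
    xml_set_element_handler(
        $parser,
        function ($p, string $tag, array $attrs) use (&$inTarget, &$fields, $action, $posted) {
            if ($tag === 'form') {
                $inTarget = (($attrs['action'] ?? '') === $action);
                return;
            }
            if ($inTarget && isset($attrs['name']) && array_key_exists($attrs['name'], $posted)) {
                $fields[] = $attrs['name'];
            }
        },
        function ($p, string $tag) use (&$inTarget) {
            if ($tag === 'form') {
                $inTarget = false;
            }
        }
    );
    if (!xml_parse($parser, $markup, true)) {
        $msg = xml_error_string(xml_get_error_code($parser));
        xml_parser_free($parser);
        throw new RuntimeException("form page is not well-formed XHTML: $msg");
    }
    xml_parser_free($parser);
    sort($fields);
    return $fields;
}

/**
 * Hash the field names found in the real form and the keys of the request the
 * same way and compare. True only if every submitted key is a field of the form.
 */
function verifyRules(string $markup, string $action, array $posted): bool
{
    $fromForm = collectFormFields($markup, $action, $posted);
    $fromPost = array_keys($posted);
    sort($fromPost);
    return hash_equals(sha1(implode("\n", $fromForm)), sha1(implode("\n", $fromPost)));
}

// Honest submission: the unchecked checkbox is simply absent, which is allowed.
$genuine = ['email|required|email' => 'a@example.org', 'age|max(3)' => '42', 'submit' => 'Send'];
// Spoofed submission: the "required|email" rules were stripped from the field name.
$spoofed = ['email' => 'not-an-address', 'age|max(3)' => '42', 'submit' => 'Send'];

var_dump(verifyRules($formPage, 'form.php', $genuine));
var_dump(verifyRules($formPage, 'form.php', $spoofed));
```

With these inputs the genuine submission verifies and the spoofed one does not, because the key email never appears as a field of the form whose action is form.php. Two practical notes: reading the template from local disk (file_get_contents on the script's own file) gives the same guarantee as fetching it over HTTP without the socket round-trip the post mentions, and PHP rewrites dots and spaces in incoming variable names to underscores, so a rule syntax that contains those characters would never match and must be avoided.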

Example

Here is an example where the form is located at the address mydomain.com/form.php and the action attribute has the value form.php.

include('vform.class.php');
// Create the validator (the constructor is not shown in this post).
$vform = new vForm();

// Rule verification: fetch the real form and compare its rules with the posted ones
if (!$vform->verifyRules('http://mydomain.com/form.php', 
      'form.php')) {
   die ('Invalid rules');
}
 
// Form data validation, only after the rules have been verified
if (!$vform->isValid()) {
   echo $vform->getErrorList();
}

Source

The demonstration page has been updated with this new functionality and I have also added a form which tries to bypass the rules.

Reader comments

  1. Thanks for the code! I hope to soon include it in bMail, a GPL'd newsletter project. Anyway, as I was sorting through the code I noticed:

    echo ini_get('allow_url_fopen');

    on line 120 of the vForm class. Shouldn't this be removed?

    30th November 2005, 23:46 CET. 


About this post

Created 4th April 2005 14:42 CET. Filed under PHP.
