Next, I have a contact form on one page, and I would like it to work only from within the page itself, so that third parties cannot submit POST requests from malicious programs etc., something like a "lock" where some verification code is generated on that page. How can I do that?
Simple structure:
<form method="post">
<input type="text" name="teste" />
</form>
I think I understand the idea, but how would it be in practice?
– Thiago
Search Google for "php captcha".
– Daniel Omine
In ASP.NET MVC there is a concept of an "anti-forgery token", which is about Cross-Site Request Forgery (CSRF). I googled "anti-forgery PHP token" and found this: http://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php It is a kind of hash that you add to the session when you submit the form and validate on the POST. Look up these concepts and you'll get it.
– user26552
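One way to implement the session-bound token that the comment above describes, as an added example in PHP that is not code from the original question or from any of the commenters. Assumptions (not stated on the page): the hidden field and the session key are both named csrf_token, the form posts back to the same URL, and PHP 7.3 or later is used (for the array form of session_set_cookie_params; random_bytes and hash_equals need 7.0/5.6).

```php
<?php
// Added example, not from the original thread. Assumed names: hidden field and
// session key "csrf_token"; the form posts back to this same script.
declare(strict_types=1);

// Mark the session cookie HttpOnly and SameSite=Lax so a third-party site
// cannot read it, and most cross-site POSTs will not even carry it. The token
// check below is still the primary defence; this is defence in depth.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Return the token for this session, creating it on first use.
// 32 random bytes (256 bits) from the CSPRNG, hex-encoded for the HTML field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted value with the session's token.
// is_string() rejects csrf_token[] array tricks; hash_equals() compares in
// constant time so the comparison itself does not leak the token.
function csrfValid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Token matches: handle the field from the question's form.
    $teste = $_POST['teste'] ?? '';
    echo 'Received: ' . htmlspecialchars((string) $teste, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<form method="post">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>" />
    <input type="text" name="teste" />
    <button type="submit">Send</button>
</form>
```

What this check does and does not do: the token lives in the server-side session and is only ever sent to the browser that owns that session cookie, so a page on another origin cannot read it and a POST it forges from a visitor's browser is rejected with 403. A script that first GETs the form with its own cookie jar, reads the hidden field and POSTs it back will pass, because it is not forging anything on behalf of another user; that is the bot/automation problem the captcha comments in this thread are about, and it needs a separate control (captcha, rate limiting) rather than a stronger token.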
@Miguel what you said there is very flawed. You can submit the "YOO". The guy just has to analyze the HTML source in the browser and he will discover this.
– user26552
@Danielomine captchas nowadays can be broken too. There are scripts that interpret captchas, but it already makes things more difficult. The ideal is to apply the CSRF concept.
– user26552
It was just a comment and not a definitive solution. Besides, a poorly done captcha has always been breakable. There are different ways to implement a captcha. And CSRF does not replace it; it is even very easy to circumvent. The problem with the captcha is that it makes the UX more bureaucratic. Nobody likes to fill in those codes, boring and often unreadable, during a login or a registration. But it is still the safest thing to do when well employed. One of the most intelligent and simple ones is something like this, currently used in one of the Facebook administration pages: http://i.stack.Imgur.com/gqhtO.jpg
– Daniel Omine
Speaking a little more, since you touched on the subject, and so as not to leave what I mentioned too vague: try this library, which simulates navigation as if it were a browser: http://www.simpletest.org/en/browser_documentation.html It is all in PHP. With this library you can access a page and submit forms with a valid session. Just test it and see how simple it is to circumvent CSRF. It is not by chance that captcha exists. But as I mentioned above, one should consider the business model of the site. On a technical site it can be a more complex captcha. A site like Facebook has to be very friendly and, obviously, safe.
– Daniel Omine
Friends, I implemented a small example in a test application and managed to circumvent it with a Python script that took the value from the form and added it to the request. How do I proceed now? I saw something related to JSON tokens, but didn't read much about it. Suggestions?
– Thiago