In demand

ad1

Monday, February 23, 2015

Security in Forms and API requests

Working CCK Form security: tokens but also white listing POST variables, MIA for CMS's and impossible to implement in Drupal & WP etc. Sanitation and validation of user input yes. But nothing against Injection of POST fields into the request Since CCK ( cck.fhqk.com ) is API-centric it is critical to secure the requests from client forms and all verb requests via cURL, php://input etc..

Strange that this was a very common task back in the days of Classic ASP. But somewhere in the gain in popularity of PHP it got lost.

from POST Request;

 Array
(
    [ccid] => ccid-54eb4dcabcdc97.58677578
    [title] => 
    [author_id] => 
    [date_created] => 
    [send] => send
    [security] => 8e474da78d349ee503b65357f611bb69
    [form] => content_type_add
)


 Checklist from Session:




Array
(
    [token] => 8e474da78d349ee503b65357f611bb69
    [whitelist] => Array
        (
            [0] => ccid
            [1] => title
            [2] => type
            [3] => author_id
            [4] => date_created
            [5] => send
            [6] => security
            [7] => form
        )

)

Kill unwanted request verbs:

$method = $_SERVER['REQUEST_METHOD'];
        

        switch ($method) {
            case 'PUT':
                exit($method . ' not allowed');
                break;
            case 'GET':
                exit($method . ' not allowed');
                break;
            case 'HEAD':
                exit($method . ' not allowed');
                break;
            case 'DELETE':
                exit($method . ' not allowed');
                break;
            case 'OPTIONS':
                exit($method . ' not allowed');
                break;

        }

Today's Links

Post a Comment

Print this!