I have a file, "submit.php", which writes a series of values submitted from a previous form in "choose-product.php" to a MySQL database. I've used mysql_real_escape_string as suggested in a previous question here, but I've noticed that if I upload my "choose-product.php" file to a separate server and change the opening of the form to

    <form name="form" id="form" action="http://www.myserver.com/submit.php" method="post">

this will also write a series of values to the database. Obviously this is very bad! Now, I know there will be a way to rectify this, but as this is my first time writing such code, I'm a bit stumped.

Here's the full code for submit.php:
    <?php
    include("db.php");

    // Builds a 12-character key: 7 lower-case letters, 1 upper-case letter,
    // 3 digits and 1 symbol, shuffled together.
    // Note: rand() is not a cryptographically secure generator, so these
    // keys are guessable in principle.
    function random_string() {
        $character_set_array = array();
        $character_set_array[] = array('count' => 7, 'characters' => 'abcdefghijklmnopqrstuvwxyz');
        $character_set_array[] = array('count' => 1, 'characters' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ');
        $character_set_array[] = array('count' => 3, 'characters' => '0123456789');
        $character_set_array[] = array('count' => 1, 'characters' => '!@#$*&:');
        $temp_array = array();
        foreach ($character_set_array as $character_set) {
            for ($i = 0; $i < $character_set['count']; $i++) {
                $temp_array[] = $character_set['characters'][rand(0, strlen($character_set['characters']) - 1)];
            }
        }
        shuffle($temp_array);
        return implode('', $temp_array);
    }

    $key = random_string();

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        // Escaping prevents SQL injection through productid, but it does not
        // check that the product exists, and nothing here checks who sent the POST.
        $productid = mysql_real_escape_string($_POST['productid']);
        mysql_query("INSERT INTO sales VALUES('','$productid','$key',CURRENT_TIMESTAMP,'','active')");

        // The key can contain '#', '&' and ':', which are not safe in a URL
        // query string or an HTML attribute, so encode it before echoing it
        // (a raw '#' would otherwise truncate the query string as a fragment).
        $key_param = htmlspecialchars(urlencode($key), ENT_QUOTES);

        echo "
        <form action='XYZ' id='BB_BuyButtonForm' method='post' name='BB_BuyButtonForm' target='_top'>
        <input name='item_name_1' type='hidden' value='Test item 1'/>
        <input name='item_description_1' type='hidden' value='Testing item sales'/>
        <input name='item_quantity_1' type='hidden' value='1'/>
        <input name='item_price_1' type='hidden' value='0.5'/>
        <input name='item_currency_1' type='hidden' value='GBP'/>
        <input name='shopping-cart.items.item-1.digital-content.url' type='hidden' value='http://www.XYZ.com/download.php?key=$key_param'/>
        <input name='_charset_' type='hidden' value='utf-8'/>
        <input alt='' src='XYZ' type='image'/>
        </form>
        ";
    }
    ?>
Welcome to the HTTP protocol.
http://www.myserver.com/submit.php can be called by anyone, at any time. The form that calls it can be on any other web page. Or the user may not actually call it from a form at all, but may use a command line tool to submit data. This tool could claim to be a web browser and you would not know.
I'm guessing from your Q:
Are you relying on choose-product.php to provide some kind of security for submit.php?
You can't.
You must do all checks for security on submit.php, even if you've just done them for choose-product.php 5 seconds ago.
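To make the answer's point concrete, here is an added example of a submit.php that performs every check server-side. It is not the asker's code or the answer's; it is written for this page. It assumes db.php provides a connected mysqli object in $mysqli (the original used the old mysql_* functions), a hypothetical products table with an integer id column, and that the sales table has the columns productid, key, created and status; the column names are assumptions since the original INSERT did not name them. The session token only proves the form was served by this site to this browser session; a script can fetch choose-product.php first and replay the token, which is exactly why the product validation and the database checks cannot be skipped.

```php
<?php
// Added example, not the original page's code.
// Assumed: db.php defines $mysqli (mysqli connection); tables
// products(id INT) and sales(productid, key, created, status) exist.
session_start();
include 'db.php';

// Session-bound form token. choose-product.php embeds it with:
//   <input type='hidden' name='token' value='<?= htmlspecialchars(csrf_token()) ?>'/>
// It stops a third-party page from posting on behalf of a logged-in user;
// it does not stop a client that fetches the form first, so validate anyway.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// 1. Only accept POST; a GET from a link or a crawler should do nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

// 2. Check the token with a constant-time comparison.
if (!isset($_POST['token']) || !hash_equals(csrf_token(), (string)$_POST['token'])) {
    http_response_code(403);
    exit('Invalid form token');
}

// 3. Treat productid as untrusted data: it must be a positive integer
//    and it must exist in the products table. Escaping alone would let a
//    caller insert a sale for any id they like, including ones that do not exist.
$productid = filter_input(INPUT_POST, 'productid', FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
if ($productid === false || $productid === null) {
    http_response_code(400);
    exit('Bad product id');
}
$stmt = $mysqli->prepare('SELECT id FROM products WHERE id = ?');
$stmt->bind_param('i', $productid);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows !== 1) {
    http_response_code(400);
    exit('Unknown product');
}
$stmt->close();

// 4. Generate the download key from a CSPRNG rather than rand(). Hex output
//    is safe both in a URL query string and inside an HTML attribute.
$key = bin2hex(random_bytes(16));

// 5. Insert with a prepared statement so no value is concatenated into SQL.
$status = 'active';
$stmt = $mysqli->prepare(
    'INSERT INTO sales (productid, `key`, created, status) VALUES (?, ?, CURRENT_TIMESTAMP, ?)'
);
$stmt->bind_param('iss', $productid, $key, $status);
if (!$stmt->execute()) {
    http_response_code(500);
    exit('Could not record sale');
}
$stmt->close();

// 6. Escape anything echoed back into HTML, even values this script created.
$download = 'http://www.XYZ.com/download.php?key=' . urlencode($key);
echo "<input name='shopping-cart.items.item-1.digital-content.url' type='hidden' value='"
   . htmlspecialchars($download, ENT_QUOTES, 'UTF-8') . "'/>";
```

The order matters: method, token, input validation, existence check, then the write. Each check runs inside submit.php itself on every request, regardless of what choose-product.php did a moment earlier, because the server can never see which page, if any, produced the POST.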