I have a script that use $_POST variable to store to the database.
There are some users who is trying to cheat the system by making their own post form method or using curl to send post variable and value to the server.
How can I prevent this attack?
开发者_如何学CThank You
Prevention isn't possible (POST being safe is an oversimplification myth). You have to validate the incoming data with various methods:
- CSRF tokens help against arbitrary form submission bots (but not against handicrafted tampering)
- enumarate the expected form values, assert() that all are present and no extraneous fields show up
- sanitize and filter on expected values. I use
$_POST->text->in_array("field", "abc,def,xyz")
for example
There is no way to stop people making arbitrary HTTP requests.
How you defend yourself depends on what the content of the request is and why it constitutes an attack.
You can make sure that POST is made from your form via capcha kind of protection or You can sanitize each $_POST variable and reject whole POST data if it don't satisfy criteria.
This attack have a name "SQL injection". It's not too hard to protect from it. Just use magic_quotes if your value is string and use filter witch skips onlu numbers if your value is number.
精彩评论