verify my code please

ErnieAlex · February 1, 2016, 10:38pm

Well, guess I am a little confused on what we are NOW discussing. I thought it was about this one line not
working well under certain versions of IE?
if (isset($_POST[‘submit’]))

I have a site that scrapes a Google search and then scrapes data out of the list of sites it finds. It uses CURL and
it works well although slowly at times. It uses the above and has never failed and seems to work just fine on the
older IE8. I tested it by starting up and older desktop I was planning on taking to the dump. My code does not
accept outside CURL posts. It only allows CURL posts from my own server. A CURL request or post from my own site
will run just fine.

I guess I still going to use it on this site. I do not have IE7 or IE6 to test with, although I think I have an XP
emulation on one of my systems and will play with that later in the week… I think it has IE6 on it… Will be
interesting to see if it can handle the code…

benanamen · February 1, 2016, 10:46pm

Well, yes, but more specifically isset($_POST[‘submit’]) VS if ($_SERVER[‘REQUEST_METHOD’] == ‘POST’)

The IE issue is just ONE reason not to use it. I have now provided a SECOND reason. If I have time I will show yet another example.

My code does not accept outside CURL posts.

Really? And just how exactly are you blocking it? cURL does not knock on your servers door and say "Hey, I am a cURL post."

ErnieAlex · February 1, 2016, 11:16pm

Well, on the one site I am talking about, it always checks for the user being logged in and then checks the
calling page to verify it is from the site itself. It is just a simple check. I have never really tested it to any real
security lengths as I never felt I needed to. Perhaps now, I will attempt to hack into it and see if it fails.

On another site that uses CURL to send requests to one of my server, it must come from one and only one IP
address. That was a simple security check. I realize that IP’s can be faked, but, it does remove simple hacks…

So, there are ways to prevent CURL from posting to your site…

benanamen · February 1, 2016, 11:33pm

Actually, it is nothing to do with the request coming from cURL itself. It is all about that you allowed that IP. That same person could also put an actual form on their allowed server and that would work as well. They could also use any number of tools such as Request Maker to send the post data https://chrome.google.com/webstore/detail/request-maker/kajfghlhfkcocafkcjlajldicbikpgnp

This will also provide another answer to [member=72272]astonecipher[/member]'s question “If the http requests does not come from the form, where is it coming from?”.

As I said, cURL does not announce itself to the server as cURL and there are MANY ways to send post data to your website besides the form on your site.

ErnieAlex · February 1, 2016, 11:43pm

HUH? If a user has a form that posts to my secured one to submit info in the correct form and I allow that one
IP to access the page it is posting to. Who cares if they make a different page to do the same thing? It still gets
thru and is valid, so no issues. If you or anyone else attempts to post thru CURL to that page, it just dies and it
gets no responses except a message saying they are not allowed on the site! Even if you as a hacker would get
to their site and hack their page, you would need to be logged into their secured site before you could send data
from them to my server. I think it is secured from your CURL! LOL

So, yes, it has nothing to do with CURL itself, but, it does stop CURL in it’s tracks. (Well on that one page at least!)

benanamen · February 1, 2016, 11:51pm

It stops anyone and anything that is not from that ip (real or spoofed), it has nothing to do with whether it is curl or not, it only has to do with you are not coming from the allowed ip regardless of how you are sending the data.

benanamen · February 1, 2016, 11:54pm

Here is another failure using if submit. This should fail in any browser/version. Switch the commented line around and test again.

If you happen to have a form that is all check boxes (very common in a table to do some action on multiple rows) you will fail using if submit

[php]<?php
if (isset($_POST[‘submit’]))
//if ($_SERVER[‘REQUEST_METHOD’] == ‘POST’)
{
if (!isset($_POST[‘box1’]))
{
echo “Error: You must select checkbox 1
”;
}

if (!isset($_POST['box2']))
    {
    echo "Error: You must select checkbox 2";
    }


}

else
{
echo “$_POST[‘submit’] was not received
”;
}
show_source(FILE);
?>

[/php]

I think I have proven my point with actual code examples. (There are still more by the way.) It is really pointless to keep showing how many different ways something WONT work.

In the words of Forrest Gump…

ErnieAlex · February 2, 2016, 12:14am

doesn’t it work if you put the action="" back into the tag?

benanamen · February 2, 2016, 12:21am

Per the HTML5 specs, the action attribute is not required.
https://www.w3.org/TR/html5/forms.html#attr-fs-action

The action and formaction content attributes, [b]if[/b] specified,.....

And no, it doesn’t make any difference.