PHP form spoofing code

Question

I have the following code which should prevent form spoofing. A token is used to match and ensure that the form submitted is from that page..

if (isset($_POST['Submit'])) {
    if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) {
        // error, form spoofing, return to users' page or do something else
        echo '<script>',
                 'alert("Form spoofing error!! Please Try again later")',
             '</script>';
    } else {
        //Continue with submission
    }
}

The error shows up every-time I submit the form and needs to show only when there a security risk.

Thanks.

EDIT: The following code is added at the start of the page:

$_SESSION['token'] = md5(time());

A hidden field is added which matches with the token created at the start of the session after submission:

<input name="token" id="token" value="<?php echo md5(time()); ?>" type="hidden">

PHP spoofing error comes after every form submission which doesn't let me submit form.

When is `$_SESSION['token']` generated? Is it possible you generate a new token on page load before comparing the old one? — DCoder, May 11 '13 at 16:55
echo `$_POST['token']` and `$_SESSION['token']` to see what value they have. — Siamak Motlagh, May 11 '13 at 16:55
Too early and not enough coffee for me to see what it is. Definitely try the debugging that Siamak suggests and I'd also suggest you tighten it up by using !== (identity rather than equality). — Erik Nedwidek, May 11 '13 at 17:07
How do you think this will prevent form spoofing? I can still grab the valid tokens and send whatever I want. — Gumbo, May 11 '13 at 17:07

score 0 · Accepted Answer · answered May 11 '13 at 17:24

Heres an example that you can try, it expects the page tobe loaded at least once first before a POST request, also token key is also hashed for fun:

<?php 
session_start();

if ($_SERVER['REQUEST_METHOD']=='POST') {

    if (!isset($_SESSION['token_key']) || 
        !isset($_SESSION['token'])     || 
        !isset($_POST[$_SESSION['token_key']]) || 
        $_POST[$_SESSION['token_key']] != $_SESSION['token']) {

        echo 'Form spoofing error!';
    } else {
        //Continue with validation ect
        echo 'alls good!';
    }
}
//set after any checks on previous values
$_SESSION['token_key'] = sha1(microtime(true));
$_SESSION['token'] = sha1(microtime(true)+1);
?>
<form method="POST" action="">
    <input type="hidden" name="<?php echo $_SESSION['token_key'];?>" value="<?php echo $_SESSION['token'];?>" />
    <p><input type="text" name="yada" size="20">
    <input type="submit" value="Submit" name="B1"></p>
</form>

hope it helps

I get 'Form spoofing error!' message after submission and form is also submitted. Any help on this maybe? Thank you. — virs90, May 11 '13 at 20:02
perhaps you have a session issue, you should check that your sessions are working. — Lawrence Cherone, May 11 '13 at 20:11
Okay, could you please take a look at my file if I personally sent it you.. if that's okay? Thanks.. — virs90, May 11 '13 at 20:14

score 0 · Answer 2 · answered May 11 '13 at 17:30

You should also consider adding a salt to your hash, because with your method is someone was able to find the time the script was run, they could just take a hash of it and spoof your token. With an added salt they would also need to know the salt.

md5(time()+53498238923);

Just any random number will do for this.

PHP form spoofing code

2 Answers2