PHPDeveloper.org: Jani Hartikainen's Blog: How to CSRF protect all your forms

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Dave Marshall's Blog: Competition: PHP Job Hunters Handbook up for grabs

Job Posting: LIVESTRONG.com/Demand Media Inc. Seeks Senior PHP Software Developer (Santa Monica, CA)

Job Posting: Children's Hospital Boston Seeks Open Source Web Developer (Boston, MA)

Job Posting: eReleases Seeks Zend/PHP Developer (Baltimore, MD)

Job Posting: Chegg Seeks Senior PHP Developer (Santa Clara, CA)

Job Posting: TEKSystems (Recruiter) Seeks PHP Web Application Developers (Tampa, FL)

Job Posting: Quinstreet, Inc. Seeks Sr. PHP Developer (Foster City, CA)

Job Posting: WideEye Interactive/Moroch Advertising Seeks Web Developer (Dallas, TX)

Job Posting: Project People Ltd (Recruiter) Seeks PHP Developer (Paris, France)

Job Posting: Snelling (Recruiter) Seeks Web Programmer (Boston, MA)

News Archive

ElePHPant World Tour: The Elephpant World Tour 2008 is done!

Ralph Schinder's Blog: The Semi-Official Zend Framework Pear Channel

Michael Caplan's Blog: Don't Forget to Flush

Sameer Borate's Blog: Finding if an array is ordered

Etienne Kneuss' Blog: SplObjectStorage for a fast and secure object dictionary

Matthew Turland's Blog: php|tek 2009 Hackathon

Tobias Schlitt's Blog: Webdav authentication, authorization and locking

Evert Pot's Blog: Devshed article about SQL Injection

Site News: Blast from the Past - One Year Ago in PHP

Community News: phpGG Frontend Special

Jani Hartikainen's Blog:
How to CSRF protect all your forms

by Chris Cornutt October 16, 2008 @ 12:07:26

Jani Hartikainen has posted a few ideas on cross site request forgeries in a new blog entry, including some methods to help prevent it in your application.

CSRF, or Cross-Site Request Forgery, is a vulnerability very common in websites. [...] This can be dangerous, especially if your admin interface is compromised: There may be a button on the other site which goes to your admin interface and deletes the latest blogpost for example - and you wouldn't want that!

His method is a three-step process for protection - use POST, protect against cross-site scripting and use a CSRF key in the form to help prevent abuse. A simple script is included to show it working and is adapted to work in a controller plugin for the Zend Framework.

0 comments voice your opinion now!
csrf crosssite request forgery xss scripting form protect

Similar Posts

Programmer Assist: Handling File Uploads With PHP

DevShed: Using Abstract Factory Classes in PHP 5 to Work with Online Forms

Vinu Thomas' Blog: Securimage Captcha for PHP

Paul Gregg's Blog: Want to try out the next major version of Delphi for PHP?

Pierre-Alain Joye's Blog: PHP Security Conference in Paris, 2007/01/29

Community Events

Don't see your event here?
Let us know!

All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework