Let’s say i have a form <form action="delete_post.php" method="post">...</form> on my website: http://mysite.com and the file action/delete_post.php deletes the post with matches the id given in the form.
Can somebody try to delete random posts from my website by building a site with a form:
<form action="http://mysite.com/action/delete_post.php' method="post">...</form>
and passing along id’s of posts he wants to delete [just for the fun of being evil or to inflict damage to a concurrent’s website or whatever] ?
You could imagine a whole bunch of stuff someone could do targeting your form processing files like that, so do i need to secure my files against that sort of threats?
PS.: I am not affiliated with http://mysite.com
Yes, this type of attack is called a cross-site request forgery (CSRF), and many sites are vulnerable to it.
A common way to block this attack is to include a hidden input with a randomly generated form token (even just something like
md5(microtime(true))is sufficient). Keep a list of recent valid form tokens in the user’s session, and destroy them once they’re used (and only keep 5 or 10 of the most recent). Don’t let that action complete if the user does not have a valid form token.