September 14, 2012

Cross Domain Form Posted – PHP Security Fix

Cross Domain Form Posted – PHP Security Fix

We the developers mostly rely on the ready made frameworks now a days and ignoring the common sense security fixes. Everybody knows that when a spammer will attack to your site so he will not do such a hectic activity that he will come to your form page and will enter captcha to spam you again and again. He will get the exact URL of your target page and the fields which are expected to be posted. He might will fix the captcha thing too, depends on his expertise. Now the question is this that if we don’t require cross domain posting so should we allow it or not? If not then are we preventing this attack?


Here is a simple example of a form which will post some input to

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Cross Domain Posting</title>
<form action="" method="post">
<input name="field1" />
<input name="field2" />
<input type="submit" />

Simple PHP Security FIX

We have no concern that the posted data is through GET or POST or its some AJAX etc. We have to check that if HTTP_HOST and the HOST from the HTTP_REFERER are the same or not? If they are same then its a safe activity else its a spamming activity.

function cross_domain_posted()
$parse_url = parse_url($_SERVER['HTTP_REFERER']);
echo 'Attack';
echo 'Host From: '.$parse_url['host'].'Host To: '.$_SERVER['HTTP_HOST'];
echo 'Safe
echo 'Host From: '.$parse_url['host'].'
Host To: '.$_SERVER['HTTP_HOST'];

I hope this snippet will help you to understand that how can we enhance the security either we are using the PHP frameworks or not. And it is not good to blame the frameworks for the security issues. We should be aware of the things which are related to the common sense.


Last updated: March 19, 2014
Did it helped? One thought on “Cross Domain Form Posted – PHP Security Fix
  1. Pingback: Website Designing Website Development Cross-site request forgery (CSRF) - Ajax Fix

Comments are closed.