2

I have the following code to generate a random string

<?php
function generateRandomString($length = 10) {
  $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  $randomString = '';
  for ($i = 0; $i < $length; $i++) {
    // rand() is not a cryptographically secure generator; its output is predictable
    $randomString .= $characters[rand(0, strlen($characters) - 1)];
  }
  return $randomString;
}
$s = generateRandomString();

And I have an HTML form in which the name field gets the random string:

<input type="text" maxlength="10" name="<?php echo $s;?>" class="tracer-number-input"/>

Now how do I make sure to get the POST value of that random string when I use this:

$num = $_POST[$s];

It does not work as expected because when I click the submit button of the HTML form, the page reloads and the random string changes, so the POST does not get the previous random value. That breaks my logic.

The main motive is to make an HTML form in which the name of the input field is random and the POST field will also get that random string.

I want to prevent an automated script from making submissions, as this generates a different POST field every time and the script is then unable to process it, even though I have not added a captcha.

5
  • Use the random string in a hidden field, e.g.: <input type="hidden" name="tracer-number-input" value="<?php echo $s;?>"/> Commented Sep 21, 2013 at 4:46
  • But I want the user to input data in that text input field, and if I hide it then how can the user also input? I want to take input from the user in that field. Commented Sep 21, 2013 at 4:55
  • Save the random string in a hidden field too, or use the session. Commented Sep 21, 2013 at 4:58
  • You have an XY problem. Commented Sep 21, 2013 at 5:06
  • You can try DynamicFormFields for hiding real form field names in forms. Commented Apr 26, 2015 at 1:49

3 Answers

3

How about setting the value in a hidden field?

<?php
// If $_POST["random"] is set, reuse it as $s, else generate a new random string.
// Note: $_POST["random"] is supplied by the client, so it is untrusted input.
$s = isset($_POST["random"]) ? $_POST["random"] : generateRandomString();
?>
<!-- escape the value before placing it in an attribute, since it may come from the client -->
<input type="hidden" name="random" value="<?php echo htmlspecialchars($s, ENT_QUOTES); ?>" />
<input type="text" name="<?php echo htmlspecialchars($s, ENT_QUOTES); ?>" value="whatever user types"/>


1

You have two options:

  1. Store the random string in the $_SESSION variable and on POST, get the field name from there.
  2. Alternatively, if all you are aiming to do is give the post a different name for whatever reason and you know the names of all your other $_POST fields, you can loop over each field and find one that doesn't match. However, that will remove any "security" you had hoped to achieve.
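One way to implement the session-based option above, as an added example that is not code from this answer or from the original question; it assumes PHP 7.0 or later (for random_int) and uses a hypothetical session slot named tracer_field_name and a 400 response for stale submissions:

```php
<?php
// Added example: keep the random field name server-side in the session so the
// POST handler knows which key to read. Assumes PHP >= 7.0 and sessions enabled.
declare(strict_types=1);
session_start();

function generateRandomString(int $length = 10): string {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $max = strlen($characters) - 1;
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG, unlike rand()
        $randomString .= $characters[random_int(0, $max)];
    }
    return $randomString;
}

// Hypothetical name of the session slot that holds the issued field name.
const FIELD_NAME_SLOT = 'tracer_field_name';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $expected = $_SESSION[FIELD_NAME_SLOT] ?? null;
    // Only the field name this session was issued is accepted; a submission
    // without it (no session, replayed or forged POST) is rejected.
    if ($expected === null || !isset($_POST[$expected])) {
        http_response_code(400);
        exit('Form token missing or stale; reload the form.');
    }
    $num = (string) $_POST[$expected];
    // Drop the used name so the same POST body cannot simply be replayed.
    unset($_SESSION[FIELD_NAME_SLOT]);
    // ... handle $num here ...
}

// On GET, or after a handled POST, issue a fresh name for the next render.
$s = generateRandomString();
$_SESSION[FIELD_NAME_SLOT] = $s;
?>
<form method="post">
  <input type="text" maxlength="10" name="<?= htmlspecialchars($s, ENT_QUOTES) ?>" class="tracer-number-input"/>
  <button type="submit">Submit</button>
</form>
```

The field name never travels in a hidden input, so a client cannot choose it; each session only knows its own name, and each successful submission rotates it.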


0

You could encrypt your field names in a way that only you could decrypt:

<?php
    // Note: the mcrypt extension is deprecated in PHP 7.1 and removed in 7.2.
    $MY_SECRET_KEY = ...; // this is a constant with random string, stored somewhere safe and not disclosed to anyone
    $iv = mcrypt_create_iv(...);
    // $plain_field_name holds the real (plaintext) name of this input
?>
<!-- the IV is raw bytes, so it has to be base64-encoded before going into an attribute -->
<input name="iv" type="hidden" value="<?= base64_encode($iv) ?>" >
<input name="<?= base64_encode(mcrypt_encrypt(
                           MCRYPT_RIJNDAEL_128,
                           $MY_SECRET_KEY,
                           $plain_field_name,
                           MCRYPT_MODE_CBC,
                           $iv)) ?>" value="...">

While decrypting the form:

// decode the IV that was base64-encoded into the hidden field
$iv = base64_decode($_POST['iv']);
foreach ($_POST as $encrypted_field_name => $value) {
    if ($encrypted_field_name == 'iv') continue;
    // mcrypt pads the plaintext with NUL bytes; strip them to recover the original name
    $plain_field_name = rtrim(mcrypt_decrypt(
        MCRYPT_RIJNDAEL_128,
        $MY_SECRET_KEY,
        base64_decode($encrypted_field_name),
        MCRYPT_MODE_CBC,
        $iv
    ), "\0");
    ....
}

However, note that there are some form auto-fillers that use the form label or input order instead of the form name; I don't think there's any way to completely defeat those types of form fillers while still keeping your form usable for actual users. The most you can do is to make sure that your labels and input fields cannot be matched up easily; this can be done using CSS3 flexbox or JavaScript to reorder the input fields, in addition to encrypting the field names. For an automatic form filler to defeat this, it would have to understand flexbox or run the script. I think that would be sufficient to stop most script kiddies.
