I've hit a brick wall while trying to secure my indev website. The index is a PHP file that uses the Google Maps v3 API to display a map of my city that users can add their own markers to. Once they add a marker they can click on it to open an InfoBox containing a form that allows them to submit various information about the location. The form, which is simply a DOM element written in JS, POSTS to a PHP script that validates the data before parameterizing it and inserting it in a MySQL database. The website, by necessity, does not require registration, so I have tried unsuccessfully to deter form flooding by creating a one-use token that the PHP script verifies.
My problem, specifically, is this: I can create the token initially in the index.php file and then unset it after the form is successfully POSTed to the add.php script, but I cannot execute any PHP code from within the JS file to update the hidden form element with the new token.
Here's what is happening in the code --
From index.php (where the token is created on page-load):
$_SESSION['stoken'] = sha1(uniqid(mt_rand(), true));
Now that the token is created I assign it to a JS variable like so:
var stoken = "<?php print($_SESSION['stoken']); ?>";
Now my external .JS file has access to 'stoken' and puts it in a hidden form element on the Google Maps InfoBox window once the user accesses it. The user then submits the form and my add.php file verifies that $_SESSION['stoken'] is equivalent to the POSTed hidden form value. Then it unsets $_SESSION['stoken'].
This is where I am stuck. I cannot run any PHP from within the .JS file to set or access a new token for the next InfoBox that the user might create and fill out. If I allow users to use the same token for each InfoBox then it's incredibly simple to create an HTML file on one's desktop that floods the database with entries. The data validation prevents someone from entering a bunch of random BS, but an individual could still fill the database with "legitimate" information over and over with slightly different values.
So far I have come up with two "solutions":
(1) I can force a page reload, which creates a new token
or
(2) I can set .htaccess to instruct Apache to process PHP within JS files, allowing me to let the creation function for new InfoBoxes to be aware of a new token
Both of these options seem to me to be cop-outs that only a newbie, such as myself, would resort to and they may cause other problems down the line. I appreciate any help with a more elegant and reasonable solution to this problem. Thanks.
Since you use an AJAX Request to create the Stoken (If I got your text correct), you could just return the value of:
$_SESSION['stoken'] = sha1(uniqid(mt_rand(), true));
and write it JS Var. Doing so, you would also have the correct Stoken active, for give you hints how to do so, a JS Fiddle with your Javascript Code would be perfect.
An example of doing so with jQuery would be, in dependence of your $.load() or $.ajax() request would be:
$.ajax({
url: "XYZ"
}).done(function ( data ) {
stoken=data;
});
More infos you can find there: http://api.jquery.com/jQuery.ajax/