how to prevent hacking from POST method

Question

I have a script that use $_POST variable to store to the database.

There are some users who is trying to cheat the system by making their own post form method or using curl to send post variable and value to the server.

How can I prevent this attack?

Thank You

Answer 1

Prevention isn't possible (POST being safe is an oversimplification myth). You have to validate the incoming data with various methods:

• CSRF tokens help against arbitrary form submission bots (but not against handicrafted tampering)
• enumarate the expected form values, assert() that all are present and no extraneous fields show up
• sanitize and filter on expected values. I use $_POST->text->in_array("field", "abc,def,xyz") for example