Form submition

[Virtuoso]

How do I make it so that some pages only accept forms that come from my website?, so people can't create forms from other websites and link them to mine.

[swirlee]

Good question (and thanks for posting to the correct forum).

You can do this with moderate success using the server variable $_SERVER['HTTP_REFERER'], which contains the address of the page from which the user arrived. (Note that "REFERER" is missing an "R" .. this is a decade-old spelling quirk of the HTTP spec, or so I'm told).

Anyway, it's important to note that while this is useful, it's not foolproof. There are plenty of ways to spoof the referer/referrer, but unless you're handling sensitive data you probably don't need to worry about it.

[Virtuoso]

so is it somethign like this

Code: Select all

<?php
if ($_SERVER[HTTP_REFERER] != 'lastpage.php')
{
die('dont try to hack')
}
?>


[swirlee]

Yes, something like that, except that $_SERVER['HTTP_REFERER'] (note: the single-quotes around HTTP_REFERER are required) returns the whole address, not just the filename. I recommend that you get adventurous and echo it yourself to see what it looks like. You can use parse_url() to get the relevant parts of the URL.

[tranquillo]

wouldn't it be better to use

Code: Select all

if($_SERVER['HTTP_REFERER'] != "http://yourdomain.com/lastpage.php")

if you use only 'lastpage.php',couldn't someone name their document 'lastpage.php' and be able to submit data anyway?

[sigix]

it will be wise to check the complete domain name along with the page name :wink: