Form submission

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

Virtuoso
php-forum Active User
Posts: 268
Joined: Mon Jul 21, 2003 7:05 am

Form submission

Postby Virtuoso » Tue Jul 22, 2003 10:28 am

How do I make it so that some pages only accept forms that come from my website, so people can't create forms on other websites and link them to mine?

swirlee
Moderator
Posts: 2272
Joined: Sat Jul 05, 2003 1:18 pm
Location: A bunk in the back

Postby swirlee » Tue Jul 22, 2003 10:43 am

Good question (and thanks for posting to the correct forum).

You can do this with moderate success using the server variable $_SERVER['HTTP_REFERER'], which contains the address of the page from which the user arrived. (Note that "REFERER" is missing an "R" .. this is a decade-old spelling quirk of the HTTP spec, or so I'm told).

Anyway, it's important to note that while this is useful, it's not foolproof. There are plenty of ways to spoof the referer/referrer, but unless you're handling sensitive data you probably don't need to worry about it.

Virtuoso
php-forum Active User
Posts: 268
Joined: Mon Jul 21, 2003 7:05 am

Postby Virtuoso » Tue Jul 22, 2003 10:49 am

So is it something like this?

<?php
if ($_SERVER[HTTP_REFERER] != 'lastpage.php')
{
die('dont try to hack');
}
?>

swirlee
Moderator
Posts: 2272
Joined: Sat Jul 05, 2003 1:18 pm
Location: A bunk in the back

Postby swirlee » Tue Jul 22, 2003 11:50 am

Yes, something like that, except that $_SERVER['HTTP_REFERER'] (note: the single-quotes around HTTP_REFERER are required) returns the whole address, not just the filename. I recommend that you get adventurous and echo it yourself to see what it looks like. You can use parse_url() to get the relevant parts of the URL.

tranquillo
New php-forum User
Posts: 74
Joined: Sun Nov 24, 2002 6:48 pm
Location: katrineholm

Postby tranquillo » Mon Oct 20, 2003 4:18 am

Wouldn't it be better to use

if ($_SERVER['HTTP_REFERER'] != "http://yourdomain.com/lastpage.php")

If you use only 'lastpage.php', couldn't someone name their document 'lastpage.php' and be able to submit data anyway?

sigix
php-forum Active User
Posts: 364
Joined: Mon Jul 14, 2003 9:39 pm
Location: /Earth/Xion

Postby sigix » Mon Oct 20, 2003 5:07 am

It would be wise to check the complete domain name along with the page name.
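As an added example (not code posted by anyone in this thread), here is a referer check that follows swirlee's parse_url() advice and sigix's point about comparing the host as well as the page; the expected host and path, and the sample referers, are constructed for illustration. As the thread notes, the header is supplied by the client and can be absent or spoofed, so the function treats a missing or unparseable value as untrusted rather than as a pass.

```php
<?php
// Added example, not from the forum thread. Assumed values: $expectedHost
// and $expectedPath stand in for the site's own host and form page.

/**
 * Return true only if $referer points at the expected host and path.
 * A missing or unparseable referer is treated as untrusted.
 */
function referer_matches(?string $referer, string $expectedHost, string $expectedPath): bool
{
    if ($referer === null || $referer === '') {
        return false; // browser, proxy or privacy setting stripped the header
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return false; // bare filename or garbage: no host to compare
    }
    // Hostnames are case-insensitive, so compare them that way.
    if (strcasecmp($parts['host'], $expectedHost) !== 0) {
        return false;
    }
    // The path is compared exactly; the query string is ignored by parse_url().
    return $parts['path'] === $expectedPath;
}

// Constructed sample referers showing what is accepted and rejected.
$expectedHost = 'yourdomain.com';   // assumption: the site's own host
$expectedPath = '/lastpage.php';    // assumption: the page that holds the form

$samples = [
    'http://yourdomain.com/lastpage.php',       // accept
    'http://YOURDOMAIN.com/lastpage.php?x=1',   // accept: host case and query ignored
    'http://other.example/lastpage.php',        // reject: same filename, wrong host
    'http://yourdomain.com/evil/lastpage.php',  // reject: wrong path
    'lastpage.php',                             // reject: no host at all
    '',                                         // reject: header absent
];

foreach ($samples as $r) {
    $verdict = referer_matches($r, $expectedHost, $expectedPath) ? 'accept' : 'reject';
    printf("%-45s %s\n", var_export($r, true), $verdict);
}

// In the receiving script the check would be used like this:
// if (!referer_matches($_SERVER['HTTP_REFERER'] ?? null, $expectedHost, $expectedPath)) {
//     die('Form must be submitted from this site.');
// }
```

Because the header is client-controlled, this check only blocks casual off-site form posts; it is not a substitute for a per-session token in the form itself when the data matters.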
