Forms with PHP...

Junior WebHelper Joined: 29 Jun 2002 Posts: 1

Let's say I'm writing a simple guestbook, or something else which uses a simple form to post information to some sort of database. How do I ensure that the form's information has come from my own form and not somebody else's? In case I haven't made myself clear, here's an example.

There are two pages, form.php and post.php. Obviously, the former contains the HTML form and the latter does something with it. Here in lies the problem I keep coming upon. Say someone else has another page, my_form.php (or HTML or whatever), which sends the same information to post.php. How would I go about ensuring that the desired information came from my form instead of somebody else's? I've considered using getenv("HTTP_REFERER"), but the PHP manual says that this approach isn't trustworthy. I've also considered using sessions, but that seems a bit excessive for something simple as this. Have I overlooked something obvious? Thanks to anyone who takes the time to read this.

Team Member Joined: 06 Jan 2002 Posts: 2564

One thing you'll want to do is make sure all entries come from HTTP_POST_VARS and not HTTP_GET_VARS. Then add the referrer protection. AFAIK that's all you can do...

Posted: Sun Jun 30, 2002 10:31 am (21 years, 9 months ago)

You can still use the method POST from a form on another server though, so does HTTP_POST_VARS contain only variables that come from the same domain?

Team Member Joined: 06 Jan 2002 Posts: 2564

HTTP_POST_VARS contains ALL POST vars, so that's way I said to also use the HTTP_REFERRER check.

Posted: Sun Jun 30, 2002 5:08 pm (21 years, 9 months ago)

sessions and cookies maybe used for this to achieve v. good results.

sessions are better . cookies will be unsafer