4WebHelp
 FAQ  •  Search  •  User Groups  •  Forum Admins  •  Smilies List  •  Statistics  •  Rules   •  Login   •  Register
Toggle Navigation Menu

 Forms with PHP...
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic
Author Message
lantern
Junior WebHelper
Junior WebHelper


Joined: 29 Jun 2002
Posts: 1

PostPosted: Sat Jun 29, 2002 7:36 pm (15 years, 3 months ago) Reply with QuoteBack to Top

Let's say I'm writing a simple guestbook, or something else which uses a simple form to post information to some sort of database. How do I ensure that the form's information has come from my own form and not somebody else's? In case I haven't made myself clear, here's an example.

There are two pages, form.php and post.php. Obviously, the former contains the HTML form and the latter does something with it. Here in lies the problem I keep coming upon. Say someone else has another page, my_form.php (or HTML or whatever), which sends the same information to post.php. How would I go about ensuring that the desired information came from my form instead of somebody else's? I've considered using getenv("HTTP_REFERER"), but the PHP manual says that this approach isn't trustworthy. I've also considered using sessions, but that seems a bit excessive for something simple as this. Have I overlooked something obvious? Thanks to anyone who takes the time to read this.
OfflineView User's ProfileFind all posts by lanternSend Personal MessageVisit Poster's Website
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Sun Jun 30, 2002 8:41 am (15 years, 3 months ago) Reply with QuoteBack to Top

One thing you'll want to do is make sure all entries come from HTTP_POST_VARS and not HTTP_GET_VARS. Then add the referrer protection. AFAIK that's all you can do...

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
Darren
Team Member



Joined: 05 Feb 2002
Posts: 549
Location: London

PostPosted: Sun Jun 30, 2002 10:31 am (15 years, 3 months ago) Reply with QuoteBack to Top

You can still use the method POST from a form on another server though, so does HTTP_POST_VARS contain only variables that come from the same domain?
OfflineView User's ProfileFind all posts by DarrenSend Personal MessageVisit Poster's Website
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Sun Jun 30, 2002 10:37 am (15 years, 3 months ago) Reply with QuoteBack to Top

HTTP_POST_VARS contains ALL POST vars, so that's way I said to also use the HTTP_REFERRER check.

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
jayant
Team Member



Joined: 07 Jan 2002
Posts: 262
Location: New Delhi, India

PostPosted: Sun Jun 30, 2002 5:08 pm (15 years, 3 months ago) Reply with QuoteBack to Top

sessions and cookies maybe used for this to achieve v. good results.

sessions are better . cookies will be unsafer

________________________________
Jayant Kumar
Member of the 4WebHelp Team
Nibble Guru - Computing Queries Demystified
GZip/ Page Compression Test
OfflineView User's ProfileFind all posts by jayantSend Personal MessageVisit Poster's WebsiteYahoo MessengerMSN Messenger
Display posts from previous:      
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic


 Jump to:   




You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot edit your posts in this forum.
You cannot delete your posts in this forum.
You cannot vote in polls in this forum.


Page generation time: 0.066658 seconds :: 17 queries executed :: All Times are GMT
Powered by phpBB 2.0 © 2001, 2002 phpBB Group :: Based on an FI Theme