lantern
Junior WebHelper
Joined: 29 Jun 2002
Posts: 1
Posted: Sat Jun 29, 2002 7:36 pm
Let's say I'm writing a simple guestbook, or something else which uses a simple form to post information to some sort of database. How do I ensure that the form's information has come from my own form and not somebody else's? In case I haven't made myself clear, here's an example.
There are two pages, form.php and post.php. Obviously, the former contains the HTML form and the latter does something with it. Herein lies the problem I keep coming upon. Say someone else has another page, my_form.php (or HTML or whatever), which sends the same information to post.php. How would I go about ensuring that the desired information came from my form instead of somebody else's? I've considered using getenv("HTTP_REFERER"), but the PHP manual says that this approach isn't trustworthy. I've also considered using sessions, but that seems a bit excessive for something as simple as this. Have I overlooked something obvious? Thanks to anyone who takes the time to read this.
Daniel
Team Member
Joined: 06 Jan 2002
Posts: 2564
Posted: Sun Jun 30, 2002 8:41 am
One thing you'll want to do is make sure all entries come from HTTP_POST_VARS and not HTTP_GET_VARS. Then add the referrer protection. AFAIK that's all you can do...
Darren
Team Member
Joined: 05 Feb 2002
Posts: 549
Location: London
Posted: Sun Jun 30, 2002 10:31 am
You can still use the method POST from a form on another server though, so does HTTP_POST_VARS contain only variables that come from the same domain?
Daniel
Team Member
Joined: 06 Jan 2002
Posts: 2564
Posted: Sun Jun 30, 2002 10:37 am
HTTP_POST_VARS contains ALL POST vars, so that's why I said to also use the HTTP_REFERRER check.
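The sessions idea the original poster dismissed is the mechanism that actually answers the question: a foreign page such as my_form.php can replay the same POST fields, but it cannot read a random token stored in the visitor's server-side session. The following is an added example, not code from this thread; it assumes modern PHP (7+, so `$_POST` rather than `HTTP_POST_VARS`) and that both form.php and post.php include this file.

```php
<?php
// Added example: bind each form to the visitor's session with a one-time
// random token, and have post.php refuse submissions that don't carry it.
session_start();

// form.php side: mint a token, remember it server-side, embed it in the form.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits of CSPRNG output
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

// post.php side: accept only POST, and only with the token this session issued.
function verify_form_token(array $post, int $max_age = 1800): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                             // GET (or anything else) is not our form
    }
    $expected = $_SESSION['form_token'] ?? null;
    $issued   = $_SESSION['form_token_issued'] ?? 0;
    $given    = $post['form_token'] ?? '';
    // Single use: discard the token before comparing, so a replay fails.
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);
    if ($expected === null || !is_string($given) || $given === '') {
        return false;
    }
    if (time() - $issued > $max_age) {
        return false;                             // stale form, ask the user to reload
    }
    return hash_equals($expected, $given);        // constant-time comparison
}

// --- form.php ---
// $token = issue_form_token();
// echo '<form method="post" action="post.php">';
// echo '<input type="hidden" name="form_token" value="'
//    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
// ... the guestbook fields ...

// --- post.php ---
// if (!verify_form_token($_POST)) {
//     http_response_code(403);
//     exit('Form token missing or invalid.');
// }
// ... write the entry to the database ...
```

Because the token lives in the session cookie's server-side record rather than in the request itself, the Referer header (which the manual rightly calls untrustworthy, since the client chooses whether and what to send) is no longer needed to tell your form's submissions from someone else's.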
jayant
Team Member
Joined: 07 Jan 2002
Posts: 262
Location: New Delhi, India
Posted: Sun Jun 30, 2002 5:08 pm