Problem with form mailing script

Posted: Sat Mar 19, 2005 5:18 am
by cripes
On my PHP form-mailing script, I use a simple check to be sure that the form is not being hijacked by a pirate or spammer:

Code:

<?php
// Reject the request unless the Referer header matches this script's own URL.
// A browser or firewall that strips the Referer sends an empty value here, so
// the request is rejected (this is the behaviour complained about below).
$referer  = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$this_url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
if ($referer != $this_url) {
    echo "You do not have permission to use this script from another URL.";
} else {
    // Send the message; recipient, subject and field name are placeholders.
    $body = isset($_POST['message']) ? $_POST['message'] : '';
    mail('you@example.com', 'Form submission', $body);
}
?>
I'm getting complaints that this form won't work for anyone who has installed Norton Firewall or similar products, which hide the referrer.

Is there a workaround here?
Or another way to restrict use of the form script?


feyd | Please review how to post code using [code] and [/code] tags. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)

Posted: Sat Mar 19, 2005 5:27 am
by n00b Saibot
Simply pass a POST var and check for it instead of checking for the referrer, as this thing doesn't always exist and is rather unreliable.

Posted: Sat Mar 19, 2005 6:19 am
by cripes
n00b Saibot wrote: Simply pass a POST var and check for it instead of checking for the referrer, as this thing doesn't always exist and is rather unreliable.
Thanks! - that would be a solution.

But then again, it wouldn't be as robust a check for a malicious user pirating the form, since all they'd have to do is integrate the same POST var. :(

Posted: Sat Mar 19, 2005 6:26 am
by n00b Saibot
Then sessions may be it.

Posted: Sat Mar 19, 2005 7:06 am
by cripes
n00b Saibot wrote: Then sessions may be it.
ah-hah! I hadn't thought of that! :)

What do most people/sites do for this??

Posted: Sat Mar 19, 2005 7:57 am
by n00b Saibot
They keep track of the people through sessions, and when mailing, check for the same session tracking vars. If they exist, go ahead and mail it. If they don't then, hey, buzz off! ;)
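One way to implement the session check n00b Saibot describes, as an added example that is not code from this thread: the script stores a random token in the visitor's session when it renders the form, embeds it in a hidden field, and only mails when the submitted field matches. The recipient address and the field names (form_token, email, message) are assumed placeholders.

```php
<?php
// Added example: session-bound form token. Recipient and field names are placeholders.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Mail only when the submitted token matches the one stored in this visitor's session.
    $sent     = $_POST['form_token']    ?? '';
    $expected = $_SESSION['form_token'] ?? '';

    if ($expected === '' || !hash_equals($expected, $sent)) {
        header('HTTP/1.1 403 Forbidden');
        echo "This form must be submitted from the page that displayed it.";
        exit;
    }

    // Single-use: clear the token so a replayed submission is rejected.
    unset($_SESSION['form_token']);

    $message = $_POST['message'] ?? '';
    // Only a syntactically valid address may reach the mail headers, which also
    // rules out CR/LF header injection through the From field.
    $from    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $headers = $from !== false ? 'From: ' . $from : '';

    mail('you@example.com', 'Form submission', $message, $headers);
    echo "Message sent.";
    exit;
}

// GET: issue a fresh random token, remember it in the session, embed it in the form.
$_SESSION['form_token'] = bin2hex(random_bytes(16));
?>
<form method="post" action="">
  <input type="hidden" name="form_token"
         value="<?php echo htmlspecialchars($_SESSION['form_token']); ?>">
  <input type="email" name="email">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
```

Unlike the Referer check, this works for visitors whose firewall strips headers, and a copy of the form on another site cannot supply a token that exists in the submitter's session on this server.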