
$_POST PROBLEM

Posted: Wed Aug 02, 2006 5:15 am
by siong1987
May I know whether there is any pre-defined $_POST variable that can help us verify where the $_POST variables are sent from?

Thank you.

Posted: Wed Aug 02, 2006 5:27 am
by volka
$_SERVER['REMOTE_ADDR'] holds the IP address of the requesting client.
$_SERVER['HTTP_REFERER'] contains whatever the client is claiming to be the referring URL.
But that's probably not what you're looking for.
Please elaborate.

Posted: Wed Aug 02, 2006 5:34 am
by Ollie Saunders
You cannot reliably ascertain the origin of any request data (POST or GET).

You can add:

Code:

<input type="hidden" name="origin" id="origin" value="add record form" />

and then do this:

Code:

if ($_POST['origin'] == 'add record form')

BUT, before you go running off. Remember any of this data can be tampered with. Someone could very easily spoof the value of origin to whatever they wanted. In that way POST is no better than GET, only you have to go to a bit more effort to do it, and fewer people know about it; still really simple though.

Posted: Wed Aug 02, 2006 8:24 am
by jmut
ole wrote: You cannot reliably ascertain the origin of any request data (POST or GET).

You can add:

Code:

<input type="hidden" name="origin" id="origin" value="add record form" />

and then do this:

Code:

if ($_POST['origin'] == 'add record form')

BUT, before you go running off. Remember any of this data can be tampered with. Someone could very easily spoof the value of origin to whatever they wanted. In that way POST is no better than GET, only you have to go to a bit more effort to do it, and fewer people know about it; still really simple though.

In addition to this....

You should not really be concerned where data comes from. You just need to validate it properly and use it accordingly.

Posted: Wed Aug 02, 2006 8:57 am
by RobertGonzalez
If it is really a concern, and you happen to use database driven content, you can always store in your database what the calling page was based on the page you are on. I do this on a couple of sites, so I always know the page the user is on and the page they came from (within my site).

Posted: Wed Aug 02, 2006 9:03 am
by Ollie Saunders
Everah wrote: If it is really a concern, and you happen to use database driven content, you can always store in your database what the calling page was based on the page you are on. I do this on a couple of sites, so I always know the page the user is on and the page they came from (within my site).
You may find it easier to use sessions.
jmut wrote: You should not really be concerned where data comes from. You just need to validate it properly and use it accordingly.
Well said.
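
Added example, not part of the thread and not any poster's code: one way to combine the session suggestion with the validation advice above, where a random token kept in the default PHP session replaces the fixed `origin` value. The field names `token` and `title`, the form key `add_record` and the 100-character limit are assumptions made for illustration.

```php
<?php
// Added example: single-file form handler. The names 'token', 'title' and
// 'add_record' are assumptions, not taken from the thread.
session_start();

/** Create a random token for one form and remember it server-side. */
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form] = $token;
    return $token;
}

/** True only if the submitted token matches the one issued for this form. */
function check_form_token(string $form, $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]); // single use
    return is_string($expected)
        && is_string($submitted)
        && hash_equals($expected, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token('add_record', $_POST['token'] ?? null)) {
        http_response_code(400);
        exit('Form token missing or stale; reload the form and try again.');
    }
    // The token only shows that this client loaded our form in this session.
    // The submitted fields are still untrusted and must be validated.
    $title = $_POST['title'] ?? '';
    $title = is_string($title) ? trim($title) : '';
    if ($title === '' || strlen($title) > 100) {
        http_response_code(422);
        exit('Title must be 1-100 characters.');
    }
    exit('Record accepted: ' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8'));
}

$token = issue_form_token('add_record');
?>
<form method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>" />
  <input type="text" name="title" maxlength="100" />
  <input type="submit" value="Add record" />
</form>
```

Unlike the fixed `origin` string, the token cannot be guessed by a client that never received the form in its own session, but every submitted field still goes through validation.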

Posted: Wed Aug 02, 2006 9:05 am
by RobertGonzalez
ole wrote:
Everah wrote: If it is really a concern, and you happen to use database driven content, you can always store in your database what the calling page was based on the page you are on. I do this on a couple of sites, so I always know the page the user is on and the page they came from (within my site).
You may find it easier to use sessions.
I do. I database my sessions with my own session code. Page trails are maintained in my sessions table.

Posted: Wed Aug 02, 2006 9:22 am
by Ollie Saunders
Well of course you would Everah, you are a 1337 4aXX0r, but siong1987 may just use the bog standard default session handling and find that sufficient for his requirements.

Posted: Wed Aug 02, 2006 9:30 am
by RobertGonzalez
Doh! Now I get who you were talking to. I think.

And what in the name of all that is good about pizza is 1337 4aXX0r?!?!?!? I feel so clueless.

Posted: Wed Aug 02, 2006 9:34 am
by feyd
1337 4aXX0r > leet haxxor > elite hacker

but that's off topic.