Hi there -- I've got what's probably a relatively easy question to answer.
Is there any way I can prevent a PHP document page from processing a form if it is submitted from somewhere other than my own site?
That is to say, if somebody creates their own document on an outside server, and uses action="mydomain.com/myscript.php", how can I detect that from within my script, so I can refuse to process the input?
Thanks,
El Perezoso
Putting limits on form submissions
AFAIK you can't stop forged forms.
But you can make the submitted POST vars safe. If POST vars are to be stored in a database and later echoed out in a browser:
htmlspecialchars(addslashes(trim($_POST['var'])))
If you declare POST vars in foreach loops or with the extract() function you also have to take account of forged submissions by adding a prefix to the var name. If you don't, a forged form can submit a new variable which you weren't expecting from the form and this would overwrite a var in your script if:
(a) you have a (genuine) variable with the same name as the forged POST var
AND
(b) your variable is in the same scope as the foreach / extract lines and was declared prior to these
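Added example, not part of the original posts: the variable overwrite described in the reply above, shown next to the prefix fix it recommends. The function names, the `is_admin` field and the sample array are hypothetical and constructed for illustration; the allow-list variant goes one step beyond the reply by ignoring unexpected fields altogether.

```php
<?php
// Constructed sample input: a forged form adds a field ("is_admin")
// that the genuine form never contains.
$forgedPost = ['name' => ' Alice ', 'is_admin' => '1'];

// Unsafe: extract() defaults to EXTR_OVERWRITE, so a submitted key with
// the same name as an existing variable in this scope replaces it.
function importUnsafe(array $post): bool
{
    $is_admin = false;   // genuine variable, declared before extract()
    extract($post);      // forged 'is_admin' overwrites it
    return (bool) $is_admin;
}

// Prefixed: every imported variable becomes $post_<name>, so it cannot
// collide with variables the script declared itself.
function importPrefixed(array $post): bool
{
    $is_admin = false;
    extract($post, EXTR_PREFIX_ALL, 'post');   // $post_name, $post_is_admin
    return (bool) $is_admin;
}

// Allow-list: read only the fields the real form is known to send,
// and accept only string values.
function importAllowed(array $post, array $expected): array
{
    $clean = [];
    foreach ($expected as $field) {
        $value = $post[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
    }
    return $clean;
}

var_dump(importUnsafe($forgedPost));
var_dump(importPrefixed($forgedPost));
var_dump(importAllowed($forgedPost, ['name']));
```

Run from the command line with `php`, the three dumps show the forged field changing `$is_admin` only in the unprefixed version.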