How do I Secure my url with php with out sessions?

cap2cap10
Forum Contributor
Posts: 158
Joined: Mon Apr 14, 2008 11:06 pm

How do I Secure my url with php with out sessions?

Post by cap2cap10 »

Greetings php technorati,

I want users to be directed to a certain form after they pay for services through a third party website, on my site.
How would I block someone from just saving the form.php, which would allow a different user to register themselves to my members area? Remember this is the registration form; the user has not been assigned a user ID or any information. How would I make sure that the person using that form.php came from the third party payment site?

With or without starting a session?

Can I use sessions to verify the site the user just came from or is there another way?


Please enlighten me!

Batoe
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Re: How do I Secure my url with php with out sessions?

Post by shiznatix »

Check the referrer in the $_SERVER superglobal. If it is from the referring site that you want to allow registration from, process the information. Otherwise die() with some witty error message. If you need help with that message, the people on these boards just may be able to help you. I would do something like display goatse or whatever but that may be just too mean for some people.

As for the PHP stuff, check out what you get when you do this:

Code:

echo '<pre>';
print_r($_SERVER);
echo '</pre>';

Find the referrer thing and use that to your advantage.
koen.h
Forum Contributor
Posts: 268
Joined: Sat May 03, 2008 8:43 am

Re: How do I Secure my url with php with out sessions?

Post by koen.h »

shiznatix wrote:
> Check the referrer in the $_SERVER superglobal. If it is from the referring site that you want to allow registration from, process the information. Otherwise die() with some witty error message. If you need help with that message, the people on these boards just may be able to help you. I would do something like display goatse or whatever but that may be just too mean for some people.
>
> As for the PHP stuff, check out what you get when you do this:
>
> echo '<pre>';
> print_r($_SERVER);
> echo '</pre>';
>
> Find the referrer thing and use that to your advantage.

The referrer can be manipulated. So it's not 100% secure.
cap2cap10
Forum Contributor
Posts: 158
Joined: Mon Apr 14, 2008 11:06 pm

Re: How do I Secure my url with php with out sessions?

Post by cap2cap10 »

How about this nifty little function:

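Code:

<?php
// A function call is not allowed as a default parameter value,
// so the Referer header is read inside the function instead.
function check_previous($foobar = null)
{
    if ($foobar === null) {
        $foobar = getenv('HTTP_REFERER');
    }

    if ($foobar != 'www.2checkout.com/checkout/...') {
        // Redirect and stop, so the rest of the page does not run.
        header('Location: http://www.myhomepage.php');
        exit;
    }
}

check_previous();
?>

Will this work?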

This should certify that the user came from my third party credit card validation site, right or wrong? If I place this at the top of the code, this should automatically redirect them to my homepage, right?

Please enlighten this novice

Batoe
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: How do I Secure my url with php with out sessions?

Post by matthijs »

HTTP_REFERER can be manipulated. You can't use that to verify where the user came from. Almost anything in the HTTP_* group can contain user input.
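
An added example, not part of the thread and not any payment provider's API: because the Referer header is supplied by the client, a session-free alternative is a signed, expiring token on the return URL that form.php verifies with a server-side secret. The secret, token format, URL and order id below are assumptions, as is the premise that the payment side (or your own payment-notification handler) can attach such a token.

```php
<?php
// Added example; secret, token format, URL and order id are assumptions.
const RETURN_SECRET = 'constructed-demo-secret';   // constructed value, keep real ones out of code

// Trusted side (payment callback): sign "order id | expiry" for the return URL.
// Assumes order ids contain neither '.' nor '|'.
function make_return_token(string $orderId, int $expires, string $secret): string
{
    $mac = hash_hmac('sha256', $orderId . '|' . $expires, $secret);
    return $orderId . '.' . $expires . '.' . $mac;
}

// form.php side: returns the order id if the token is genuine and fresh, else null.
function verify_return_token(string $token, string $secret, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;                               // malformed token
    }
    [$orderId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $orderId . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {           // constant-time comparison
        return null;                               // altered or made-up token
    }
    return ((int) $expires >= $now) ? $orderId : null;   // reject expired links
}

// The Referer comparison discussed in the thread, for contrast.
function referer_check(array $server): bool
{
    return ($server['HTTP_REFERER'] ?? '') === 'https://payments.example/checkout';
}

$now   = time();
$token = make_return_token('ORDER-1001', $now + 900, RETURN_SECRET);

// Constructed inputs: a request carrying only a client-set header, a genuine
// token, a token with a made-up signature, and the genuine token an hour later.
$results = [
    'referer header only' => referer_check(['HTTP_REFERER' => 'https://payments.example/checkout']),
    'genuine token'       => verify_return_token($token, RETURN_SECRET, $now),
    'made-up signature'   => verify_return_token('ORDER-1001.' . ($now + 900) . '.' . str_repeat('0', 64), RETURN_SECRET, $now),
    'expired token'       => verify_return_token($token, RETURN_SECRET, $now + 3600),
];
var_dump($results);
```

A signed link can still be passed on until it expires, so mark the order id as used in your database once registration completes.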