Hello.
I always wanted to ask this...
HOW CAN I BE SURE that the values were submitted from the proper FORM/PAGE???
What I mean:
Let's say that I want to use a form that submits info to the same page...
Long answer: You can check that the HTTP_REFERER variable refers to the script that you're expecting the input to come from, but it's not very reliable. Browsers don't have to pass it, so someone can be a legitimate user and still have an empty referer. Also, if someone is especially determined they can fake the referer. It's barely worth the effort of checking it.
Another approach is to add a hidden variable to the form with a random value, and store the same value in the user's session when the form is sent to the user. If the input comes back without the right value you can ignore the form. That approach relies on using sessions, though; if your site doesn't use them, then it won't work.
Whatever the case, never trust the incoming data. Always validate it.
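The hidden-token approach described in the answer above, written out in PHP as an added example (not code from any poster in this thread). It assumes sessions are already in use, that the form posts back to the same script, and a PHP version with `random_bytes()` and `hash_equals()` (7.0 or later):

```php
<?php
// Added example: per-session random token in a hidden form field (not from the thread).
// Assumes sessions are in use and the form posts back to this same script.
session_start();

// Issue a fresh random token and remember it in the session when rendering the form.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Compare the submitted token with the stored one in constant time. The stored
// token is cleared on every check, so each token is single-use and a replayed
// submission is rejected.
function form_token_is_valid(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!form_token_is_valid($_POST['token'] ?? null)) {
        // Token missing or wrong: this is the "ignore the form" case from the answer.
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // The token matched, but the data itself still has to be validated.
    $comment = trim((string)($_POST['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 1000) {
        exit('Invalid comment.');
    }
    echo 'Received: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with a new token embedded in a hidden field.
$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
</form>
```

Because the token lives in the session rather than in the request, a page that never received the form cannot produce a matching value, which is the property the referer check in the answer cannot guarantee.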
Thanks both.
Of course ALL user input MUST BE VALIDATED...
But I asked this because I plan, each time that this kind of EXTRA PROTECTION fails,
to...
1st) Log OUT the USER (since in my case ONLY registered users can POST info)
2nd) Temp-ban the IP
3rd) E-mail the security ADMIN that something went wrong...
4th) Can you think of something more???
I'm planning this for MORE extra security... AND TO DELAY THE ATTACKER!!!
Now what about in PHP 6? They've added a GOTO and COMEFROM statement (which I know from Pascal... oh joy), but will that work cross-page? Does anyone know?