You cannot be 100% certain that any server served the form when you receive
the form data, from information in the request itself.  The HTTP protocol
does not support that kind of thing; what you're wanting is the referrer, not
the request_uri, and yes indeed it can be faked, that's the problem.

The best way is to validate that the data is 100% OK and not care what form it
came from.  Or use some form of user authentication or session system, etc.;
it depends on your situation.

Dave
----- Original Message -----
From: "Günter Knauf" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 24, 2002 6:49 AM
Subject: Re: stupid question?


> Hi Thomas,
> >> are the server-side vars generated by the server or only echoed vars
> >> which were provided by the browser??
> >> especially REQUEST_URI is of interest for me for security purposes in
> >> scripts, so is it generated by Apache itself or can it be faked by the
> >> client?
>
> > In 1.3 it looks like it's set from the original request, but to be able
> > to fake it they can't call your script (right?)
> e.g. I have a perl mailscript which should only accept form data from a
> form which was served by my host, so I want to check in the script if
> REQUEST_URI is from my own host or probably comes from a locally stored and
> modified form...
> so any other ideas what I can check to be 100% sure that the form was
> served by my server?
>
> Guenter.
>
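Dave's advice above (validate the data itself and bind the submission to a session, rather than trusting REQUEST_URI or the referrer), as an added example that is not part of the original thread. The field definitions, the session id, the secret and the two sample submissions are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed secret; in a real deployment it lives only on the server.
SERVER_SECRET = b"constructed-secret-change-me"

# Constructed form definition for a mail script: field name -> (max length, pattern).
FIELDS = {
    "email":   (254, re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    "subject": (120, re.compile(r"^[^\r\n]*$")),   # no CR/LF: nothing may reach mail headers
    "body":    (4000, re.compile(r"^[\s\S]*$")),
}

def issue_form_token(session_id: str) -> str:
    """Token the server embeds in the form it serves, bound to the visitor's session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def validate_submission(form: dict, session_id: str) -> list:
    """Return a list of problems; an empty list means the submission is acceptable.
    REQUEST_URI and HTTP_REFERER are deliberately not consulted: both are client-supplied."""
    problems = []
    # 1. Session binding: a locally saved, modified copy of the form carries no valid token.
    expected = issue_form_token(session_id)
    if not hmac.compare_digest(form.get("form_token", ""), expected):
        problems.append("form_token missing or not issued for this session")
    # 2. Validate the data on its own merits, whatever form it came from.
    for name, (max_len, pattern) in FIELDS.items():
        value = form.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif len(value) > max_len:
            problems.append(f"{name}: longer than {max_len}")
        elif not pattern.match(value):
            problems.append(f"{name}: malformed")
    for name in sorted(set(form) - set(FIELDS) - {"form_token"}):
        problems.append(f"{name}: unexpected field")
    return problems

if __name__ == "__main__":
    sid = "session-abc123"  # constructed session id
    good = {"form_token": issue_form_token(sid), "email": "a@example.org",
            "subject": "hello", "body": "hi"}
    # Constructed: a modified copy of the form with a bogus token and CRLF in the address.
    modified = dict(good, form_token="0" * 64, email="a@example.org\r\nBcc: x@example.net")
    print(validate_submission(good, sid))      # []
    print(validate_submission(modified, sid))  # token problem and "email: malformed"
```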