On Friday 13 August 2004 02:57 pm, Gerard Samuel wrote:
> I've read (at least on 2 occasions) that one can secure their forms, to
> ensure that the form came from the site, and not via a script kiddie.
> Not the method where one puts a graphic of random text to copy to the
> form, but via a hidden field.
> It has to do with having a hidden field of data, that must match some
> data, when the form is posted.
> I've been mulling over this for some time to figure out how it's
> possible, (as I haven't seen a live example of it).
> Could anyone point me to an example to how this can be done, (if it's
> even possible)???
> Thanks for your input...

I think you're looking for something like this, but be warned things like 
HTTP_REFERER are/can be set by the client so you can't really trust this too 
much.

if ($_SERVER['HTTP_REFERER'] != 'http://domain.com/I/AM/EXPECTING/script.php') 
{
        echo ("Dang Script Kiddie Go Away!");
        exit;
}

Probably better is to include, like you said, a hidden variable on the page 
that would be very hard to guess in the form before presenting it to the user 
and also save it in a database or somewhere. Then when the user submits the 
form check your database for the existence of the super hard to guess value. 
If it exists in the DB, delete it and let the user go about her business. If 
it doesn't then:
{
        echo ("Dang Script Kiddie Go Away!");
        exit;
}


James

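The hidden-field approach described in the reply above, as an added example that is not code from the original message. It assumes the tokens are kept in a per-user server-side store such as $_SESSION rather than a database (the reply leaves that open), and uses a plain PHP array in place of the session so it runs from the command line:

```php
<?php
// Added example, not from the original mailing-list post.
// Assumption: a per-user server-side store (normally $_SESSION) holds the
// issued tokens; a plain array stands in for it here.

// Issue a fresh, unguessable token and remember it server-side.
function issue_form_token(array &$store): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not rand()
    $store[$token] = time();              // issue time, used for expiry below
    return $token;
}

// The hidden field that goes into the form before it is shown to the user.
function hidden_token_field(string $token): string
{
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Check and consume a submitted token: only a token we issued, to this user,
// that has not been used yet and is not stale is accepted. The entry is
// deleted on every lookup so a token can never be replayed.
function consume_form_token(array &$store, ?string $submitted, int $maxAge = 3600): bool
{
    if ($submitted === null || !isset($store[$submitted])) {
        return false;                     // missing, forged or already-used token
    }
    $issued = $store[$submitted];
    unset($store[$submitted]);            // single use, even if it turns out stale
    return (time() - $issued) <= $maxAge;
}

// --- Constructed walk-through of the flow the reply describes ---
$store = [];                              // would be $_SESSION['form_tokens'] in practice

// 1. Rendering the form: issue a token and embed it as the hidden field.
$token = issue_form_token($store);
echo hidden_token_field($token), "\n";

// 2. The genuine submission carries the token back (simulated $_POST).
$post = ['form_token' => $token];
echo consume_form_token($store, $post['form_token'] ?? null) ? "accepted\n" : "rejected\n";

// 3. The same token submitted a second time is a replay and is refused.
echo consume_form_token($store, $post['form_token'] ?? null) ? "accepted\n" : "rejected\n";

// 4. A request that never loaded the form has no valid token to send.
echo consume_form_token($store, 'guessed-value') ? "accepted\n" : "rejected\n";
```

Because the store is per user, a token issued in one session is worthless in another, which is what makes this stronger than the referer check.
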
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
