Better (though still theoretically spoofable) would be to include a random number/string in a hidden field, store that number in the session, and check to see that the number returned in the form is the same as what is expected for that session. It's theoretically possible that someone could hijack the session and return a forged page with the correct id, but it still ought to be better than $HTTP_REFERER which can be easily spoofed once the 'attacker' knows what is expected to be returned.
I've used a variant on this theme to provide a reasonably secure login to a web application without using SSL. Store passwords as md5 hashes in the db. Send a random number along with the login form. md5 the user's password client-side, then hash that + the number and return that as the password variable (no plaintext password over the network). On the server side, md5 the hashed password from the database + the random number stored in the session. Compare this value with the returned value, and if they match you've got a successful login.

- Theo

-----Original Message-----
From: André Pasold [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 04, 2002 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: checking if is FORM is POSTED

The variable $HTTP_REFERER will tell you the origin of the request. So you can check it with:

    if (EREG('xxx.php$', $HTTP_REFERER)) { // only look at the file name
        // process data
    }

------ or -------

    // a referer always carries the scheme, so compare against the full URL
    if ($HTTP_REFERER == 'http://www.yyy.com/path/xxx.php') { // look at the entire url
        // process data
    }

*** where xxx.php is the url of the form source

Hope it can help you in some way.

"Matt Babineau" <[EMAIL PROTECTED]> wrote in message news:000d01c29af0$77e6d400$0210a8c0@webdevx...
> What is the best way to check if a form is posted so people can't post
> to my forms? I want to make sure that the post is coming from the right
> page and that it is indeed a post operation.
>
> Thx,
> Matt
>

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
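Both of Theo's mechanisms, the per-session hidden-field token and the md5 challenge-response login, as an added example in Python rather than the thread's PHP (this is not code from the list; a plain dict stands in for $_SESSION and the password "hunter2" is constructed):

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- hidden-field token: mint per session, check on POST ---
def issue_form_token(session: dict) -> str:
    """Server side: random token goes into the session and into the form's hidden field."""
    token = secrets.token_hex(16)
    session["form_token"] = token
    return token


def form_token_ok(session: dict, posted_token) -> bool:
    """Accept the POST only if the hidden field matches what this session was issued.
    The token is popped so the same form submission cannot be replayed."""
    expected = session.pop("form_token", None)
    if expected is None or not isinstance(posted_token, str):
        return False
    return secrets.compare_digest(expected, posted_token)


# --- challenge-response login: md5(md5(password) + nonce) ---
def issue_login_challenge(session: dict) -> str:
    """Server side: the random number sent along with the login form."""
    nonce = secrets.token_hex(16)
    session["login_nonce"] = nonce
    return nonce


def client_login_response(password: str, nonce: str) -> str:
    """Browser side: hash the password, then hash that together with the nonce."""
    return md5_hex(md5_hex(password) + nonce)


def login_ok(session: dict, stored_hash: str, response) -> bool:
    """Server side: recompute from the stored md5 and the session's nonce.
    Note the stored md5 is all a client needs to answer, so that db column
    is password-equivalent and must be protected as such."""
    nonce = session.pop("login_nonce", None)
    if nonce is None or not isinstance(response, str):
        return False
    return secrets.compare_digest(md5_hex(stored_hash + nonce), response)
```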