RE: [PHP] Form help
You could have a check for the HTTP_REFERER variable, if it doesn't contain "application.php", chances are they didn't come from that page.

There might be a neater way to do it, but I don't know it :-)

HTH
Jon

-----Original Message-----
From: Good Fella [mailto:[EMAIL PROTECTED]]
Sent: 22 March 2001 14:34
To: [EMAIL PROTECTED]
Subject: [PHP] Form help

Hi All,

I currently have a small problem with my PHP form. I have made two PHP files (application.php and process_application.php). On submitting the form, you then move to process_application.php. Any errors will force the form NOT to be submitted to me.

However, how do I stop people from accessing process_application.php directly? You can still type in the URL of this address without filling in any details. Although it serves up an error, is there any way I can prevent people from getting to this page unless they press "Submit" on the actual form on application.php?

Thanks,
SK

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Form help
A common way is to add a check for the pressing of the submit button, so assuming:

    <input type="submit" name="submit" value="submit me!">

    if ( isset($submit) ) {
        // process form
    } else {
        echo 'oh dear, you did not use form.';
    }

I usually use a hidden field instead as at times the submit button can be "skipped" as the user presses enter vs. clicks the button, not sure what browsers or setups allow this behavior but some do (maybe someone can expand on this thought). So, try something like:

    <input type="hidden" name="form_submitted" value="1">

    if ( $form_submitted == true ) {
        // process form
    }

That should do the job. Also doing an is_array check somewhere in there works if the form names are an array, like:

    <input type="text" name="form[username]">
    <input type="text" name="form[password]">

Other considerations apply but if $form is an array then most likely the user used the form. So:

    if ( is_array($form) ) {
        // process form
    }

Regards,
Philip Olson
http://www.cornado.com/

On Thu, 22 Mar 2001, Good Fella wrote:
> Hi All,
>
> I currently have a small problem with my PHP form. I have made two PHP files (application.php and process_application.php). On submitting the form, you then move to process_application.php. Any errors will force the form NOT to be submitted to me.
>
> However, how do I stop people from accessing process_application.php directly? You can still type in the URL of this address without filling in any details. Although it serves up an error, is there any way I can prevent people from getting to this page unless they press "Submit" on the actual form on application.php?
>
> Thanks,
> SK
RE: [PHP] Form help
> > You could have a check for the HTTP_REFERER variable, if it doesn't contain "application.php", chances are they didn't come from that page.
>
> it's not a good idea to rely on $HTTP_REFERER for anything, and especially for this. a referer is only reported when the user follows a hyperlink, so in the hypothetical case given there would be no referer.

Isn't that the point? If there's no referer, they didn't come from the first page, so you send them back there. I could be completely wrong here - is HTTP_REFERER empty following a form submission, even if it's to a different page?

> what you need to do is combine your two scripts, which is really a neater way of handling forms anyway. point your form action to the same page ($PHP_SELF works really well for this, since you can rename the file and it will still run properly), and then add the following code to the top of your application.php file
>
>     if($GLOBALS["REQUEST_METHOD"] == "POST") {
>         include("process_application.php");
>         exit;
>     }

This is how I would handle it personally, but then he'd mentioned having two pages, so..

Cheers
Jon
RE: [PHP] Form help
not all browsers support the referrer or some people use software to block that, so that method is unreliable... the only way to do this is with a token. that is time sensitive from the database, even then there is no method that is hackproof.

Rick

At 03:41 PM 3/22/01 +, Jon Haworth wrote:
> > > You could have a check for the HTTP_REFERER variable, if it doesn't contain "application.php", chances are they didn't come from that page.
> >
> > it's not a good idea to rely on $HTTP_REFERER for anything, and especially for this. a referer is only reported when the user follows a hyperlink, so in the hypothetical case given there would be no referer.
>
> Isn't that the point? If there's no referer, they didn't come from the first page, so you send them back there. I could be completely wrong here - is HTTP_REFERER empty following a form submission, even if it's to a different page?
>
> > what you need to do is combine your two scripts, which is really a neater way of handling forms anyway. point your form action to the same page ($PHP_SELF works really well for this, since you can rename the file and it will still run properly), and then add the following code to the top of your application.php file
> >
> >     if($GLOBALS["REQUEST_METHOD"] == "POST") {
> >         include("process_application.php");
> >         exit;
> >     }
>
> This is how I would handle it personally, but then he'd mentioned having two pages, so..
>
> Cheers
> Jon

##
# Rick St Jean,
# [EMAIL PROTECTED]
# President of Design Shark,
# http://www.designshark.com/
# Quick Contact: http://www.designshark.com/messaging.ihtml
# Tel: 905-684-2952
##
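The time-limited token mentioned in the message above, sketched as an added example that is not code from any poster in this thread. It swaps the database lookup for an HMAC signature so that process_application.php can check the token without stored state; FORM_SECRET, TOKEN_TTL and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. FORM_SECRET and the function
// names are hypothetical; load the real secret from configuration.
const FORM_SECRET = 'constructed-demo-secret-change-me';
const TOKEN_TTL   = 900; // seconds a rendered form stays valid

// application.php: put the returned string in a hidden field of the form.
function issue_form_token(string $formId, ?int $now = null): string
{
    $issued = $now ?? time();
    $nonce  = bin2hex(random_bytes(8));
    $mac    = hash_hmac('sha256', "$formId|$issued|$nonce", FORM_SECRET);
    return "$issued.$nonce.$mac";
}

// process_application.php: call this before reading any submitted field.
function verify_form_token(string $formId, string $token, ?int $now = null): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;                       // not in issued.nonce.mac shape
    }
    [$issued, $nonce, $mac] = $parts;
    if (!ctype_digit($issued)) {
        return false;
    }
    $expected = hash_hmac('sha256', "$formId|$issued|$nonce", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return false;                       // forged or altered token
    }
    $age = ($now ?? time()) - (int) $issued;
    return $age >= 0 && $age <= TOKEN_TTL;  // reject expired or future-dated
}

// Constructed walk-through of the cases raised in the thread.
$t0    = 1700000000;                        // constructed timestamp
$token = issue_form_token('application', $t0);
var_dump(verify_form_token('application', $token, $t0 + 60));   // true: form was rendered
var_dump(verify_form_token('application', '1', $t0 + 60));      // false: guessed hidden value
var_dump(verify_form_token('application', $token, $t0 + 3600)); // false: token expired
var_dump(verify_form_token('application', $token . '0', $t0));  // false: MAC altered
```

A valid token only shows that application.php was rendered within the last TOKEN_TTL seconds; anyone can load the form to obtain one and reuse it until it expires, so process_application.php still has to validate every submitted field.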
Re: [PHP] Form help
why don't you check to see if a variable was passed to the page. If you use the post method then a hidden field can be used to check that the user did come from the application page. a sample of the check will be

    if(!$var_from_previous_page) {
        header("location: application.php");
        exit; // stop here: header() alone does not end the script
    }

--

On Thu, 22 Mar 2001 14:34:21 Good Fella wrote:
> Hi All,
>
> I currently have a small problem with my PHP form. I have made two PHP files (application.php and process_application.php). On submitting the form, you then move to process_application.php. Any errors will force the form NOT to be submitted to me.
>
> However, how do I stop people from accessing process_application.php directly? You can still type in the URL of this address without filling in any details. Although it serves up an error, is there any way I can prevent people from getting to this page unless they press "Submit" on the actual form on application.php?
>
> Thanks,
> SK