RE: [PHP] Form help

2001-03-22 Thread Jon Haworth

You could have a check for the HTTP_REFERER variable, if it doesn't contain
"application.php", chances are they didn't come from that page.

There might be a neater way to do it, but I don't know it :-)

HTH
Jon


-----Original Message-----
From: Good Fella [mailto:[EMAIL PROTECTED]]
Sent: 22 March 2001 14:34
To: [EMAIL PROTECTED]
Subject: [PHP] Form help


Hi All,

I currently have a small problem with my PHP form.  I have made two PHP 
files (application.php and process_application.php).

On submitting the form, you then move to process_application.php.  Any 
errors will force the form NOT to be submitted to me.

However, how do I stop people from accessing process_application.php 
directly?  You can still type in the URL of this address without filling in 
any details.

Although it serves up an error, is there any way I can prevent people from 
getting to this page unless they press "Submit" on the actual form on 
application.php?

Thanks,

SK


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]







Re: [PHP] Form help

2001-03-22 Thread Philip Olson

A common way is to add a check for the pressing of the submit button, so
assuming :

<input type="submit" name="submit" value="submit me!">

  if ( isset($submit) ) {
    // process form
  } else {
    echo 'oh dear, you did not use form.';
  }

I usually use a hidden field instead as at times the submit button can be
"skipped" as the user presses enter vs. clicks the button, not sure what
browsers or setups allow this behavior but some do (maybe someone can
expand on this thought). So, try something like :

<input type="hidden" name="form_submitted" value="1">

  if ( $form_submitted == true ) {

That should do the job.  Also doing an is_array check somewhere in there
works if the form names are an array, like :

<input type="text" name="form[username]">
<input type="text" name="form[password]">

Other considerations apply but if $form is an array then most likely the
user used the form. So :

  if ( is_array($form) ) {


Regards,

Philip Olson
http://www.cornado.com/





RE: [PHP] Form help

2001-03-22 Thread Jon Haworth


> > You could have a check for the HTTP_REFERER variable, if it doesn't
> > contain "application.php", chances are they didn't come from that page.
>
> it's not a good idea to rely on $HTTP_REFERER for anything, and especially
> for this. a referer is only reported when the user follows a hyperlink, so
> in the hypothetical case given there would be no referer.

Isn't that the point? If there's no referer, they didn't come from the first
page, so you send them back there. I could be completely wrong here - is
HTTP_REFERER empty following a form submission, even if it's to a different
page?

> what you need to do is combine your two scripts, which is really a neater
> way of handling forms anyway. point your form action to the same page
> ($PHP_SELF works really well for this, since you can rename the file and
> it will still run properly), and then add the following code to the top
> of your application.php file
>
> if($GLOBALS["REQUEST_METHOD"] == "POST") {
>     include("process_application.php");
>     exit;
> }

This is how I would handle it personally, but then he'd mentioned having two
pages, so..

Cheers
Jon






RE: [PHP] Form help

2001-03-22 Thread Rick St Jean

not all browsers support the referrer or some people use software to block
that, so that method is unreliable... the only way to do this is with a token
that is time sensitive from the database, even then there is no method that
is hackproof.

Rick



##
#  Rick St Jean,
#  [EMAIL PROTECTED]
#  President of Design Shark,
#  http://www.designshark.com/
#  Quick Contact:  http://www.designshark.com/messaging.ihtml
#  Tel: 905-684-2952
##
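
[Added example, not part of the thread or written by any of its posters.] A sketch of the time-limited token described in the message above, with PHP's session standing in for the database as the server-side store. The function names, the `form_token` field name and the 15-minute lifetime are assumptions.

```php
<?php
declare(strict_types=1);

const FORM_TOKEN_TTL = 900; // assumed lifetime: 15 minutes

// application.php calls this while rendering the form and puts the result in
// a hidden field. $store is $_SESSION in a real page, after session_start().
function issue_form_token(array &$store, int $now): string
{
    $token = bin2hex(random_bytes(32)); // unguessable, unlike a fixed "1"
    $store['form_token'] = ['value' => $token, 'expires' => $now + FORM_TOKEN_TTL];
    return $token;
}

// process_application.php calls this before it touches any form data.
function verify_form_token(array &$store, string $method, $submitted, int $now): bool
{
    if ($method !== 'POST' || !is_string($submitted)) {
        return false; // URL typed directly, or a POST without the field
    }
    $issued = $store['form_token'] ?? null;
    unset($store['form_token']); // single use: a replayed POST fails
    return is_array($issued)
        && $now <= $issued['expires']
        && hash_equals($issued['value'], $submitted);
}

// Constructed walk-through; a plain array stands in for $_SESSION.
$session = [];
$t0 = 1000000; // constructed clock value
$token = issue_form_token($session, $t0);
$checks = [
    'direct GET'    => verify_form_token($session, 'GET', null, $t0 + 5),
    'valid POST'    => verify_form_token($session, 'POST', $token, $t0 + 10),
    'replayed POST' => verify_form_token($session, 'POST', $token, $t0 + 11),
];
$late = issue_form_token($session, $t0);
$checks['expired POST'] = verify_form_token($session, 'POST', $late, $t0 + FORM_TOKEN_TTL + 1);

foreach ($checks as $case => $accepted) {
    echo str_pad($case, 14), $accepted ? 'accepted' : 'rejected', "\n";
}
```

In the two real pages the calls would be `issue_form_token($_SESSION, time())` and `verify_form_token($_SESSION, $_SERVER['REQUEST_METHOD'], $_POST['form_token'] ?? null, time())`, with a failed check followed by a redirect to application.php and `exit`. The token only shows that this session was served the form recently, so process_application.php still has to validate every field.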






Re: [PHP] Form help

2001-03-22 Thread darion mapp

why don't you check to see if a variable was passed to the page. If you use the post 
method then a hidden field can be used to check that the user did come from the 
application page.

a sample of the check will be

if(!$var_from_previous_page)
{
    header("Location: application.php");
    exit; // stop here, otherwise the rest of the script still runs after the redirect header
}
