galexcd Posted April 7, 2006

Hi, how do I check if the variable is coming from the same server as the page? Example: let's say I have a login... the page it submits to says something like this:

    $user=$_POST['user'];
    $pass=$_POST['pass'];

How do I make sure that somebody didn't make their own form on their computer, or something, to submit the info to my site? I only want submissions from MY site... not somebody else... Thanks!!

Tyssen Posted April 7, 2006

You could use one of PHP's reserved variables - http://au.php.net/reserved.variables - to make sure the script has been submitted from your site.

galexcd Posted April 7, 2006

Not to be annoying or anything, but I'm a little new to PHP. Could you give me an example? Thanks!

Saint_Michael Posted April 7, 2006

Well, you can make your own forms in PHP that will be directed from your site to your email. What I suggest is go to pixel2life.com to read up on some of those tutorials and try them out. Also search PHP form scripts as well, which should help you even more. But I'm not aware of people making their own form scripts and then emailing it to you; that would be a waste of time and could lead into spamming as well.

WindAndWater Posted April 7, 2006

What I think Tyssen means is that in your form you should include a hidden field that has the server address (or some other identifying characteristic) and compare it to your actual server address.

    <form action="wherever.php" method="post">
      [All of your form fields]
      <!-- hidden field carrying the server's own address -->
      <input type="hidden" name="sendingIP" value="<?php echo $_SERVER['SERVER_ADDR']; ?>">
    </form>

And then in your second PHP page you can check:

    // compare the posted value with this server's address
    if ($_POST['sendingIP'] != $_SERVER['SERVER_ADDR']) {
        echo "This form was submitted from the wrong server.";
    } else {
        // do stuff
    }

However, something like the server IP address can also be faked. I'd suggest using sessions instead. A fair session tutorial's at http://forums.xisto.com/no_longer_exists/

BuffaloHelp Posted April 7, 2006

I have been playing around with a similar call with GFXTrap.com and I am using $something = $_REQUEST["variable"] as my required input before submitting. As I understand it, $_POST[ ] accepts no matter what when the submit button is pressed. Using $_REQUEST allows placing a Boolean condition before submitting.

Hamtaro Posted April 7, 2006

I'm not sure how easily this can be faked, but one thing you can do is to use $_SERVER['HTTP_REFERER'] and use a string comparison function (like strstr()). An example could be:

    // look for your site's URL inside the Referer header
    if (!strstr($_SERVER['HTTP_REFERER'], 'YOUR_WEBSITE_URL')) {
        echo "Error: Incorrect Server!";
    } else {
        // Your form stuff here
    }

You would need to replace YOUR_WEBSITE_URL with your site's URL, obviously. I'm not sure if HTTP referers can be disabled in the browser (I think they can), but that may be one of the best options. That's about the only way I would know how to do it.

galexcd Posted April 8, 2006

Thanks so much, all of you!!! Especially WindAndWater! All your help has been greatly appreciated!

Spectre Posted April 9, 2006

There isn't really a way you can be 100% certain the form data wasn't faked. Referer, cookie and POST data can very easily be sent in a manipulated form. For example, I could forge headers along these lines and send it to your server, and it would be none the wiser:

    POST /script.php HTTP/1.1
    Accept: */*
    Connection: close
    Host: your-host.com
    Referer: http://your-host.com/page.html
    Cookie: fake-cookie=fake-cookie-data;
    xxx-type: application/x-www-form-urlencoded
    Content-Length: 3

    abc

(Note that xxx = Content - IPB is filtering it out).

A session ID can also be easily captured prior to submitting the data (it will most likely be sent either via a cookie, or attached to links), and then be posted along with it. Simply put, and just to re-iterate, there is no 100% certain way you can be sure form data is coming from a page on your server.

Edited April 9, 2006 by Spectre
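
The session approach suggested in the thread can be made concrete with a per-session, single-use form token. This is an added example, not code from any poster in the thread; the function names, the `form_token` field and the 15-minute lifetime are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the command line.

```php
<?php
// Added example (not from the thread). Function names and the 'form_token'
// key are hypothetical. $session stands in for $_SESSION after session_start().

const TOKEN_TTL = 900; // seconds a rendered form stays valid (assumed value)

// Called when rendering the form: store a random token server-side and
// return it for embedding in a hidden field.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Called by the receiving script: accept the POST only if it carries the
// token issued to this session and the token has not expired or been used.
function verify_form_token(array &$session, array $post): bool
{
    $stored = $session['form_token'] ?? null;
    unset($session['form_token']);               // one submission per token
    $sent = $post['form_token'] ?? '';
    if (!is_array($stored) || !is_string($sent)) {
        return false;                            // no token issued, or none sent
    }
    if (time() - $stored['issued'] > TOKEN_TTL) {
        return false;                            // form was rendered too long ago
    }
    return hash_equals($stored['value'], $sent); // constant-time comparison
}

// Constructed demo: arrays stand in for $_SESSION and $_POST.
$session = [];
$token = issue_form_token($session);
echo '<input type="hidden" name="form_token" value="',
     htmlspecialchars($token, ENT_QUOTES), '">', "\n";

$cases = [
    'posted from the rendered form'  => ['user' => 'a', 'pass' => 'b', 'form_token' => $token],
    'replay of the same token'       => ['user' => 'a', 'pass' => 'b', 'form_token' => $token],
    'form built elsewhere, no token' => ['user' => 'a', 'pass' => 'b'],
];
foreach ($cases as $label => $post) {
    echo str_pad($label, 32), verify_form_token($session, $post) ? 'accepted' : 'rejected', "\n";
}
```

A client that first requests the form receives a valid token and can post it back, so the check ties a submission to a page your server rendered for that session rather than proving which form the user filled in. Credentials in `$_POST['user']` and `$_POST['pass']` still have to be validated on the server regardless of the token result.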