xisto Community
galexcd

$_post Help little help


Hi, how do I check if the variable is coming from the same server as the page? Example: let's say I have a log-in... the page it submits to says something like this:

    $user = $_POST['user'];
    $pass = $_POST['pass'];

How do I make sure that somebody didn't make their own form on their computer, or something, to submit the info to my site? I only want submissions from MY site... not somebody else... Thanks!!

Share this post


Link to post
Share on other sites

Well, you can make your own forms in PHP that will be directed from your site to your email. What I suggest is go to pixel2life.com to read up on some of those tutorials and try them out. Also search for PHP form scripts as well, which should help you even more. But I'm not aware of people making their own form scripts and then emailing it to you; that would be a waste of time and could lead into spamming as well.


What I think Tyssen means is that in your form you should include a hidden field that has the server address (or some other identifying characteristic) and compare it to your actual server address.

    <form action="wherever.php" method="post">
        [All of your form fields]
        <input type="hidden" name="sendingIP" value="<?php echo $_SERVER['SERVER_ADDR']; ?>">
    </form>

And then in your second php page you can check
    if ($_POST['sendingIP'] != $_SERVER['SERVER_ADDR']) {
        echo "This form was submitted from the wrong server.";
    } else {
        // do stuff
    }

However, something like the server IP address can also be faked. I'd suggest using sessions instead. A fair session tutorial's at http://forums.xisto.com/no_longer_exists/
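The session-based approach this reply recommends, written out as an added example (not code from the thread): instead of a hidden server address, the form carries a random token that the server stored in the visitor's session, and the receiving script only accepts the POST when the submitted token matches the stored one. This assumes PHP 7.1 or newer, that sessions are carried by cookie, and that the script is saved as login.php (a placeholder name).

```php
<?php
// Added example: bind a login form to the visitor's session with a random
// token. Assumes PHP 7.1+ and cookie-based sessions; file name login.php
// is a placeholder.
session_start();

// Return the session's form token, creating an unpredictable one on first use.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Check a submitted token against the session copy in constant time.
// Missing token, missing session value or mismatch all return false.
function form_token_is_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!form_token_is_valid($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Token matched the session: the POST came through a form this server
    // rendered for this session. Now handle the login itself.
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    // ... authenticate $user / $pass here ...
    exit('Submission accepted.');
}
?>
<form action="login.php" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
    <input type="hidden" name="form_token"
           value="<?php echo htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8'); ?>">
    <input type="submit" value="Log in">
</form>
```

Because the token only exists in the server-side session and is compared with hash_equals(), a form copied to another machine has nothing to fill in unless it was fetched by the same session, which is the property the hidden server address cannot provide.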


I have been playing around with a similar call with GFXTrap.com and I am using $something = $_REQUEST["variable"] as my required input before submitting. As I understand it, $_POST[ ] accepts no matter what when the submit button is pressed. Using $_REQUEST allows you to place a Boolean condition before submitting.


I'm not sure how easy this can be faked, but one thing you can do is to use $_SERVER['HTTP_REFERER'] and use a string comparison function (like strstr()).
An example could be:

    if (!strstr($_SERVER['HTTP_REFERER'], 'YOUR_WEBSITE_URL')) {
        echo "Error: Incorrect Server!";
    } else {
        // Your form stuff here
    }
You would need to replace YOUR_WEBSITE_URL with your site's URL, obviously. I'm not sure if HTTP Referers can be disabled in the browser (I think they can), but that may be one of the best options. That's about the only way I would know how to do it.
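A stricter form of the Referer check above, as an added example rather than code from the thread: strstr() only asks whether the site's URL appears somewhere inside the Referer string, whereas parsing the Referer and comparing its host name exactly rejects any URL that merely contains the text. It also treats a missing Referer as a failed check, which matters because browsers and proxies may strip the header. The host name example.com is a placeholder.

```php
<?php
// Added example: validate the Referer by parsed host rather than substring.
// 'example.com' is a placeholder for the site's own host name.

function referer_matches_site($referer, string $site_host): bool
{
    // Absent or empty Referer: cannot confirm origin, so fail closed.
    if (!is_string($referer) || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;                 // not a parsable absolute URL
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                 // only web origins are acceptable
    }
    // Exact, case-insensitive host comparison; no substring matching.
    return strcasecmp($parts['host'], $site_host) === 0;
}

$site_host = 'example.com';           // placeholder: your site's host name
$referer   = $_SERVER['HTTP_REFERER'] ?? null;

if (!referer_matches_site($referer, $site_host)) {
    http_response_code(403);
    exit('Error: Incorrect Server!');
}
// Your form stuff here
```

As the later reply in this thread points out, the Referer is supplied by the client, so this check is a filter for accidental or careless off-site submissions, not proof of origin; pair it with a session-bound token if the origin actually matters.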


There isn't really a way you can be 100% certain the form data wasn't faked. Referer, cookie and POST data can very easily be sent in a manipulated form. For example, I could forge headers along these lines and send it to your server, and it would be none the wiser:

    POST /script.php HTTP/1.1
    Accept: */*
    Connection: close
    Host: your-host.com
    Referer: http://your-host.com/page.html
    Cookie: fake-cookie=fake-cookie-data;
    xxx-type: application/x-www-form-urlencoded
    Content-Length: 3

    abc

(Note that xxx = Content - IPB is filtering it out).

A session ID can also be easily captured prior to submitting the data (it will most likely be sent either via a cookie, or attached to links), and then be posted along with it. Simply put, and just to re-iterate, there is no 100% certain way you can be sure form data is coming from a page on your server.

Edited by Spectre (see edit history)

