that should work. perhaps you didn't show it, but for the first block of code, you don't have session_start(); The session variables really don't help you. Anyone can go to the page once, without submitting the form, and the session variables will be set. They can then navigate to another domain and from there submit data to your index2.php page. The session variables will be preserved across navigation outside your domain. I know because I have tested it. By the way, that also means that testing for the $_GET and $_POST does not ensure data is submited only from your form. One way to protect from this sort of hacking is to use HTTP_REFERRER. This is not set on a lot of sites, and I do not even know how to make sure it gets set on my site. What I do know is that if it is set, you can then make sure whoever submits data is coming from your site by checking that HTTP_REFERRER is set to your domain. Another way is to use .htaccess Put all your receiving pages, such as index2.php, into a directory with a .htaccess file that blocks access from outside your domain.