
Secure Registration Form Page



#1 jimuaw2400

jimuaw2400
  • New Members
  • Newbie
  • 2 posts

Posted 09 June 2006 - 09:15 PM

I'm sort of new to PHP. I can install scripts and do minor PHP debugging.
But I just seem to be having a tough time figuring out how to keep my
registration form page from being passed around.

After someone pays for access to a member area and they are sent to
the registration page, what code can I put on the PHP registration page
to keep them from bookmarking it or using the URL again? I thought maybe
using tokens and/or valid referrers, but I'm lost on how to do it.

I found some PHP code but I'm not sure if it is valid for my need. It is
just partial. I'm not sure how to call it or use it.

----------------------

<?php
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
/* turn off error reporting */
error_reporting(0);
/* valid referrers */
/*$referers = array ('domain.com');*/
/* verify that the script is being called from a valid referrer */
function check_referer($referers) {
    if (count($referers)) {
        $found = false;
        /* host part of the Referer URL, e.g. "domain.com" */
        $temp = explode("/", (string) getenv("HTTP_REFERER"));
        $referer = isset($temp[2]) ? $temp[2] : '';

        for ($x = 0; $x < count($referers); $x++) {
            /* eregi() was removed in PHP 7; case-insensitive substring match instead */
            if (stripos($referer, $referers[$x]) !== false) {
                $found = true;
            }
        }

        /* no Referer header at all counts as invalid */
        if (!getenv("HTTP_REFERER"))
            $found = false;

        if (!$found) {
            error_log("[index.php] Illegal Referer. (".getenv("HTTP_REFERER").")", 0);
            header("Location: http://www.mymaker.com/Illegal_Referrer"); /* /Illegal_Referrer */
            echo 'You are coming from an unauthorized domain.';
        }

        return $found;
    } else {
        /* empty allow-list: every caller is accepted */
        echo 'You are coming from here.';
        return true;
    }
}
?>

---------------------------

Any help would be appreciated.

Thanks,

Jim

#2 poirot

poirot
  • Members
  • Advanced Member
  • 646 posts
  • Location: Austin, TX

Posted 09 June 2006 - 11:19 PM

The first thing I've noticed was the HTTP_REFERER. Never rely on this variable. It is easily changeable and some browsers, firewalls, proxies and the like will not send it. This will cause hassle to legit users and still leave your script vulnerable.

Now, to the tokens. You must generate tokens and store them in some database. Then, once the script is executed, see if the token is valid. After the execution, delete the token.
~ D Kuang
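
The token scheme described in the reply above, as an added example that is not code from the thread or its participants. It goes slightly further than the reply by storing only a hash of each token, giving tokens an expiry, and doing the validity check and the delete in one statement. It assumes PHP 7.1+ with the pdo_sqlite extension; the table name, function names and order ids are hypothetical.

```php
<?php
// Added example: single-use registration tokens (hypothetical names throughout).
// Assumes PHP 7.1+ with pdo_sqlite; swap the DSN for your real database.

function token_store(): PDO {
    $db = new PDO('sqlite::memory:');   // in-memory DB so the example runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reg_tokens (
        token_hash TEXT PRIMARY KEY,
        order_id   TEXT NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Call after payment is confirmed; put the returned token in the registration URL.
function issue_token(PDO $db, string $orderId, int $ttl = 3600, ?int $now = null): string {
    $now = $now ?? time();
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO reg_tokens VALUES (?, ?, ?)');
    // Store only the hash, so a leaked table does not hand out usable links.
    $stmt->execute([hash('sha256', $token), $orderId, $now + $ttl]);
    return $token;
}

// Call when the registration form is submitted. The DELETE both validates and
// consumes the token in one statement, so two simultaneous requests cannot both win.
function redeem_token(PDO $db, string $token, ?int $now = null): bool {
    $now = $now ?? time();
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;                            // malformed or missing token
    }
    $stmt = $db->prepare('DELETE FROM reg_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), $now]);
    return $stmt->rowCount() === 1;
}

// Constructed walk-through.
$db = token_store();
$token = issue_token($db, 'ORDER-1001');         // constructed order id
var_dump(redeem_token($db, $token));             // first use of the link
var_dump(redeem_token($db, $token));             // bookmarked or shared URL, reused
var_dump(redeem_token($db, 'not-a-token'));      // guessed value
$old = issue_token($db, 'ORDER-1002', 3600, time() - 7200);
var_dump(redeem_token($db, $old));               // link that has already expired
```

Expired rows are never redeemed but stay in the table, so a periodic cleanup of rows past `expires_at` is still needed.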

#3 jimuaw2400

jimuaw2400
  • New Members
  • Newbie
  • 2 posts

Posted 09 June 2006 - 11:30 PM

Any ideas for a script I can use or where I can find one?

I'd really like to find a solution to this problem.

Thanks for all the help on this forum.

Jim



