Ensuring pages are submitted by my page not another location

[Chips]

Trying to stop someone making their own page submit to my servers page - ie if I have a validation.php, and I have a login.php or register.php that processes the form to validation.php (or maybe if it processes it to itself) - i wish to prevent someone from running a script that processes [i]their[/i] form on [i]their[/i] server from submitting to [i]my[/i] validation.php page.

Essentially I have some select fields with values, obviously the input is only of what I devise, so I never did any error checking upon it at this time. Now, obviously, I should - but I also wish to check where the data is coming from, to prevent others from trying to submit to my page.

Does this make any sense?
I noted http_reffer from http://uk.php.net/reserved.variables BUT it does mention that this shouldn't be trusted explicitly. Anyone have any suggestions?

[play_]

Well, you could assign a variable something and check it on validation.php.

so on register.php, you could do something like
$a = "this var must be set";

then on validation.php, you could check if $a exists, and if it does, does it hold the string "this var must be set".

and you could also do sessions.

or, do all 3 for maximum security.

[GingerRobot]

Basically, the only way to make form data 100% reliable is to thoroughly check it. Although http_reffer could be used, it will cause problems as some firewalls prevent if from being sent and browsers can be configured so that it is not sent. It can also be faked.

[Chips]

[quote author=play_ link=topic=100027.msg394304#msg394304 date=1152524672]
Well, you could assign a variable something and check it on validation.php.

so on register.php, you could do something like
$a = "this var must be set";

then on validation.php, you could check if $a exists, and if it does, does it hold the string "this var must be set".

and you could also do sessions.

or, do all 3 for maximum security.
[/quote]

Hehe, thanks - I did consider sessions, but I have another thing that checks the URL entered whenever a page is loaded for things like SELECT ' UNION LIKE etc... all of which don't exist in my site, so would indicate a possible/potential attack. Was hoping there maybe some generic solution I could similarly apply to every page with just a lil bit of coding in the index.php (as everything "goes through" that anyway) that would do similiar.

Robots right though, http_reffer isn't reliable enough to be used, at which point I was kind of floundering :P I'll go with the sessions idea unless anyone else can chip in - so many thanks in advance.

[AV1611]

Create a session and a session variable that is = to the hash of a word, then verify the session and correct hash are used...
they have to know the word and the type of hash to come from a foreign script

[GingerRobot]

I could be wrong, but even with sessions this still could be exploited. For instance, say your person opens the page with the form on in one window. The session will be created. They then modify the source of the form in another, and link to your validation. The session will exist so the modified form will be checked.

[AV1611]

Well, i'm in over my head, but I always create my session at index.php then I create a variable for each page at the page it comes from... I'm not a hacker, but I don't know if they can inject, but I feel fairly safe...

I don't do stuff with money, though, mostly corp intranet stuff... and I live in West Virginia, where the average IQ is like 80 - which is how I got to be an IT Manager... I knew where the power button was, and, well, they were impressed by my working knowledge...  (I'm an Cali Transplant)  :P

[Daniel0]

You really can't check if form data really is sent from your page. It doesn't even matter as you can change the page by sending JavaScript from the address bar, and you can tamper the data that is being sent from your page. The user will always (unless they've got some spy-/adware or a virus) be in control of the data they send in the browser.

[redarrow]

just add a random number that the user on your site got to enter to get the informtion they want.

that way if a user is using your form  there got 1 in billon to get it right.

good luck.