spfoonnewb Posted August 10, 2006

Hi, I'm trying to make a form that can only be submitted by that form - basically the user can put an input and click submit and the form will process, but I don't want the user to be able to copy the URL after the process and access it directly; I want it to display an error... Is there a way to do this even with globals on?

So basically like:

If the form was submitted from the form's name or a defined variable... then process it, else display an error...

Or if the address was accessed directly by URL, and not from being submitted by the form, display an error.

bltesar Posted August 10, 2006

If you're using the POST method for your form, do this:

[code]
if(!isset($_POST)){
    //print your error message, or redirect, or whatever
}else{
    //process the inputs
}
[/code]

For the GET method, replace $_POST with $_GET.

spfoonnewb Posted August 10, 2006

Well, it's an HTML page that just has <?php echo '$we'; ?>

If it's not posted I just want to kill the page... So now that you gave me that I can provide an example:

[code]
<?php
if(!isset($_POST)){
    die('You cannot access this page directly');
}else{
    //Load the page
}
?>
[/code]

But it doesn't work. Also, if there is a way to attach it to an array before the page is loaded that would be cool; here's the array:

[code]
<?php
$pages = array(
    '1' => 'includes/submit.php',
);
if (isset($_GET['id']) && isset($pages[$_GET['id']])) {
    include($pages[$_GET['id']]);
} else {
    echo 'The page cannot be displayed';
}
?>
[/code]

Ninjakreborn Posted August 10, 2006

On the page that you are trying to prevent direct access to, you can set 3 variables that only you know. Alright, now set them as sessions, from the previous page. For instance, on the page with the form, set like 3 special sessions, WITH 3 special words.

$_SESSION['variable1'] == "Special Word";
session 2
session 3

On the other page you want to be careful on access, at the very top put

<?php
session_start();
if ($_SESSION['variable1'] == "whatever" && $_SESSION['variable2'] == "whatever" && $_SESSION['variable3'] == "whatever") {
?>

entire page here

At the bottom put

<?php
}
?>

ONLY people coming from that form can gain access. That way you are sure of it; only ones coming directly from that form will have a chance of getting to that page.

spfoonnewb Posted August 10, 2006

Well, sessions are disabled on my server due to some problems I had with them. (I even turned them on to test this.)

So couldn't I just make a hidden form input on the previous page and then have some kind of string that checks if it was there or not... and if it's not there, kill the page or w/e?

bltesar Posted August 10, 2006

From what you wrote, it seems your form is using the GET method, so try what I wrote earlier, replacing $_POST with $_GET.

Ninjakreborn Posted August 10, 2006

Are you trying to keep someone from getting to the page if they don't come from the form? You won't do that with just checking for isset post or get, because if someone uses another form to get to your page, it'll still be from post or get; all they have to do is change that. You can do 2 other things, but a hidden form field they can see, and just put on their other form anyway; it's a waste of time.

You can use http referer to check where the url is coming from and only accept it if it's coming from that specific url. Plus use the 3 variables to make sure.

spfoonnewb Posted August 10, 2006

Either way I cannot get that to work:

[code]
<form action="index2.php" method="POST">
<?php
$_SESSION['variable1'] == "one";
$_SESSION['variable2'] == "two";
$_SESSION['variable3'] == "three";
?>
<input type="text" name="a"><P>
<input type="submit">
</form>
[/code]

[code]
<?php
session_start();
if ($_SESSION['variable1'] == "one" && $_SESSION['variable2'] == "two" && $_SESSION['variable3'] == "three") {
?>
<?php echo "$a"; ?>
<?php
}
?>
[/code]

bltesar Posted August 11, 2006

That should work. Perhaps you didn't show it, but for the first block of code, you don't have session_start();

The session variables really don't help you. Anyone can go to the page once, without submitting the form, and the session variables will be set. They can then navigate to another domain and from there submit data to your index2.php page. The session variables will be preserved across navigation outside your domain. I know because I have tested it. By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form.

One way to protect from this sort of hacking is to use HTTP_REFERRER. This is not set on a lot of sites, and I do not even know how to make sure it gets set on my site. What I do know is that if it is set, you can then make sure whoever submits data is coming from your site by checking that HTTP_REFERRER is set to your domain.

Another way is to use .htaccess. Put all your receiving pages, such as index2.php, into a directory with a .htaccess file that blocks access from outside your domain.

AndyB Posted August 11, 2006

How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself? Checking for isset($_POST['submit']) would let you bypass the processing on arrival.

[code]
<?php
if (isset($_POST['submit'])) {
    // process form data
} else {
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
<input type="text" name="a"><P>
<input type="submit" name="submit">
</form>
<?php
}
?>
[/code]

spfoonnewb Posted August 11, 2006

I'm going to try session start first, I didn't think about that. Anyway:

[quote]The session variables really don't help you. Anyone can go to the page once, without submitting the form, and the session variables will be set. They can then navigate to another domain and from there submit data to your index2.php page. The session variables will be preserved across navigation outside your domain. I know because I have tested it. By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form.[/quote]

Sessions on my server are set to reset as soon as the browser is closed.

Isn't there a way I can automatically kill the session after they get to the second page?

[quote]How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself? Checking for isset($_POST['submit']) would let you bypass the processing on arrival.[/quote]

That wouldn't work because my site has been around for quite some time and the pages already exist - meaning people (who know) still could get past that.

The form is less submitting, but it's showing users their submitted data, in a pre-built format.

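The hidden-field idea raised in the thread can be made tamper-evident without sessions by signing the field with a server-side secret and an expiry. This is an added example, not code from any poster in the thread; FORM_SECRET, TOKEN_TTL, the `token` field name and both helper functions are hypothetical, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: stateless, signed hidden-field token (no sessions needed).
// FORM_SECRET, TOKEN_TTL and both function names are hypothetical.
const FORM_SECRET = 'replace-with-a-long-random-server-side-value'; // placeholder
const TOKEN_TTL   = 600; // seconds a rendered form stays valid

// Returns "expiry.nonce.mac"; the MAC binds form name, expiry and nonce to the secret.
function issue_form_token(string $formName, ?int $now = null): string
{
    $expires = ($now ?? time()) + TOKEN_TTL;
    $nonce   = bin2hex(random_bytes(16));
    $mac     = hash_hmac('sha256', "$formName|$expires|$nonce", FORM_SECRET);
    return "$expires.$nonce.$mac";
}

// True only for an unmodified, unexpired token issued for this form.
function verify_form_token(string $formName, $token, ?int $now = null): bool
{
    if (!is_string($token)) {
        return false; // field missing or sent as an array
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < ($now ?? time())) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', "$formName|$expires|$nonce", FORM_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Receiving page (index2.php in the thread). $_POST is always defined as an
// array, so test the request method and the token rather than isset($_POST).
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
    || !verify_form_token('form-a', $_POST['token'] ?? null)) {
    http_response_code(403);
    die('You cannot access this page directly');
}
$a = $_POST['a'] ?? '';
echo htmlspecialchars(is_string($a) ? $a : '', ENT_QUOTES, 'UTF-8');

// Form page: print issue_form_token('form-a') as the value of a hidden
// input named "token", next to the existing "a" text input.
```

A valid token shows only that the form page was served by this site within the last ten minutes, which stops bookmarked or copied URLs and posts built without loading the form. It is not bound to a particular user, so it does not replace a session-bound CSRF token.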