
Form submission


10 replies to this topic

#1 spfoonnewb

  • Members
  • Advanced Member
  • 276 posts

Posted 10 August 2006 - 06:08 PM

Hi, I'm trying to make a form that can only be submitted by that form -

Basically the user can put an input and click submit and the form will process, but I don't want the user to be able to copy the URL after the process and access it directly; I want it to display an error... Is there a way to do this even with globals on?

So basically like:

If the form was submitted from the form's name or a defined variable....

Then process it, else display an error...

Or if the address was accessed directly by URL, and not from being submitted by the form, display an error.


#2 bltesar

  • Members
  • Advanced Member
  • 109 posts

Posted 10 August 2006 - 06:28 PM

If you're using the POST method for your form, do this-
if(!isset($_POST))
{
       //print your error message, or redirect, or whatever
}
else
{
       //process the inputs
}

For the GET method, replace $_POST with $_GET.

#3 spfoonnewb


Posted 10 August 2006 - 06:44 PM

Well, it's an HTML page that just has <?php echo '$we'; ?>

If it's not posted I just want to kill the page....
So now that you gave me that I can provide an example..

<?php
if(!isset($_POST))
{
die('You cannot access this page directly');
}
else
{
//Load the page
}
?>

But it doesn't work--

Also, if there is a way to attach it to an array before the page is loaded that would be cool; here's the array:

     
<?php
$pages = array(
    '1' => 'includes/submit.php',
);

if (isset($_GET['id']) && isset($pages[$_GET['id']])) {
    include($pages[$_GET['id']]);
} else {
    echo 'The page cannot be displayed';
}
?>


#4 Ninjakreborn

  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 10 August 2006 - 06:48 PM

On the page that you are trying to prevent direct access to, you can set 3 variables that only you know.  Alright, now set them as sessions, from the previous page.  For instance, on the page with the form, set like 3 special sessions, WITH 3 special words.

$_SESSION['variable1'] = "Special Word";
session 2
session 3
On the other page you want to be careful on access, at the very top put
<?php
session_start();
if ($_SESSION['variable1'] == "whatever" && $_SESSION['variable2'] == "whatever" && $_SESSION['variable3'] == "whatever") {
?>
entire page here
at the bottom put
<?php
}
?>
ONLY people coming from that form can gain access.  That way you are sure of it; only ones coming directly from that form will have a chance of getting to that page.

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#5 spfoonnewb


Posted 10 August 2006 - 07:03 PM

Well, sessions are disabled on my server due to some problems I had with them.
(I even turned them on to test this)

So couldn't I just make a hidden form input on the previous page and then have some kind of string that checks if it was there or not... and if it's not there to kill the page or w/e?

#6 bltesar


Posted 10 August 2006 - 07:42 PM

From what you wrote, it seems your form is using the GET method, so try what I wrote earlier, replacing $_POST with $_GET.

#7 Ninjakreborn


Posted 10 August 2006 - 07:47 PM

Are you trying to keep someone from getting to the page if they don't come from the form? You won't do that with just checking for isset post or get, because if someone uses another form to get to your page, it'll still be from post or get; all they have to do is change that.  You can do 2 other things, but a hidden form field they can see, and just put on their other form anyway, so it's a waste of time.
You can use HTTP referer to check where the URL is coming from and only accept it if it's coming from that specific URL.  Plus use the 3 variables to make sure.



#8 spfoonnewb


Posted 10 August 2006 - 11:03 PM

Either way I cannot get that to work -

<form action="index2.php" method="POST">
<?php
$_SESSION['variable1'] == "one";
$_SESSION['variable2'] == "two";
$_SESSION['variable3'] == "three";
?>
<input type="text" name="a">
<P>
<input type="submit">

</form>



<?php
session_start();
if ($_SESSION['variable1'] == "one" && $_SESSION['variable2'] == "two" && $_SESSION['variable3'] == "three") {
?>

<?php echo "$a"; ?>

<?php
}
?>


#9 bltesar


Posted 11 August 2006 - 02:19 AM

That should work.  Perhaps you didn't show it, but for the first block of code, you don't have session_start();

The session variables really don't help you.  Anyone can go to the page once, without submitting the form, and the session variables will be set.  They can then navigate to another domain and from there submit data to your index2.php page.  The session variables will be preserved across navigation outside your domain.  I know because I have tested it.  By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form.

One way to protect from this sort of hacking is to use HTTP_REFERRER.  This is not set on a lot of sites, and I do not even know how to make sure it gets set on my site.  What I do know is that if it is set, you can then make sure whoever submits data is coming from your site by checking that HTTP_REFERRER is set to your domain.

Another way is to use .htaccess.  Put all your receiving pages, such as index2.php, into a directory with a .htaccess file that blocks access from outside your domain.

#10 AndyB

  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • Location: Toronto

Posted 11 August 2006 - 03:08 AM

How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself?  Checking for isset($_POST['submit']) would let you bypass the processing on arrival.

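<?php
// Process only when the submit button's name arrived in the POST data.
// PHP_SELF is escaped in the form below because it can carry user-supplied path text.
if (isset($_POST['submit'])) {
// process form data
} else {
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="POST">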
<input type="text" name="a">
<P>
<input type="submit" name="submit">

</form>
<?php
}
?>

Legend has it that reading the manual never killed anyone.
My site

#11 spfoonnewb


Posted 11 August 2006 - 02:43 PM

I'm going to try session start first, I didn't think about that, anyway:

"The session variables really don't help you.  Anyone can go to the page once, without submitting the form, and the session variables will be set.  They can then navigate to another domain and from there submit data to your index2.php page.  The session variables will be preserved across navigation outside your domain.  I know because I have tested it.  By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form."

Sessions on my server are set to reset as soon as the browser is closed.
Isn't there a way I can automatically kill the session after they get to the second page?

"How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself?  Checking for isset($_POST['submit']) would let you bypass the processing on arrival."

That wouldn't work because my site has been around for quite some time and the pages already exist - meaning people (who know) still could get past that.

The form is less submitting, but it's showing users their submitted data, in a pre-built format.
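
Added example (not code from any poster in this thread): one way to get the behaviour asked for above is a random one-time token that the form page stores in the session and the receiving code deletes on first use, so a replayed submission or a form hosted on another site fails the check. The function names, the form_token key and PHP 7+ (for random_bytes) are assumptions of this example.

```php
<?php
// Added example: one-time form token. The function names and the
// 'form_token' field/session key are hypothetical, not from the thread.
session_start();

// Called when rendering the form: store a fresh random token in the
// session and return it for the hidden field.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32)); // unpredictable, new on every render
    $_SESSION['form_token'] = $token;
    return $token;
}

// Called by the receiving code: true only if the submitted token matches
// the stored one. The stored token is deleted either way, so resubmitting
// the same request fails.
function consume_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted); // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        die('You cannot access this page directly');
    }
    // Escape the user's input before showing it back to them.
    echo 'You entered: ' . htmlspecialchars($_POST['a'] ?? '', ENT_QUOTES, 'UTF-8');
    exit;
}
$token = issue_form_token();
?>
<form action="" method="POST">
<input type="hidden" name="form_token" value="<?php echo $token; ?>">
<input type="text" name="a">
<input type="submit" name="submit">
</form>
```

The token shows that the request follows a render of the form in the same session; it cannot tell a browser from a script that fetches the form first and then posts.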



