Archived

This topic is now archived and is closed to further replies.

spfoonnewb

Form submission

Hi, I'm trying to make a form that can only be submitted by that form -

Basically the user can put an input and click submit and the form will process, but I don't want the user to be able to copy the URL after the process and access it directly; I want it to display an error... Is there a way to do this even with globals on?

So basically like:

If the form was submitted from the forms name or a defined variable....

Then process it, else display an error...

Or if the address was accessed directly by URL, and not from being submitted by the form display an error.

Link to post

If you're using the POST method for your form, do this-
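[code]
// $_POST is always defined (an empty array when nothing was posted),
// so test whether it is empty rather than whether it is set
if(empty($_POST))
{
      //print your error message, or redirect, or whatever
}
else
{
      //process the inputs
}
[/code]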

for the GET method, replace $_POST with $_GET

Link to post

Well it's an HTML page, that just has <?php echo '$we'; ?>

If it's not posted I just want to kill the page....
So now that you gave me that I can provide an example..

[code]<?php
if(!isset($_POST))
{
die('You cannot access this page directly');
}
else
{
//Load the page
}
?>[/code]

But it doesn't work--

Also, if there is a way to attach it to an array before the page is loaded that would be cool, here's the array:

[code]<?php
$pages = array(
    '1' => 'includes/submit.php',
);

if (isset($_GET['id']) && isset($pages[$_GET['id']])) {
    include($pages[$_GET['id']]);
} else {
    echo 'The page cannot be displayed';
}
?>[/code]

Link to post

On the page that you are trying to prevent direct access to, you can set 3 variables that only you know.  Alright, now set them as sessions, from the previous page.  For instance, on the page with the form, set like 3 special sessions, WITH 3 special words.

[code]$_SESSION['variable1'] = "Special Word";[/code]
session 2
session 3
on the other page you want to be careful on access, at the very top put
[code]<?php
session_start();
if ($_SESSION['variable1'] == "whatever" && $_SESSION['variable2'] == "whatever" && $_SESSION['variable3'] == "whatever") {
?>[/code]
entire page here
at the bottom put
[code]<?php
}
?>[/code]
ONLY people coming from that form can gain access.  That way you are sure of it, only ones coming directly from that form will have a chance of getting to that page.

Link to post

Well sessions are disabled on my server due to some problems I had with them.
(I even turned em on to test this)

So couldn't I just make a hidden form input on the previous page and then have some kind of string that checks if it was there or not... and if it's not there to kill the page or w/e?

Link to post

from what you wrote, it seems your form is using the GET method, so try what I wrote earlier, replacing $_POST with $_GET.

Link to post

Are you trying to keep someone from getting to the page if they don't come from the form?  You won't do that with just checking for isset post or get, because if someone uses another form to get to your page, it'll still be from post or get; all they have to do is change that.  You can do 2 other things, but a hidden form field they can see, and just put on their other form anyway, so it's a waste of time.
You can use http referer to check where the url is coming from and only accept it if it's coming from that specific url.  Plus use the 3 variables to make sure.

Link to post

Either way I cannot get that to work -

[code]<form action="index2.php" method="POST">
<?php
$_SESSION['variable1'] == "one";
$_SESSION['variable2'] == "two";
$_SESSION['variable3'] == "three";
?>
<input type="text" name="a">
<P>
<input type="submit">

</form>[/code]



[code]<?php
session_start();
if ($_SESSION['variable1'] == "one" && $_SESSION['variable2'] == "two" && $_SESSION['variable3'] == "three") {
?>

<?php echo "$a"; ?>

<?php
}
?>[/code]

Link to post

that should work.  perhaps you didn't show it, but for the first block of code, you don't have session_start();

The session variables really don't help you.  Anyone can go to the page once, without submitting the form, and the session variables will be set.  They can then navigate to another domain and from there submit data to your index2.php page.  The session variables will be preserved across navigation outside your domain.  I know because I have tested it.  By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form.

One way to protect from this sort of hacking is to use HTTP_REFERER.  This is not set on a lot of sites, and I do not even know how to make sure it gets set on my site.  What I do know is that if it is set, you can then make sure whoever submits data is coming from your site by checking that HTTP_REFERER is set to your domain.

Another way is to use .htaccess.  Put all your receiving pages, such as index2.php, into a directory with a .htaccess file that blocks access from outside your domain.

Link to post

How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself?  Checking for isset($_POST['submit']) would let you bypass the processing on arrival.

[code]<?php
if (isset($_POST['submit'])) {
// process form data
} else {
// PHP_SELF can carry user-supplied path info, so escape it before output
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');?>" method="POST">
<input type="text" name="a">
<P>
<input type="submit" name="submit">

</form>
<?php
}
?>[/code]

Link to post

I'm going to try session start first, I didn't think about that, anyway:

[quote]The session variables really don't help you.  Anyone can go to the page once, without submitting the form, and the session variables will be set.  They can then navigate to another domain and from there submit data to your index2.php page.  The session variables will be preserved across navigation outside your domain.  I know because I have tested it.  By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form.  [/quote]

Sessions on my server are set to reset as soon as the browser is closed.
Isn't there a way I can automatically kill the session after they get to the second page?

[quote]How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself?  Checking for isset($_POST['submit']) would let you bypass the processing on arrival.[/quote]

That wouldn't work because my site has been around for quite some time and the pages already exist - meaning people (who know) still could get past that.

The form is less submitting, but it's showing users their submitted data, in a pre-built format.

Link to post
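
Added example, not code from any poster in this thread: a single-use token that combines the session and hidden-field ideas discussed above. The receiving code accepts only a POST that carries the random token issued when the form was rendered and discards the token on first use, so a copied URL, a reload, or a form hosted on another site is refused. The function names and the `form_token` field are assumptions, and form and handler share one file here so the example runs on its own.

```php
<?php
// Added example: single-use form token. Names below are hypothetical.
session_start();

// Form page: create a fresh random token and remember it in the session.
function issue_form_token(): string
{
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    return $_SESSION['form_token'];
}

// Receiving page: true only for a POST carrying this session's token.
function consume_form_token(): bool
{
    // $_POST is always set (empty array on a plain GET), so isset($_POST)
    // cannot detect direct access; check the request method instead.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $expected  = $_SESSION['form_token'] ?? '';
    $submitted = $_POST['form_token'] ?? '';
    unset($_SESSION['form_token']); // single use: a reload or replay fails
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted); // constant-time compare
}

if (consume_form_token()) {
    $a = is_string($_POST['a'] ?? null) ? $_POST['a'] : '';
    // Escape submitted data before echoing it back into HTML.
    echo 'You entered: ' . htmlspecialchars($a, ENT_QUOTES, 'UTF-8');
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    http_response_code(403);
    die('You cannot access this page directly');
}
$token = issue_form_token(); // plain GET: render the form with a new token
?>
<form action="" method="POST">
  <input type="hidden" name="form_token" value="<?php echo $token; ?>">
  <input type="text" name="a">
  <input type="submit">
</form>
```

With separate form and result pages, `issue_form_token()` belongs on the form page and `consume_form_token()` at the top of the receiving page. The token stops direct and cross-site requests; it does not stop a client that first loads the form and then posts the token it was given.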