
Form submission


spfoonnewb


Hi, I'm trying to make a form that can only be submitted by that form -

Basically the user can put an input and click submit and the form will process, but I don't want the user to be able to copy the URL after the process and access it directly; I want it to display an error... Is there a way to do this even with globals on?

So basically like:

If the form was submitted from the forms name or a defined variable....

Then process it, else display an error...

Or if the address was accessed directly by URL, and not from being submitted by the form display an error.

Well, it's an HTML page, that just has <?php echo '$we'; ?>

If it's not posted I just want to kill the page....
So now that you gave me that I can provide an example..

[code]<?php
if(!isset($_POST))
{
die('You cannot access this page directly');
}
else
{
//Load the page
}
?>[/code]

But it doesn't work--

Also, if there is a way to attach it to an array before the page is loaded that would be cool, here's the array:

[code]<?php
$pages = array(
    '1' => 'includes/submit.php',
);

if (isset($_GET['id']) && isset($pages[$_GET['id']])) {
    include($pages[$_GET['id']]);
} else {
    echo 'The page cannot be displayed';
}
?>[/code]

On the page that you are trying to prevent direct access to, you can set 3 variables that only you know.  Alright, now set them as sessions, from the previous page.  For instance, on the page with the form set like 3 special sessions, WITH 3 special words.

[code]<?php
// Assignment (=), not comparison (==), so the value is actually stored
$_SESSION['variable1'] = "Special Word";
?>[/code]
session 2
session 3
On the other page you want to be careful on access, at the very top put
[code]<?php
session_start();
if ($_SESSION['variable1'] == "whatever" && $_SESSION['variable2'] == "whatever" && $_SESSION['variable3'] == "whatever") {
?>[/code]
entire page here
at the bottom put
[code]<?php
}
?>[/code]
ONLY people coming from that form can gain access.  That way you are sure of it, only ones coming directly from that form will have a chance of getting to that page.

Well, sessions are disabled on my server due to some problems I had with them.
(I even turned them on to test this)

So couldn't I just make a hidden form input on the previous page and then have some kind of string that checks if it was there or not... and if it's not there to kill the page or w/e?

Are you trying to keep someone from getting to the page if they don't come from the form? You won't do that with just checking for isset post or get, because if someone uses another form to get to your page, it'll still be from post or get; all they have to do is change that.  You can do 2 other things, but a hidden form field they can see, and just put on their other form anyway; it's a waste of time.
You can use http referer to check where the url is coming from and only accept it if it's coming from that specific url.  Plus use the 3 variables to make sure.

Either way I cannot get that to work -

[code]<form action="index2.php" method="POST">
<?php
$_SESSION['variable1'] == "one";
$_SESSION['variable2'] == "two";
$_SESSION['variable3'] == "three";
?>
<input type="text" name="a">
<P>
<input type="submit">

</form>[/code]



[code]<?php
session_start();
if ($_SESSION['variable1'] == "one" && $_SESSION['variable2'] == "two" && $_SESSION['variable3'] == "three") {
?>

<?php echo "$a"; ?>

<?php
}
?>[/code]

That should work.  Perhaps you didn't show it, but for the first block of code, you don't have session_start();

The session variables really don't help you.  Anyone can go to the page once, without submitting the form, and the session variables will be set.  They can then navigate to another domain and from there submit data to your index2.php page.  The session variables will be preserved across navigation outside your domain.  I know because I have tested it.  By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form.

One way to protect from this sort of hacking is to use HTTP_REFERRER.  This is not set on a lot of sites, and I do not even know how to make sure it gets set on my site.  What I do know is that if it is set, you can then make sure whoever submits data is coming from your site by checking that HTTP_REFERRER is set to your domain.

Another way is to use .htaccess  Put all your receiving pages, such as index2.php, into a directory with a .htaccess file that blocks access from outside your domain.

How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself?  Checking for isset($_POST['submit']) would let you bypass the processing on arrival.

[code]<?php
if (isset($_POST['submit'])) {
// process form data
} else {
// PHP_SELF can carry user-supplied path info, so escape it before output
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="POST">
<input type="text" name="a">
<P>
<input type="submit" name="submit">

</form>
<?php
}
?>[/code]

I'm going to try session start first, I didn't think about that, anyway:

[quote]The session variables really don't help you.  Anyone can go to the page once, without submitting the form, and the session variables will be set.  They can then navigate to another domain and from there submit data to your index2.php page.  The session variables will be preserved across navigation outside your domain.  I know because I have tested it.  By the way, that also means that testing for the $_GET and $_POST does not ensure data is submitted only from your form.[/quote]

Sessions on my server are set to reset as soon as the browser is closed.
Isn't there a way I can automatically kill the session after they get to the second page?

[quote]How about just re-coding it so that the form processing code is in the same file as the form itself and the form submits to itself?  Checking for isset($_POST['submit']) would let you bypass the processing on arrival.[/quote]

That wouldn't work because my site has been around for quite some time and the pages already exist - meaning people (who know) still could get past that.

The form is less submitting, but it's showing users their submitted data, in a pre-built format.
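The hidden-field idea raised in the thread only holds up if the field's value cannot be made up or carried over from another site. The sketch below, an added example that is not code from any poster, shows one way to do that on a server without sessions: the form page sets a random cookie and puts an HMAC over that cookie value and a timestamp into a hidden field, and the receiving page recomputes the HMAC. `FORM_SECRET`, `TOKEN_TTL` and both function names are assumptions made for this example.

```php
<?php
// Added example: stateless form token for a server without sessions.
// FORM_SECRET, TOKEN_TTL and the function names are hypothetical.
const FORM_SECRET = 'replace-with-a-long-random-server-side-secret';
const TOKEN_TTL   = 600; // seconds a rendered form stays valid

// Called while rendering the form. $clientId is a random value stored in a
// cookie for this browser; the return value goes into a hidden field.
function issue_form_token(string $clientId, int $now): string
{
    $mac = hash_hmac('sha256', $clientId . '|' . $now, FORM_SECRET);
    return $now . ':' . $mac;
}

// Called by the receiving page before it touches the rest of $_POST.
function verify_form_token(string $token, string $clientId, int $now): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                     // missing or malformed token
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > TOKEN_TTL) {
        return false;                     // timestamp in the future, or expired
    }
    $expected = hash_hmac('sha256', $clientId . '|' . $issued, FORM_SECRET);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Constructed demonstration values; no real request is involved.
$cookie = bin2hex(random_bytes(16));       // would be sent with setcookie()
$now    = time();
$token  = issue_form_token($cookie, $now); // would go in <input type="hidden">

// Case 1: form submitted 30 seconds after it was rendered.
var_dump(verify_form_token($token, $cookie, $now + 30));
// Case 2: same token replayed an hour later (bookmarked or copied URL).
var_dump(verify_form_token($token, $cookie, $now + 3600));
// Case 3: token posted from a browser that holds a different cookie.
var_dump(verify_form_token($token, 'other-browser', $now + 30));
// Case 4: page requested directly, with no token at all.
var_dump(verify_form_token('', $cookie, $now));
```

A valid token shows that the request came from a browser that loaded the form within the last `TOKEN_TTL` seconds; making a token single-use would need server-side state such as a session or database row.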
