protect post from other domain

[jason213123]

hi,

i have a php file that perform a query with the data that he receive

form post information.

what i need to do is detect from where the data is coming is is same domain

or not and block when is not from the same domain.

thanks a lot for your help

 

[monkeytooth]

Well if you want it your domain (or specific, this can be modified to make an "allowed" domain list..

<?php
$mydomain = $_SERVER['SERVER_NAME']; //gets your domain name
$mydomain = str_replace('www.', '', $mydomain); //since the above can sometimes include 'www' it strips it out

if($mydomain == "your-domain-name.com"){

/*Place
the
code
you
want
to
run
here*/

}else{
echo "unauthorized post method." //you can say anything or run another script or if your using JSON out put your error.
}
?>

 

Alternatively you can create tokens and other various things to go back and forth with to verify the data is not only from your site but also valid information based on your forms needs. May want to do something like that anyway who knows, I am not 100% sure what your doing with what. Also remember to sanitize your strings for malicious code.

 

Like I said the above is just a core basic concept. A stepping stone if you will call it that..

 

[bluejay002]

You may check the reserved server variables to determine where it is coming from. See it here:

 

http://www.php.net/manual/en/reserved.variables.server.php

 

bluejay,

[monkeytooth]

Actually I want to retort my previous reply..

Its a safer bet to use HTTP_HOST instead of SERVER_NAME as depending upon your server setup SERVER_NAME is possible to spoof from an outside source.

 

if you want to read up on the diffrences between the 2 I suggest going to: http://shiflett.org/blog/2006/mar/server-name-versus-http-host and taking a read there nice short article about the differences between the 2