
security question regarding processing forms


jeff5656


I have a PHP page that processes a form. How do I prevent someone from making their own form on their own domain and then saying <form method="post" action="www.hackerdomain.com/bad.php">

and then passing their own variables?

Do I set up a $session variable on my form page and assign it to $_SERVER["PHP_SELF"]?

So long as you check the data with PHP then everything should be OK. The only reason someone would make a copy of the form is to get around client-side validation more easily. Plus you can't stop them from doing so.

After you filter the input, if you are going to output any tainted data then it's always customary to escape the output before display.

Filter input, then escape output... and all your security problems will go away, apart from some more complex web security issues.

But let's say I want to update a user's profile:

<input name="id" type="hidden">

and when I process it I do:

$id = mysql_escape_string($_POST['id']);

then update the table WHERE id = $id.

How can I prevent someone from making a new form and using a different id in the hidden field?

I want to update a user's profile

You would have an authentication system that both requires that the current visitor be logged in and that he has the necessary privileges to update the profile that the id belongs to. He would either need to be logged in as the user that owns the profile or as an administrator of your site.
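An added example (not code from this thread) of the check the reply above describes, written as a processing page. It assumes a session-based login that stores `user_id` and `role` in `$_SESSION`, a `users` table with `id`, `display_name` and `bio` columns, and placeholder database credentials; the hidden `id` is validated and then authorized against the session, never trusted on its own.

```php
<?php
// Added example: authorize a profile update on the server side.
// Assumptions: login stores user_id and role in $_SESSION; table `users`
// has columns id, display_name, bio; credentials below are placeholders.
session_start();

function require_login(): int {
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Login required');
    }
    return (int) $_SESSION['user_id'];
}

// The hidden field only says which profile the client *wants* to edit.
// Whether the client is allowed to edit it is decided from session state.
function can_edit_profile(int $targetId, int $currentUserId, string $role): bool {
    return $targetId === $currentUserId || $role === 'admin';
}

function update_profile(PDO $pdo, int $targetId, string $displayName, string $bio): int {
    // Prepared statement: values are bound, not interpolated into the SQL.
    $stmt = $pdo->prepare('UPDATE users SET display_name = :name, bio = :bio WHERE id = :id');
    $stmt->execute([':name' => $displayName, ':bio' => $bio, ':id' => $targetId]);
    return $stmt->rowCount();
}

$currentUserId = require_login();
$role = $_SESSION['role'] ?? 'user';

// Filter input: the hidden id must be an integer, anything else is rejected.
$targetId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($targetId === false || $targetId === null) {
    http_response_code(400);
    exit('Invalid id');
}

if (!can_edit_profile($targetId, $currentUserId, $role)) {
    // A forged form can send any id; the session decides what this user may touch.
    http_response_code(403);
    exit('Not allowed to edit this profile');
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'); // placeholder credentials
$displayName = trim((string) ($_POST['display_name'] ?? ''));
$bio = trim((string) ($_POST['bio'] ?? ''));
update_profile($pdo, $targetId, $displayName, $bio);

// Escape output: the saved value is echoed back into HTML.
echo 'Updated: ' . htmlspecialchars($displayName, ENT_QUOTES, 'UTF-8');
```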
