Source of data

[litebearer]

Not wanting to 'hijack' another thread, but curious about the error of my ways.

 

Why specifically (and very very clearly as I am OLD fart and totally self taught in php/mysql), why will this not suffice to determine form where POSTED data came?

 

 

page 1 - formstart sessioncreate and store a hashed session variable 'who_is_it' (ie hash 1Q9zFrEd)display the formsubmit to page 2page 2start sessioncreate a hashed variable $is_it-me (ie hash 1Q9zFrEd)compare $is_it_me with the session variable 'who_is_it'   if the camparison == each other    obtain, validate, cleanse and store data   ELSE    not from a vaild source

 

[PFMaBiSmAd]

That scheme serves to check that someone's browser or something (a bot script) visited (requested) your form page at least once and supports passing the session id between pages. That's all it really can check.

 

The session variable should be unset in the form processing code so that only one submission will be processed per visit to the form and the hashed value should be randomly generated and not a fixed/static value. If the hash value is fixed/static for any one visitor, once someone gets that value by actually visiting your form, they can keep using it to submit data and that scheme would consider all the submissions to be valid.

 

If the randomly produced hash was also displayed in the form in the form of a captcha image, the scheme would also require that someone/something has the ability to read the image and submit the value as form data.

[litebearer]

So then, what is the best method to ascertain that page 2 was accessed via page 1?