SECURITY: PHP Form Security, Best way?

stewart715 · November 1, 2006

What's the best way to secure a form that has action through a php file?

Example:
[code]<form action="/process.php" method="POST">
<select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit" />
</form>[/code]

What could I place in process.php so the above script cannot just be placed in a remote HTML file and submitted?

Thanks for all of your help!

Caesar · November 1, 2006

There are a ton of things you can do to secure forms in general....one thing you can do is:

[code]<?php

$url = $_SERVER[REQUEST_URI];

if($url != '/myform.php') {

header("Location: error.php");

}

?>[/code]

stewart715 · November 1, 2006

Thanks.

I can't seem to get it to work. I heard something about placing a password file on the server somewhere?

mainewoods · November 1, 2006

do a google search on captcha images and you can find a free script (this site doesn't seem to have one). requires the php GD library be installed.

Caesar · November 1, 2006

Try the code again. There was a missing semicolon in there. Sorry...on a wireless keyboard. But it should work.

stewart715 · November 1, 2006

The form is included in an index.php file somehow, can I change $url to like http://mysite.com/ or something like that?

Caesar · November 1, 2006

[quote author=stewart715 link=topic=113416.msg460894#msg460894 date=1162345152]
The form is included in an index.php file somehow, can I change $url to like http://mysite.com/ or something like that?
[/quote]

Change it to this:

[code]<?php

$url = $_SERVER[REQUEST_URI];

if($url != '/index.php') {

header("Location: error.php");

}

?>[/code]

Caesar · November 1, 2006

Of course [color=red]error.php[/color] is just used for example purposes. You can redirect them wherever you like.

stewart715 · November 1, 2006

Hmm that's weird..still not working

well let me tell you that the form is located at

http://mydomain.com/?q=privacy

Caesar · November 1, 2006

[quote author=stewart715 link=topic=113416.msg460899#msg460899 date=1162345386]
Hmm that's weird..still not working

well let me tell you that the form is located at

http://mydomain.com/?q=privacy
[/quote]

That changes things. ;)

Then just do this:

[CODE]<?php

$url = $_SERVER[REQUEST_URI];

if($url != '/index.php?q=privacy') {

header("Location: error.php");

}

?>
[/CODE]

stewart715 · November 1, 2006

haha thanks :)

edit/

tried it, still not working for some reason...hmmm

what i have is
[code]
<?php
$url = $_SERVER[REQUEST_URI];

if($url != '/index.php?q=privacy') {

header("Location: error.php");

} else {

//Form submitting data goes here

}
}
?>
[/code]

Caesar · November 1, 2006

What page are you posting that code in? And if your are submitting the form from index.php to process.php...then I will address the last two questions you had. First, add the following code in "[color=red]process.php[/color]":

[code]<?php

$url = $_SERVER[HTTP_REFERER];

preg_match('/http:\/\/yourdomain.com\/index.php\?q=([a-z0-9]+)/',$url,$q);

if($url != "http://yourdomain.com/index.php?q=$q[1]") {

header("Location: error.php");
}

?>[/code]

You mentioned you would like it to work regardless of what the value of "q" was. The above code also addresses that.

Sign In

SECURITY: PHP Form Security, Best way?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information