stewart715 Posted November 1, 2006

What's the best way to secure a form that has action through a PHP file?

Example:
[code]
<form action="/process.php" method="POST">
<select name="color">
  <option value="red">red</option>
  <option value="green">green</option>
  <option value="blue">blue</option>
</select>
<input type="submit" />
</form>
[/code]

What could I place in process.php so the above script cannot just be placed in a remote HTML file and submitted?

Thanks for all of your help!

Caesar Posted November 1, 2006

There are a ton of things you can do to secure forms in general... one thing you can do is:
[code]
<?php
// Path and query string of the current request
$url = $_SERVER['REQUEST_URI'];
if ($url != '/myform.php') {
    header("Location: error.php");
    exit; // stop the script after sending the redirect
}
?>
[/code]

stewart715 Posted November 1, 2006

Thanks.

I can't seem to get it to work. I heard something about placing a password file on the server somewhere?

mainewoods Posted November 1, 2006

Do a Google search on captcha images and you can find a free script (this site doesn't seem to have one). Requires the PHP GD library be installed.

Caesar Posted November 1, 2006

Try the code again. There was a missing semicolon in there. Sorry... on a wireless keyboard. But it should work.

stewart715 Posted November 1, 2006

The form is included in an index.php file somehow, can I change $url to like http://mysite.com/ or something like that?

Caesar Posted November 1, 2006

[quote author=stewart715 link=topic=113416.msg460894#msg460894 date=1162345152]
The form is included in an index.php file somehow, can I change $url to like http://mysite.com/ or something like that?
[/quote]

Change it to this:
[code]
<?php
// Path and query string of the current request
$url = $_SERVER['REQUEST_URI'];
if ($url != '/index.php') {
    header("Location: error.php");
    exit; // stop the script after sending the redirect
}
?>
[/code]

Caesar Posted November 1, 2006

Of course [color=red]error.php[/color] is just used for example purposes. You can redirect them wherever you like.

stewart715 Posted November 1, 2006

Hmm, that's weird.. still not working. Well, let me tell you that the form is located at http://mydomain.com/?q=privacy

Caesar Posted November 1, 2006

[quote author=stewart715 link=topic=113416.msg460899#msg460899 date=1162345386]
Hmm, that's weird.. still not working. Well, let me tell you that the form is located at http://mydomain.com/?q=privacy
[/quote]

That changes things. ;)

Then just do this:
[CODE]
<?php
// Path and query string of the current request
$url = $_SERVER['REQUEST_URI'];
if ($url != '/index.php?q=privacy') {
    header("Location: error.php");
    exit; // stop the script after sending the redirect
}
?>
[/CODE]

stewart715 Posted November 1, 2006

haha thanks :)

edit/tried it, still not working for some reason... hmmm

what I have is
[code]
<?php
$url = $_SERVER[REQUEST_URI];
if($url != '/index.php?q=privacy') {
    header("Location: error.php");
}
else {
    //Form submitting data goes here
}
}
?>
[/code]

Caesar Posted November 1, 2006

What page are you posting that code in? And if you are submitting the form from index.php to process.php... then I will address the last two questions you had. First, add the following code in "[color=red]process.php[/color]":
[code]
<?php
// Referer header as sent by the browser (may be absent)
$url = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// Capture the value of q from the referring URL
$matched = preg_match('/http:\/\/yourdomain\.com\/index\.php\?q=([a-z0-9]+)/', $url, $q);
if (!$matched || $url != "http://yourdomain.com/index.php?q=$q[1]") {
    header("Location: error.php");
    exit; // stop the script after sending the redirect
}
?>
[/code]

You mentioned you would like it to work regardless of what the value of "q" was. The above code also addresses that.

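Added example (not part of any post in this thread, and not any poster's code): the Referer header is supplied by the client, and REQUEST_URI inside process.php is the URI of process.php itself, so a check that ties the submission to a form this site actually served usually relies on a per-session token instead. The function names and the `token` field are hypothetical; the sketch assumes PHP 7+ and takes the session and POST data as plain arrays so it runs from the command line.

```php
<?php
// Added example (PHP 7+), not code from the thread. Function names are hypothetical.
declare(strict_types=1);

const ALLOWED_COLORS = ['red', 'green', 'blue'];

// Form page: store a fresh random token in the session and return it for the hidden field.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// process.php: return the validated color, or null if the request must be rejected.
function process_submission(array &$session, array $post): ?string
{
    $expected = $session['form_token'] ?? '';
    $given = $post['token'] ?? '';
    unset($session['form_token']); // each token is accepted once
    if (!is_string($expected) || !is_string($given) || $expected === ''
        || !hash_equals($expected, $given)) {
        return null; // token missing or not the one issued to this session
    }
    $color = $post['color'] ?? '';
    // The <select> only limits what a browser offers; re-check the value on the server.
    return in_array($color, ALLOWED_COLORS, true) ? $color : null;
}

// Constructed walk-through. On a real site, call session_start() and pass
// $_SESSION and $_POST instead of these arrays.
$session = [];
$token = issue_form_token($session);
echo '<input type="hidden" name="token" value="', htmlspecialchars($token), '">', PHP_EOL;

var_dump(process_submission($session, ['color' => 'green', 'token' => $token])); // own form
var_dump(process_submission($session, ['color' => 'green', 'token' => $token])); // same token again
$token = issue_form_token($session);
var_dump(process_submission($session, ['color' => 'green']));                    // no token
$token = issue_form_token($session);
var_dump(process_submission($session, ['color' => 'pink', 'token' => $token]));  // value not offered
```
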