stewart715 Posted November 1, 2006 Let's say you have a simple HTML form with action through a PHP file to store the information in a MySQL database. What is the best/easiest way to secure that form process so the form cannot just be stored in any HTML file on a remote server and submitted?
gray Posted November 1, 2006 Check the referrer?

[code=php:0]
if ($HTTP_REFERER != "http://www.yoursite.com/frompage.php") {
    die("Under Attack!");
}
[/code]
trq Posted November 1, 2006 $HTTP_REFERER was long ago deprecated. Try $_SERVER['HTTP_REFERER'] instead.
alpine Posted November 1, 2006 Still, the referrer can be manipulated and should never be used as part of a security environment. I would rather go for a solution where the form contains a db-stored random string, and upon submitting the form the posted string is compared with the db-stored string.

Example:

[code]
<?php
if (isset($_POST['my_button']) && !empty($_POST['rand_key'])) // check form
{
    // escape for use inside the SQL string (htmlspecialchars is for HTML output, not SQL)
    $rand_key = mysql_real_escape_string($_POST['rand_key']);
    // one hour expire time on each key
    $delete_old = mysql_query("delete from rand_keys where time_set < date_sub(now(), interval 3600 second)");
    $check_this = mysql_query("select id from rand_keys where rand_key = '$rand_key'");
    if (mysql_num_rows($check_this) <> 1)
    {
        die("Form not accepted");
    }
    // proceed with other form todo's
}
else // show form
{
    $rand_key = md5(mktime() * rand());
    $insert_it = mysql_query("insert into rand_keys (time_set, rand_key) values (now(), '$rand_key')");
    // type="submit" so the button actually submits the form and my_button is posted
    echo <<<_HTML
<form method="post" action="this.php">
<input type="hidden" name="rand_key" value="$rand_key" />
<input type="text" name="whatever" />
<input type="submit" name="my_button" value="Send Me!" />
</form>
_HTML;
}
?>
[/code]
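The same idea as alpine's rand_keys table, written as an added example (not code from the thread or from anyone in it) in current PHP: a per-form token that is unguessable, expires after an hour, and is accepted only once, so a copy of the form on a remote server cannot be submitted without a freshly issued token. The token store is a plain array so the script runs from the command line; in a real application that array would be $_SESSION or a database table. The function names issue_token, consume_token and render_form and the TOKEN_TTL constant are mine, not from the thread.

```php
<?php
// Added example, not the thread's code: one-time, expiring form tokens.
// $store maps token => issue time; it stands in for $_SESSION or a DB table.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a token stays valid (the thread's one hour)

function issue_token(array &$store, int $now): string
{
    // 32 bytes from the OS CSPRNG, hex-encoded: not predictable from the clock
    $token = bin2hex(random_bytes(32));
    $store[$token] = $now;
    return $token;
}

function consume_token(array &$store, ?string $submitted, int $now): bool
{
    // Purge expired tokens first, like the thread's "delete ... date_sub(now(), ...)"
    foreach ($store as $token => $issued) {
        if ($now - $issued > TOKEN_TTL) {
            unset($store[$token]);
        }
    }
    if ($submitted === null || $submitted === '') {
        return false;
    }
    // Constant-time comparison against each live token
    foreach ($store as $token => $issued) {
        if (hash_equals($token, $submitted)) {
            unset($store[$token]); // one-time use: a replayed token is rejected
            return true;
        }
    }
    return false;
}

function render_form(string $token): string
{
    // Escape for the HTML attribute; this is what htmlspecialchars is for
    $escaped = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="this.php">
  <input type="hidden" name="rand_key" value="{$escaped}" />
  <input type="text" name="whatever" />
  <input type="submit" name="my_button" value="Send Me!" />
</form>
HTML;
}

// Walk through the cases a handler has to get right (constructed, offline demo)
$store = [];
$t0    = time();

$token = issue_token($store, $t0);
echo render_form($token), PHP_EOL;

$results = [
    'fresh token accepted'            => consume_token($store, $token, $t0 + 10),
    'same token replayed'             => consume_token($store, $token, $t0 + 20),
    'token submitted after TOKEN_TTL' => consume_token($store, issue_token($store, $t0), $t0 + TOKEN_TTL + 1),
    'token never issued'              => consume_token($store, str_repeat('a', 64), $t0),
    'missing token'                   => consume_token($store, null, $t0),
];

foreach ($results as $case => $accepted) {
    printf("%-32s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```

Two points the thread's version leaves open are handled here: the token is removed as soon as it is used, so the same hidden value cannot be posted twice within the hour, and the lookup uses hash_equals rather than string equality. Binding the token to the visitor's session (storing it in $_SESSION instead of a shared table) additionally stops a token issued to one visitor from being used by another.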