POST security?

[Woad.php]

How can I be sure that when I send data with the POST method it won't be changed?

[fert]

You would have to make sure that the submit button was pressed,

[Woad.php]

What? That doesn't make sense, it wouldn't even send it if the button wasn't pressed.

[mattd8752]

You would have to check http_reffer.  Checking the submit button would just make a hacker put the submit button on their simulation page, or even curl it that way.

[Hypnos]

You're asking when "you" send data? Are you worried about data collisions?

But then you say "security", which makes me think you're asking how you know that users aren't modifying POST data when it's sent to you.

If you're question is the second one, as the users who replied above seem to think, let me say this..

POST data is not to be trusted. Checking refer won't help. POST data is just as modifiable as GET data. People seem to have this awful misconception that it's more secure because the average browser won't show it. But, with the right tool, you can modify it just as easy. Even over SSL.

POST, GET, and cookie data is never to be trusted. They are all editable by the user.

So, you have to put checks in your code, after you've received the POST data, to make sure the values are the range and type that they should be.

[btherl]

To add to what Hypnos said, if you want a simple way to store trusted data for the short term, use sessions.  With sessions, you can be sure that the data you put in is what you get out.

BUT, keep in mind that the name of the session is not 100% secure.  Someone can monitor another user's session, take their session name and take over the session.  It's not easy but it's possible.

But the data inside the session can only be modified by your scripts.

[SweetLou]

Also, you can't be sure that what was sent by POST is what you wrote. I could easily make a form on my home computer and send it to your PHP file to process. As stated above, checking the referrer won't help since that can be altered by me.
But the main reason I am replying is besides the above mentioned methods to check all data, if you are going to store this information, remember to escape characters so that malicios code won't be ran on your database. I prefer mysql_real_escape_string() and a couple of others. This should be done on ALL data your receive, even if the form is a dropdown list, a submit button, hidden or any other type.