Chevy (posted April 11, 2007):

Is it possible to get the URL that the form submitted on? For security reasons a user could make a form off site and link it to that page, and do some bad stuff.

Is it possible to get the URL where the form came from? (Without putting it as a field in the form itself?)

boo_lolly (posted April 11, 2007):

i'd imagine you'd use curl. not sure tho.

per1os (posted April 11, 2007):

```php
$_SERVER['HTTP_REFERER']
```

But that is unreliable. Your best bet is to use SESSION variables: when the page is loaded, set that variable, and when you are checking the GET portion, check to see if that session variable isset. If it is not, chances are they just linked directly to the page.

only one (posted April 11, 2007):

yea, you can store a url in a database...

```php
<?php
// Build the URL of the current script; escape it before it goes into the query,
// because PHP_SELF is taken from the request.
$url = mysql_real_escape_string($_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF']);
mysql_query("INSERT INTO table(`url`) VALUES ('http://$url')"); //edit this
?>
```

something like that?

Chevy (posted April 11, 2007):

Yea good idea. Thanks

yzerman (posted April 11, 2007):

Simple solution that I use: in your form, define a constant. Then check if that constant is defined in your submit form.

i.e. form.php

```php
<?php
define('MyForm', 'YourHardToGuessValue');
if (!defined('MyForm')) {
    die('hacking attempt');
}
//finish your form
?>
```

Add the same lines with your submit form.

submit.php

```php
<?php
define('MyForm', 'YourHardToGuessValue');
if (!defined('MyForm')) {
    die('hacking attempt');
}
//finish your submit continual
?>
```

per1os (posted April 11, 2007):

yzerman, that does not really make any sense?? Because you are defining the constant in the submit and the form.php, so it will always return true... unless I am missing something, that script seems flawed...

yzerman (posted April 11, 2007):

> For security reasons a user could make a form off site and link it to that page, and do some bad stuff

Frost, if a user creates a form offsite - he does not define MyForm, because he does not know that that check is even there. Putting it in the form, and also the submit, is something that I do for logging purposes; it is not necessary on the form unless the form posts to itself, however it is necessary on the submit to be functional.

So it's always defined ONSITE, but never defined OFFSITE.

You seeing where it makes sense and is not flawed?

boo_lolly (posted April 11, 2007):

> > For security reasons a user could make a form off site and link it to that page, and do some bad stuff
>
> Frost, if a user creates a form offsite - he does not define MyForm, because he does not know that that check is even there. Putting it in the form, and also the submit, is something that I do for logging purposes; it is not necessary on the form unless the form posts to itself, however it is necessary on the submit to be functional.

frost is right. i would have mentioned that option, but all the person has to do is view the source code of the real form, and add that hidden input field to his attack form on his own page.

yzerman (posted April 11, 2007):

The define function, as long as it is behind `<?php ?>` tags, does not show up in view source unless you print out the defined constant.

If someone has access to your source code, it is ineffective, but then you would have other issues to worry about.

per1os (posted April 11, 2007):

Alright, I will try and explain why it confuses me, yzerman. Your logic makes sense but the code does not. That is why I suggested the session definition, because the session variable can travel from page to page without someone knowing.

Given the code you posted, anyone requesting that page can post to it because you are defining the constant inside the code all the time. It does not matter where I come from, you still define that constant. So whether I come from www.google.com or from www.disney.com I can still run your submit.php page due to the fact it is being defined.

I would run a unit test if I were you to fully see what I am talking about. Basically the server-side code gets executed no matter what.

Here is a working example of what would work:

form.php

```php
<?php
session_start();
// Mark this session as having loaded the form.
if (!isset($_SESSION['onForm'])) {
    $_SESSION['onForm'] = true;
}
// processing here
?>
```

submit.php

```php
<?php
session_start();
// Refuse the submission if this session never loaded form.php.
if (!isset($_SESSION['onForm'])) {
    die("Sorry, you came from an unknown site, please go here: http://www.site.com/form.php");
}
// processing here
unset($_SESSION['onForm']);
?>
```

That way the variable "onForm" should only be set on form.php and not also set on submit.php, which means that in order to submit the form the person has to have been to form.php.

Let me know if that does not make sense, I can try and explain it better.

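Added example, not part of any post in this thread: the session check above, extended from a fixed flag to a random single-use token that form.php embeds in a hidden field and submit.php compares against the session copy. A flag only shows that the session loaded form.php at some point; the token ties the submission to the form that was actually rendered. The helper names and the `form_token` field are hypothetical, and a plain array stands in for `$_SESSION` so the script runs from the command line (PHP 7 or later).

```php
<?php
// Added example: synchronizer-token variant of the session check.
// issue_form_token()/verify_form_token() are hypothetical helper names.
// $session stands in for $_SESSION so the script also runs from the CLI.

function issue_form_token(array &$session): string
{
    // 32 bytes from the CSPRNG, hex-encoded for use in a hidden field.
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

function verify_form_token(array &$session, $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    // Single use: drop the stored token whether or not the check passes.
    unset($session['form_token']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison of the stored and submitted values.
    return hash_equals($expected, $submitted);
}

// --- form.php side ---
$session = [];                        // constructed stand-in for $_SESSION
$token = issue_form_token($session);
echo '<input type="hidden" name="form_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '">' . "\n";

// --- submit.php side: three constructed submissions, in order ---
$cases = [
    'token from the rendered form'    => ['form_token' => $token],
    'no token (form built elsewhere)' => [],
    'replay of the same token'        => ['form_token' => $token],
];
foreach ($cases as $label => $post) {
    $ok = verify_form_token($session, $post['form_token'] ?? null);
    printf("%-32s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

In a real page, replace `$session` with `$_SESSION` after `session_start()` and read the submitted value from `$_POST['form_token']`.
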
yzerman (posted April 11, 2007):

I stand corrected

verN (posted April 12, 2007):

how would one use sessions to get the url? thanks, since i am also using http referer and believe this will create problems in the future. thanks

Dragen (posted April 12, 2007):

what problems could http referer cause? I was thinking of using it for my forms, but didn't realise there were any problems that may be caused by using it..

per1os (posted April 12, 2007):

HTTP_REFERER is very very unreliable. It is easily spoofed and some clients do not permit it to be displayed. Anyone can manipulate HTTP_REFERER and be able to access the site.

I would highly suggest AGAINST using that as a check, due to the fact that many legitimate users will not be able to use your software and many illegitimate users will be able to abuse your software.

Dragen (posted April 12, 2007):

ok. thanks