
Get last URL?


Chevy


Is it possible to get the URL that the form submitted on?

 

For security reasons a user could make a form off site and link it to that page, and do some bad stuff :)

 

Is it possible to get the URL where the form came from? (Without putting it as a field in the form itself?)


$_SERVER['HTTP_REFERER']

 

But that is unreliable. Your best bet is to use SESSION variables: when the page is loaded, set that variable, and when you are checking the GET portion, check to see if that session variable is set. If it is not, chances are they just linked directly to the page.


Simple solution that I use:

 

In your form - define a constant

 

Then check if that constant is defined in your submit form.

 

i.e.

 

form.php

<?php
// The constant is defined unconditionally here, so the check below always passes
define('MyForm', 'YourHardToGuessValue');

if (!defined('MyForm')) {
    die('hacking attempt');
}
// finish your form
?>

 

add the same lines with your submit form

 

submit.php

<?php
// Same constant, defined unconditionally before it is checked
define('MyForm', 'YourHardToGuessValue');

if (!defined('MyForm')) {
    die('hacking attempt');
}
// finish your submit processing
?>


yzerman, that does not really make any sense?? Because you are defining the constant in the submit and the form.php, so it will always return true...unless I am missing something, that script seems flawed...


For security reasons a user could make a form off site and link it to that page, and do some bad stuff :)

 

Frost, if a user creates a form offsite, he does not define MyForm, because he does not know that that check is even there. Putting it in the form, and also the submit, is something that I do for logging purposes; it is not necessary on the form unless the form posts to itself, however it is necessary on the submit to be functional. So it's always defined ONSITE, but never defined OFFSITE.

 

You seeing where it makes sense and is not flawed?


For security reasons a user could make a form off site and link it to that page, and do some bad stuff :)

 

Frost, if a user creates a form offsite, he does not define MyForm, because he does not know that that check is even there. Putting it in the form, and also the submit, is something that I do for logging purposes; it is not necessary on the form unless the form posts to itself, however it is necessary on the submit to be functional.

 

Frost is right. I would have mentioned that option, but all the person has to do is view the source code of the real form, and add that hidden input field to his attack form on his own page.


The define function, as long as it is behind <?php ?> tags, does not show up in view source unless you print out the defined constant. If someone has access to your source code, it is ineffective, but then you would have other issues to worry about.


Alright, I will try and explain why it confuses me, yzerman. Your logic makes sense but the code does not. That is why I suggested the session definition, because the session variable can travel from page to page without someone knowing. Given the code you posted, anyone requesting that page can post to it, because you are defining the constant inside the code all the time. It does not matter where I come from, you still define that constant. So whether I come from www.google.com or from www.disney.com, I can still run your submit.php page due to the fact it is being defined. I would run a unit test if I were you to fully see what I am talking about.

 

Basically the server-side code gets executed no matter what. Here is a working example of what would work:

 

form.php

<?php
session_start();
// Record in the session that this visitor has loaded the form page
if (!isset($_SESSION['onForm'])) {
    $_SESSION['onForm'] = true;
}
// processing here
?>

 

submit.php

<?php
session_start();
// Refuse the submission unless form.php set the flag earlier in this session
if (!isset($_SESSION['onForm'])) {
    die("Sorry, you came from an unknown site, please go here: http://www.site.com/form.php");
}

// processing here

// Clear the flag so the next submission requires another visit to form.php
unset($_SESSION['onForm']);
?>

 

That way the variable "onForm" should only be set on form.php and not also set on submit.php, which means that in order to submit the form the person has to have been to form.php.

 

Let me know if that does not make sense, I can try and explain it better.
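The session flag above only proves that the browser has visited form.php at some point in the session; it does not tie a particular submission to the real form. The following is an added example, not code from this thread or from any of its posters, showing the stronger version of the same idea: form.php stores a random token in the session and embeds it in a hidden field, and submit.php accepts the request only when the posted value matches the session copy. The `$session` array parameter, the `form_token` field name and the helper function names are assumptions made for this example; in a real page you would pass `$_SESSION` after `session_start()`.

```php
<?php
// Added example, not code from the thread. Synchroniser-token pattern:
// form.php issues a random per-session token and embeds it as a hidden field;
// submit.php processes the request only when the submitted token matches the
// one held in the session. A form hosted elsewhere never sees the token.
// $session stands in for $_SESSION so the functions run without a web server.

declare(strict_types=1);

const FORM_TOKEN_KEY = 'form_token';   // assumed session key name

/** Issue (or reuse) the per-session token and return it. */
function issue_form_token(array &$session): string
{
    if (empty($session[FORM_TOKEN_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded: not guessable from outside
        $session[FORM_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[FORM_TOKEN_KEY];
}

/** HTML for the hidden field to place inside <form> on form.php. */
function form_token_field(array &$session): string
{
    $token = htmlspecialchars(issue_form_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_token" value="' . $token . '">';
}

/**
 * Validate a submission on submit.php. Returns true only when the session
 * holds a token and the POSTed value equals it. hash_equals() compares in
 * constant time, so the comparison does not leak how much of it matched.
 */
function validate_form_token(array $session, array $post): bool
{
    $expected = $session[FORM_TOKEN_KEY] ?? '';
    $given    = $post['form_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;   // never loaded form.php this session, or malformed input
    }
    return hash_equals($expected, $given);
}

// --- Constructed walk-through (no web server needed) ----------------------
$session = [];                                  // stands in for $_SESSION

// form.php: rendering the field also creates the token in the session.
$hidden = form_token_field($session);

// submit.php, case 1: a submission carrying the token issued by form.php.
$goodPost = ['form_token' => $session[FORM_TOKEN_KEY], 'comment' => 'hello'];
var_dump(validate_form_token($session, $goodPost));

// submit.php, case 2: a request from a form that does not carry the token.
$badPost = ['comment' => 'hello'];
var_dump(validate_form_token($session, $badPost));

// submit.php, case 3: the user never loaded form.php in this session.
var_dump(validate_form_token([], $goodPost));
```

Run it with `php` on the command line: the three checks yield true, false and false. Because the token is compared against the session copy rather than merely tested for existence, viewing the real form's source (the objection raised earlier in the thread) does not help a third party, since the value they would see belongs to their own session, not the victim's.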


HTTP_REFERER is very, very unreliable. It is easily spoofed and some clients do not permit it to be displayed.

 

Anyone can manipulate HTTP_REFERER and be able to access the site.

 

I would highly suggest AGAINST using that as a check, due to the fact that many legitimate users will not be able to use your software and many illegitimate users will be able to abuse your software.
