
How to check if the form is posted from my server not other place?


mesh2005


I wouldn't rely on http_referrer to tell you if the form is being submitted from your own website. Firstly, some browsers can be configured not to send referring information. Some firewalls also do the same. You will therefore be blocking some legitimate users. And second, headers can be faked.

 

If, as I'm guessing, you're wanting to secure your form input in this way, then don't. You'll need to check all of your form data to make sure it's valid.

I completely agree with GingerRobot, headers can be faked - in fact it screwed over phpBB for a while until they patched it. HTTP_REFERER is not a reliable means of protecting your data.

 

This way also is a bit insecure, but it may suit your purposes. Do a session variable to store the data like so:

 

<?php
session_start();
// remember the server's own host name in the visitor's session
$_SESSION['current_domain'] = $_SERVER['SERVER_NAME'];
?>

 

Then on your data processing page:

 

<?php
session_start();
$myDomain = "noodles.com";

// reject the request if the session value is missing or does not match
if( !isset($_SESSION['current_domain']) || $_SESSION['current_domain'] != $myDomain ){
    die( "Nice try bub" );
}
?>

 

That way you have the added security of a purely session-wide variable which does not cross domains.

A good practice is to always use mysql_real_escape_string. Something such as this is generally enough.

 

$variable = mysql_real_escape_string($variable);

 

You could also do a few other things such as truncate the string after it reaches a certain length. This can help prevent people from inserting extremely long strings into your input that can cause problems (just because you set a maxlength variable on your form doesn't mean it has to be obeyed.)

 

Something like this works, where 'LENGTH' is the number of characters you want the string to be limited to and the rest dropped.

 

$variable = mb_strcut($variable, 0, LENGTH);

 

If your input is always a positive number, the best way to prevent any SQL injection is to do something like:

 

$variable = round(abs(mb_strcut($variable, 0, LENGTH)), DECIMALS);

 

If your input is not always a positive number, you can do this and it is just as effective.

 

$variable = round(mb_strcut($variable, 0, LENGTH), DECIMALS);

 

If your input always consists of only letters you can do this to strip anything else out:

 

// [^A-Za-z] removes everything that is not an ASCII letter ([^A-z] would also let [ \ ] ^ _ ` through)
$variable = mb_strcut(preg_replace('|[^A-Za-z]|', '', $variable), 0, LENGTH);
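As an added example, not code from the thread above: the session idea in the post can be made to actually tie a submission to the visitor's own session by storing a random token in the session, embedding it in the form as a hidden field, and comparing the two on the processing page. This assumes PHP 7 or later (random_bytes, hash_equals) and a form with a single `comment` field.

```php
<?php
// Added example, not from the original thread: a per-session form token.
session_start();

// Called when rendering the form: create the token once per session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Called on the processing page: compare the posted token with the session copy.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time; is_string() guards against arrays
    return is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        die('Form token missing or invalid');
    }
    // Token ok: still validate every field, as the thread advises.
    $comment = mb_strcut((string)($_POST['comment'] ?? ''), 0, 200);
    echo 'Form accepted: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
} else {
    // Render the form with the token embedded as a hidden field.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="text" name="comment" maxlength="200">'
       . '<button type="submit">Send</button></form>';
}
```

Unlike a SERVER_NAME or referer check, a request that never loaded the form in this session cannot carry the right token, and the maxlength on the form is still enforced again server-side.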
