mesh2005 Posted June 12, 2007 Share Posted June 12, 2007 I have a form index.php, it posts the data to action.php How can I add a check to action.php to make sure that the index.php data comes from my server? Quote Link to comment Share on other sites More sharing options...
HAVOCWIZARD Posted June 12, 2007 Share Posted June 12, 2007 try this, i have this in my website if($_GET && strstr($_SERVER["HTTP_REFERER"], "yoursite name.com")) { $_POST = $_GET; } Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted June 12, 2007 Share Posted June 12, 2007 I wouldn't rely on http_referrer to tell you if the form is being submitted from your own website. Firstly, some browsers can be configured not to send referring information. Some firewalls also do the same. You will therefore be blocking some legitimate users. And second, headers can be faked. If, as im guessing that you're wanting to secure your form input in this way, then dont. You'll need to check all of your form data to make sure its valid. Quote Link to comment Share on other sites More sharing options...
smc Posted June 12, 2007 Share Posted June 12, 2007 I completly agree with GingerRobot, headers can be faked - infact it screwed over phpBB for a while until they patched it. HTTP_REFERER is not a reliable means of protecting your data. This way also is a bit insecure, but it may suit your purposes. Do a session variable to store the data like so: <?php session_start(); $_SESSION['current_domain'] = $_SERVER['SERVER_NAME']; ?> Then on your data processing page: <?php session_start(); $myDomain = "noodles.com"; if( $_SESSION['current_domain'] != $myDomain ){ die( "Nice try bub" ); } ?> That way you have the added security of a purely session wide variable which does not cross-domains Quote Link to comment Share on other sites More sharing options...
HAVOCWIZARD Posted June 13, 2007 Share Posted June 13, 2007 nice i didnt know that , thanks guys, tell me what are all the things you have to remove from a input string before you start your search on the database, in other words, what to remove from being hacked. Quote Link to comment Share on other sites More sharing options...
Nhoj Posted June 13, 2007 Share Posted June 13, 2007 A good practice is to always use mysql_real_escape_string....Something such as this is generally enough. $variable = mysql_real_escape_string($variable); You could also do a few other things such as truncate the string after it reaches a certain length. This can help prevent people from inserting extremely long strings into your input that can cause problems (just because you set a maxlength variable on your form doesn't mean it has to be obeyed.) Something like this works...Where as 'LENGTH' is the number of characters you want the string to be limited to and the rest dropped. $variable = mb_strcut($variable, 0, LENGTH); If your input is always a positive number the best way to prevent any SQL -injection is to do something like: $variable = round(abs(mb_strcut($variable, 0, LENGTH)), DECIMALS); If your input is not always a positive number you can do this and it is just as effective. $variable = round(mb_strcut($variable, 0, LENGTH), DECIMALS); If your input always consists of only letters you can do this to strip anything else out: $variable = mb_strcut(preg_replace('|[^A-z]|', '', $variable), 0, LENGTH); Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.