a href in a form to set session

[SirChick]

How do check if a "<h ref " link was clicked in a process page for example

 

i got the form tags then <a href="test.php">test</a>

 

and the form action goes to formprocess. so i want to do an "isset" on the test.php ahref so i can set a session for it .....

 

can that be done ? or can it only be done with submit buttons and check boxes etc?

[pocobueno1388]

Add something to the url that tells you if they were referred by the link.

 

So make your link look like this

<a href="test.php?link=yes">

 

Now on the page the link is to, do this

 

<?php

if (isset($_GET['link'])){
   //set session
}

?>

[SirChick]

argh wait i cant use get... the idea of session creation was to stop some one linking to the process page without the form's input...

 

so was going to do like:

 

if isset set $session == yes

 

then

 

if session != yes header to what ever page.

 

if i use get it is exploitable

 

 

would you know any other idea that may work with what i am thinking of ?

[pocobueno1388]

Ah, just use a hidden form input.

 

<input type="hidden" name="secret_key" value="something">

 

Then on the process page, check if they have it.

 

<?php

If (!isset($_POST['secret_key'])){
  //They are cheating
} else {
   //They used the form.
}

?>

[SirChick]

shall give it a try! thankyou

[PHP_PhREEEk]

A hidden form is not hidden with security in mind. It is to pass arguments to the processing page that do not require user input. Once the form is in your browser, a quick check of the source will reveal the hidden field(s) and the values assigned.

 

The only way to do this with any sense of security is to dynamically change the hidden input's value. The value is stored in MySQL, then when the form is submitted, the value is checked against the DB. Remove old values, create new ones as necessary. Sort of a poor man's captcha for form submission.

 

PhREEEk

[SirChick]

ok now u have lost me =/

[trq]

I think this is what your trying to do....

 

form.php

<?php

  session_start();
  $_SESSION['valid'] = true;

?>
<form action='process.php' method='post'>
  <input type='text' name='foo'>
  <input type='submit' name='submit'>
</form>

 

process.php

<?php

  session_start();
  if (isset($_POST['submit'] && isset($_SESSION['valid'])) {
    unset($_SESSION['valid']);
    // process form.
  }

?>

[SirChick]

problem with that is... say the user views the form... then goes to do other stuff then changes the url to process.php itll still process cos session hasnt unset. =/

 

im trying to find a way that the session is created upon for post has started and so when do activate the form there is no go back anyway

[trq]

A simple solution to that is to simply store the current page (do this on every page) in the $_SESSION array on each request.

 

form.php

<?php session_start(); ?>
<form action='process.php' method='post'>
  <input type='text' name='foo'>
  <input type='submit' name='submit'>
</form>
<?php
  // This needs to be the last line of every page in your site.
  // or prior to any redirecting.
  $_SESSION['referer'] = $_SERVER['SCRIPT_NAME'];

?>

 

process.php

<?php

  session_start();
  if (isset($_POST['submit'] && $_SESSION['referer'] == 'form.php')) {
    unset($_SESSION['valid']);
    // process form.
  }

  $_SESSION['referer'] = $_SERVER['SCRIPT_NAME'];

?>

 

There are many ways to get this done.

[SirChick]

why does:

 

$_SESSION['referer'] = $_SERVER['SCRIPT_NAME'];

 

have to be at the bottom of the process page also ?