The Little Guy Posted November 21, 2007 Share Posted November 21, 2007 How can I make it so that form posts can only come from the current domain, otherwise are rejected? Quote Link to comment Share on other sites More sharing options...
premiso Posted November 21, 2007 Share Posted November 21, 2007 Store a variable in session that you only set on pages from your site and check that. Other than that it is hard to do as someone can easily spoof what page they are coming from and can access it/submit it like it is coming from your domain. Quote Link to comment Share on other sites More sharing options...
teng84 Posted November 21, 2007 Share Posted November 21, 2007 $_SERVER['HTTP_REFERER'] this will check the previous page that the users in Quote Link to comment Share on other sites More sharing options...
websiterepairguys Posted November 22, 2007 Share Posted November 22, 2007 Referer can be faked. The best way to do this is to use a javascript submit function. inside the javascript set a hidden value, or a cookie, then check that value/cookie in your post routine. This will help reduce spam from robots. Mark Quote Link to comment Share on other sites More sharing options...
phpQuestioner Posted November 22, 2007 Share Posted November 22, 2007 Referer can be faked. The best way to do this is to use a javascript submit function. inside the javascript set a hidden value, or a cookie, then check that value/cookie in your post routine. This will help reduce spam from robots. Mark or you could create a session in your form page and require the PHP script, your using to process your form results, too require this session for your form processing PHP script. Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted November 22, 2007 Author Share Posted November 22, 2007 What if the user has JavaScript disabled? Could I take the HTTP_REFERER, and use a function that will remove everything except for this: http://mysite.com How could someone fake that part? All I need to know is the domain the request was coming from, I don't need the page or anything. Quote Link to comment Share on other sites More sharing options...
rajivgonsalves Posted November 22, 2007 Share Posted November 22, 2007 Ok you can take this approach generated a md5 hash for every form posted so say your hash is as an example "9e107d9d372bb6826bd81d3542a419d6" so lets say you got two pages one page is a form lets call it form1.php and another page is form1_submit.php (enters data into a database) so on form1.php 1) set a session variable storing the hash 2) send the hash via a hidden field in the form on form1_submit.php 1) check if both match the value in the session and the post hidden field hope this is helpful Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted November 22, 2007 Share Posted November 22, 2007 There is simply no way of doing this. Every way suggested can be faked or will cause problems for some users. The only reason why anyone would ever need to do this is because they are not doing proper validation. Validate your forms properly. That is the only solution. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.