February 4, 2005, 1:52 am
Suppose you want to make sure submitted data is coming from "your" form and
not submitted (with tools) elsewhere.
What do I need to prevent false/hacked/spoofed data?
- register globals = off;
- use $_HTTP["POST"]
- check referrer with $_SERVER["HTTP_REFERER"]
are these settings 'air tight'? or (and how?) can it be overruled /
Re: safe form...
You need to learn how to cross post and not multi post. That way when
people reply to your post it goes to all the groups you posted to and
you end up with one discussion thread instead of many...
Here's my reply to your message in alt.comp.lang.php:
$_HTTP["POST"] isn't a valid variable - you want $_POST["var_name_here"]
Unfortunately you cannot rely on $_SERVER["HTTP_REFERER"] as it can be
blocked/unset by browser settings and other 3rd party software such as
anti-spy software, privacy software, ad-blocking software etc. In some
cases this is set to be blank and in other cases the site's domain
And if someone is trying to see if they can do stuff to your site/server
through a form post they'd quite easily be able to fake the referrer
anyway and make it look like they were posting from your page.
You could make the user enter the string value contained in a generated
image and the value of the image is stored in a hidden field using a
hashing algorithm like md5. When the form is submitted you compare the
hash of their string with the hidden field. There are downsides to this
as it can mean people are put off completing the form altogether and
there are accessibility issues as well.
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com /
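As an added example (not code from the thread or from Chris Hope), here is the check the reply describes in PHP: a random string is generated, its md5 hash goes into a hidden field, and on submission the hash of what the user typed is compared against it. It assumes a separate, hypothetical image script (challenge-image.php, not shown) that draws $_SESSION['challenge_text'] into a PNG.

```php
<?php
// Added example: the hidden-hash challenge described in the reply.
// Assumes register_globals is off and all input is read from $_POST.
session_start();

function make_challenge(int $length = 6): string {
    // Constructed alphabet without look-alike characters (0/O, 1/I/l).
    $alphabet = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

function challenge_hash(string $text): string {
    // md5 as in the post; upper-casing makes the comparison case-insensitive.
    return md5(strtoupper(trim($text)));
}

function challenge_matches(array $post): bool {
    if (!isset($post['challenge_hash'], $post['challenge_answer'])) {
        return false; // a submission built elsewhere is missing the fields
    }
    // hash_equals compares the two hex strings in constant time.
    return hash_equals($post['challenge_hash'],
                       challenge_hash($post['challenge_answer']));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (challenge_matches($_POST)) {
        echo 'Thanks, your message was accepted.';
    } else {
        echo 'The characters you typed did not match the image.';
    }
} else {
    $text = make_challenge();
    // Hypothetical image script reads this to render the PNG; the page itself
    // only ever receives the hash, never the plain text.
    $_SESSION['challenge_text'] = $text;
    $hash = htmlspecialchars(challenge_hash($text), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<img src="challenge-image.php" alt="Type the characters shown">'
       . '<input type="hidden" name="challenge_hash" value="' . $hash . '">'
       . '<input type="text" name="challenge_answer" autocomplete="off">'
       . '<button type="submit">Send</button></form>';
}
```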