I can't seem to find any answer to this on the web, but how can I be sure a $_POST variable or form was submitted from my site as opposed to just any old site. Is there a way to filter this?
Thanks!
Add a comment
|
2 Answers
Require a secret, user-specific token in all form submissions (as a hidden input) and side-effect URLs (in query strings).
If you use sessions, you can generate a token on creation of a session and store it in the session data.
10 Comments
Allen Gingrich
Like this? <?php $_SESSION['token'] = md5(3286832ddsd); ?> <input type="hidden" name="token" value="<?php echo md5(3286832ddsd); ?>" /> then on receiving page put <?php if ($_SESSION['token'] == $_POST['token']) { echo 'It\'s legit!'; }
Quentin
Yes — except you want to use something random (uk3.php.net/manual/en/function.mt-rand.php)
Quentin
Oh, and there is no need to md5 it each time. Just once will do (and that's only to make it a nice ASCII string for URIs)
Karthikeyan Ganesan
this is not the safe solution because someone copy the hidden value and send this hidden tag with same name and value ,at that time also it makes the checking as true. please check the http_referrer or make the Access-Control-Allow-Origin header in htaccess
Quentin
@karthikpyrate — It is safe. While it doesn't stop someone who can submit the form from submitting the form with different data (and nothing can prevent that) it does stop a third party from copying the form to their site. While they could copy the value of the token, the value they put in their form would not match the one in the user's session, so the server would reject it.
|
To add more safeguard, you should also assign an allow period (like an hour) to expire session/token
