Posted by Scott on 03/09/06 21:42

I've been trying to come up with a way to ensure user input is coming
from the form on my site, and not auto-submitted from elsewhere, and I
don't want to use the "enter the code shown in the image" method. I know
the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
doing something similar to this:

<?php
session_start();
$code = mt_rand(0,1000000);
$_SESSION['code'] = $code;
?>

Then in my form have:
<input type="hidden" name="originator" value="<?=$code?>">

On the page receiving the form:

<?php
session_start();
if(isset($_POST['originator'])) {
if($_POST['originator'] == $_SESSION['code']) {
// process the form
}
}
?>

I'm looking for feedback on this method. Do you think this is an
effective way to ensure the input you're receiving is indeed from your
form? Obviously, the random code key will be visible to the client, but
without the matching session variable, it will be useless.

Your thoughts?

Scott

• Next in forum: Re: Better Ways Compare Strings: Exact Matches
• Prev in forum: Re: PHP5 considered Beta (modules coexisting with PHP 4)
• Thread view: Form Security

[Reply to this message]