Posted by mootmail-googlegroups on 10/06/00 11:54
Katash wrote:
> I have a simple program that inserts user details into a MySQL database -
> The form validation is dealt with by another program that contains the html
> form
>
> I would like to ensure no-one can create a separate form and post to my
> input program thereby bypassing my validation functions
>
> My question is :- Is there a way I check that the $_POST vars have come from
> a php file on the webserver and halt the sql input with a security warning
> if they're coming from a different source?
>
> Perhaps I'm approaching this from the wrong angle - Am I?
>
Before performing the insert, you could check $_SERVER['HTTP_REFERER']
to see if it matches where you expect the user to come from.
See: http://us3.php.net/manual/en/reserved.variables.php

The problem with that, as the PHP manual states, is that not all
clients provide this information, and if they do, it can't always be
trusted. So as you asked, you may be approaching from the wrong angle
here.

The bottom line in web security is DON'T TRUST ANYTHING. You may have
already done validation on the form, but if you're sending it somewhere
else, then check it again when it gets there.
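The advice above (re-validate the POST data in the script that performs the insert, rather than trusting a referer or an upstream form) as a worked PHP example. This is added code, not from the thread or either poster: the field names (username, email, age), the users table layout and the validation rules are assumptions, and an in-memory SQLite database stands in for the MySQL server so the script runs offline. It goes one step beyond the thread by passing the values to the database through a prepared statement, so that nothing the client submitted is ever spliced into SQL text.

```php
<?php
// Added example (not from the thread): re-validate $_POST on the server
// before the insert, regardless of which form produced the request.
// Field names, validation rules and the table schema are assumptions.
declare(strict_types=1);

/**
 * Validate raw POST data. Returns [cleanData, errors]; the insert
 * proceeds only when errors is empty.
 */
function validateUserInput(array $post): array
{
    $errors = [];
    $clean  = [];

    $username = trim((string)($post['username'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors['username'] = 'Username must be 3-32 characters: letters, digits, underscore.';
    } else {
        $clean['username'] = $username;
    }

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be an integer between 13 and 120.';
    } else {
        $clean['age'] = $age;
    }

    return [$clean, $errors];
}

/**
 * Insert with a prepared statement so the values are bound as parameters,
 * never interpolated into the SQL string. Works with MySQL or any PDO driver.
 */
function insertUser(PDO $pdo, array $clean): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, age) VALUES (:username, :email, :age)'
    );
    $stmt->bindValue(':username', $clean['username'], PDO::PARAM_STR);
    $stmt->bindValue(':email',    $clean['email'],    PDO::PARAM_STR);
    $stmt->bindValue(':age',      $clean['age'],      PDO::PARAM_INT);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

// --- Demo: in-memory SQLite stands in for the MySQL server here ---
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT, email TEXT, age INTEGER)');

// Constructed sample submissions; in the real script this is $_POST.
$requests = [
    ['username' => 'alice_01',        'email' => 'alice@example.com', 'age' => '34'],
    ['username' => "x' OR '1'='1",    'email' => 'not-an-email',      'age' => '-5'],
];

foreach ($requests as $post) {
    [$clean, $errors] = validateUserInput($post);
    if ($errors !== []) {
        // Halt the insert and record which fields failed; the client gets a
        // generic message rather than its own values echoed back.
        error_log('Rejected user insert, bad fields: ' . implode(',', array_keys($errors)));
        echo "Rejected: " . implode(' ', $errors) . "\n";
        continue;
    }
    $id = insertUser($pdo, $clean);
    echo "Inserted user #{$id}\n";
}
```

The validation lives in the same script as the insert, so it cannot be skipped by posting to that script directly; the referer header plays no part in the decision. Swapping the DSN for a MySQL one (and the AUTOINCREMENT clause for MySQL syntax) is the only change needed to run it against the original setup.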