Posted by Miguel Cruz on 12/17/83 11:54

mootmail-googlegroups@yahoo.com wrote:
> Katash wrote:
>> I have a simple program that inserts user details into a MySQL
>> database. The form validation is dealt with by another program that
>> contains the HTML form.
>>
>> I would like to ensure no one can create a separate form and post to
>> my input program, thereby bypassing my validation functions.
>>
>> My question is: is there a way I can check that the $_POST vars have
>> come from a PHP file on the web server and halt the SQL input with a
>> security warning if they're coming from a different source?
>>
>> Perhaps I'm approaching this from the wrong angle. Am I?
>
> Before performing the insert, you could check $_SERVER['HTTP_REFERER']
> to see if it matches where you expect the user to come from.

Please don't do this. HTTP_REFERER is useless for affirming anything.
You can only use it in the negative, and even then you should not trust
it if you'd face adverse consequences for false negatives.

Katash - How about passing a randomly-generated token in a hidden
variable on the form and ensuring it comes back intact? Or using
sessions?

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
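The token-plus-session approach Miguel suggests, written out as an added example (this is not code from the thread or from either poster). It assumes a hidden field named form_token, a session slot $_SESSION['form_token'], and two placeholder fields, name and email, standing in for whatever user details the insert program takes; the insert itself is left as a comment. One script serves the form on GET and checks the token on POST, so it runs stand-alone under any PHP 7+ web server with sessions enabled:

```php
<?php
// Added example (not code from the original thread): a per-session
// anti-forgery token for an insert program like the one Katash describes.
// Assumed names: form_token (hidden field), $_SESSION['form_token'],
// and the placeholder fields name and email.

declare(strict_types=1);

session_start();

// Issue a fresh random token, remember it in the session, and return it
// for embedding in the form: 32 bytes from the CSPRNG, hex-encoded.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Compare the submitted token against the session copy in constant time,
// and discard the session copy so a captured form body cannot be replayed.
function verify_form_token(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);          // single use
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Security warning: this submission was not issued by this server.');
    }

    // The token only proves the form was handed out to this session; it says
    // nothing about the field contents. Validate again here, before any SQL.
    $name  = trim($_POST['name'] ?? '');
    $email = trim($_POST['email'] ?? '');
    if ($name === '' || strlen($name) > 100
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Invalid input.');
    }

    // insert_user($name, $email) would go here: a prepared statement,
    // never string-built SQL. Left out because the thread does not show it.
    echo 'OK';
    exit;
}

// GET: render the form with the token in a hidden field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= $token ?>">
  <label>Name <input name="name"></label>
  <label>Email <input name="email"></label>
  <button type="submit">Save</button>
</form>
```

Two things worth keeping in mind when using this. First, the token answers the question as Katash asked it (was this POST produced by a form my server issued?), but it cannot prove the browser-side validation actually ran: anyone can load the real form, read the token out of the page, and submit a hand-crafted POST with it. The validation that protects the database therefore has to live in the insert program itself, which is why the example validates again after the token check. Second, the session is what binds the token to a particular visitor; a bare hidden field without a server-side copy (or an HMAC over session data) would be no better than a referer check, since anything you put in the page can be copied back.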




Copyright © 2005-2006 Powered by Custom PHP Programming
