Posted by Chung Leong on 03/10/06 00:27
Scott wrote:
> I've been trying to come up with a way to ensure user input is coming
> from the form on my site, and not auto-submitted from elsewhere, and I
> don't want to use the "enter the code shown in the image" method. I know
> the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
> doing something similar to this:
>
> <?php
> session_start();
> $code = mt_rand(0,1000000);
> $_SESSION['code'] = $code;
> ?>
>
> Then in my form have:
> <input type="hidden" name="originator" value="<?=$code?>">
>
> On the page receiving the form:
>
> <?php
> session_start();
> // Only accept the submission when a code was actually issued for this
> // session and the posted value matches it exactly (compared as strings,
> // since $_POST values always arrive as strings).
> if(isset($_POST['originator'], $_SESSION['code'])) {
>     if((string)$_POST['originator'] === (string)$_SESSION['code']) {
>         // process the form
>     }
> }
> ?>
>
> I'm looking for feedback on this method. Do you think this is an
> effective way to ensure the input you're receiving is indeed from your
> form? Obviously, the random code key will be visible to the client, but
> without the matching session variable, it will be useless.
>
> Your thoughts?
>
> Scott
Yes, that's precisely what you want to do. The function uniqid() can
also be used to generate the random key.
A check on HTTP_REFERER is actually sufficient too, since ordinary
users aren't going to be spoofing the Referer headers.
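The session-bound form token the thread describes, written out as an added example (this is not Scott's or Chung Leong's code). It assumes PHP 7 or later for random_bytes() and hash_equals(), and it goes slightly beyond the thread by consuming the token on each verification so a captured value cannot be submitted twice. The session is simulated with a plain array so the script runs from the command line without a web server.

```php
<?php
// Added example, not code from the original thread: a session-bound form
// token generated with the OS CSPRNG and checked with a constant-time
// comparison. The $session array stands in for $_SESSION so the script
// can be run with the PHP CLI.

declare(strict_types=1);

// Generate a fresh token and remember it in the session for later comparison.
function issueFormToken(array &$session): string
{
    // 32 random bytes, hex-encoded to 64 characters; unpredictable, unlike
    // a small integer from mt_rand().
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

// Render the hidden field; htmlspecialchars() keeps the markup well-formed.
function hiddenField(string $token): string
{
    return '<input type="hidden" name="originator" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token against the session. Returns true only when a
// token was issued, the submission carries a string, and the two match
// byte-for-byte. The stored token is cleared on every attempt, successful
// or not, so each issued token can be used at most once.
function verifyFormToken(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);
    $submitted = $post['originator'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $submitted);
}

// Constructed session and requests for demonstration.
$session = [];
$token = issueFormToken($session);
echo hiddenField($token), PHP_EOL;

$firstUse  = verifyFormToken($session, ['originator' => $token]);
$replay    = verifyFormToken($session, ['originator' => $token]);
$noSession = verifyFormToken($emptySession = [], ['originator' => '']);
var_dump($firstUse, $replay, $noSession);
```

Running it prints the hidden field followed by three booleans: the first submission verifies, the replay of the same token fails because the token was consumed, and an empty originator against a session that never issued a token fails rather than matching a missing value.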