Posted by Jerry Stuckle on 03/10/06 05:33
Chung Leong wrote:
> Scott wrote:
>
>>I've been trying to come up with a way to ensure user input is coming
>>from the form on my site, and not auto-submitted from elsewhere, and I
>>don't want to use the "enter the code shown in the image" method. I know
>>the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
>>doing something similar to this:
>>
>><?php
>>session_start();
>>$code = mt_rand(0,1000000);
>>$_SESSION['code'] = $code;
>>?>
>>
>>Then in my form have:
>><input type="hidden" name="originator" value="<?=$code?>">
>>
>>On the page receiving the form:
>>
>><?php
>>session_start();
>>if(isset($_POST['originator'])) {
>> if($_POST['originator'] == $_SESSION['code']) {
>> // process the form
>> }
>>}
>>?>
>>
>>I'm looking for feedback on this method. Do you think this is an
>>effective way to ensure the input you're receiving is indeed from your
>>form? Obviously, the random code key will be visible to the client, but
>>without the matching session variable, it will be useless.
>>
>>Your thoughts?
>>
>>Scott
>
>
> Yes, that's precisely what you want to do. The function uniqid() can
> also be used to generate the random key.
>
> A check on HTTP_REFERER is actually sufficient too, since ordinary
> users aren't going to be spoofing the Referer headers.
>
In addition to what Justin said - if someone DOES want to spoof your
site, they will set HTTP_REFERER to your site. That check is worthless.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
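The scheme Scott sketches above (a per-session secret placed in a hidden field and compared on submission, with no reliance on the Referer header) is the right shape; the details that matter in practice are where the secret comes from and how it is compared. The following is an added example written for this thread, not code posted by any of the participants. It uses random_bytes() rather than mt_rand() or uniqid(), because neither of those is a cryptographic generator and a guessable token defeats the whole check; it uses hash_equals() rather than ==, so PHP's loose-comparison coercions cannot match a token that was never issued; and it rejects a request outright when the session holds no token at all. The field name "originator" is kept from Scott's post, and the CLI block at the bottom is a constructed demonstration that passes plain arrays in place of $_SESSION and $_POST.

```php
<?php
declare(strict_types=1);

// Issue (or reuse) the per-session token. $session is normally $_SESSION;
// taking it as a parameter keeps the functions runnable from the CLI.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the OS CSPRNG; mt_rand()/uniqid() are predictable and unsuitable here.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Render the hidden field for the form. htmlspecialchars() keeps the value
// inside the attribute even if the token format ever changes.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="originator" value="' . $token . '">';
}

// Accept only when a token exists in the session and the submitted value
// matches it byte for byte. hash_equals() is a constant-time comparison and,
// unlike ==, never coerces types ("0" == "" and "1e3" == "1000" are true in PHP).
function csrf_verify(array $session, $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Gate the form handler: nothing in $post is touched until the token checks out.
function handle_post(array &$session, array $post): string
{
    if (!csrf_verify($session, $post['originator'] ?? null)) {
        return 'rejected';
    }
    // ... process the form here ...
    return 'accepted';
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: one legitimate browser session, then submissions that
    // do not carry the token this session issued.
    $session = [];
    $form = csrf_field($session);                 // rendering the page issues the token
    preg_match('/value="([0-9a-f]+)"/', $form, $m);
    $issued = $m[1];

    echo handle_post($session, ['originator' => $issued]), "\n";    // accepted
    echo handle_post($session, ['originator' => 'guessed']), "\n";  // rejected
    echo handle_post($session, []), "\n";                           // rejected: field missing
    $other = [];                                                    // a session that never saw the form
    echo handle_post($other, ['originator' => $issued]), "\n";      // rejected
}
```

In a real page the calls are `session_start(); echo csrf_field($_SESSION);` when rendering the form and `handle_post($_SESSION, $_POST)` in the receiving script. The token is tied to the session cookie, so an off-site auto-submitter that does not hold a valid session for the victim has nothing to copy into the hidden field, which is exactly the property Scott was after; the Referer header is never consulted, for the reason Jerry gives above.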