GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   php & form submission control (https://gfy.com/showthread.php?t=301195)

bawdy 05-25-2004 02:53 AM

php & form submission control
 
How can I make it so that a form will only be accepted if it's been submitted from the domain that it is hosted on?

Could check the referring URL etc., but was wondering if someone knows a more secure way.

Lycanthrope 05-25-2004 02:57 AM

I've used this for forms:

http://www.scriptarchive.com/formmail.html

bawdy 05-25-2004 03:02 AM

Quote:

Originally posted by Lycanthrope
I've used this for forms:

http://www.scriptarchive.com/formmail.html

Thanks, I'm no Perl wiz but it looks like it checks referer strings to see if it's submitted from an accepted domain.

init 05-25-2004 03:04 AM

I believe the referrer is the only other way, other than htaccess.

raymor 05-25-2004 03:32 AM

Well you could always have them type in the word.


http://www.bettercgi.com/strongbox/images/bends.gif http://www.bettercgi.com/strongbox/images/steak.gif http://www.bettercgi.com/strongbox/images/plant.gif

That's one of the things I just added to Strongbox.
Were you using CGI instead of damn PHP you could use
my library, which would plug right into your script.
Matter of fact, now that I've been the one to actually
give a decent answer to your question I guess I can go ahead and say:
You're concerned about securing it and you're writing it in PHP?!?!?!? ROTFL!
FOOMCLMDFHO!
(Falling Out Of My Chair Laughing My Damn Fool Head Off).

boyw_utr 05-25-2004 03:50 AM

Quote:

Originally posted by bawdy
How can I make it so that a form will only be accepted if it's been submitted from the domain that it is hosted on?

Could check the referring URL etc., but was wondering if someone knows a more secure way.


You can only use the referrer check like this:

Check the referer var stored in:
$HTTP_SERVER_VARS['HTTP_REFERER'];

$findme = 'www.domain.com';

// stripos() is case-insensitive and needs PHP 5; use stripos on a strtolower()'d value on PHP 4
$pos1 = stripos($HTTP_SERVER_VARS['HTTP_REFERER'], $findme);

// Nope, not found
if ($pos1 === false) {
    echo "The string '$findme' was not found in the string '{$HTTP_SERVER_VARS['HTTP_REFERER']}'";
}
// Yes, it's there
else {
    echo "We found '$findme' in '{$HTTP_SERVER_VARS['HTTP_REFERER']}'";
}

Replace the echos after testing with a new header or the add-to-db routine...


Good Luck

:thumbsup
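Added example, not boyw_utr's code: the same referer check with the host compared exactly instead of by substring. With stripos() any referer that merely contains 'www.domain.com' passes, for instance 'http://www.domain.com.evil.example/form.php' or a URL that carries the host name in its query string. Assumes PHP 7.1+ for the nullable parameter type; the expected host and the sample referers are constructed.

```php
<?php
// Added example (not from the thread): compare the Referer host exactly instead of
// substring-matching it with stripos(). A substring match accepts any referer that
// merely contains the expected host name somewhere in the URL.
// The header is still optional and client-controlled, so this is only a coarse
// filter, not an authorisation check.

// Returns true only when $referer parses as an absolute URL whose host equals
// $expectedHost (case-insensitive). Missing or malformed referers return false.
function referer_matches_host(?string $referer, string $expectedHost): bool
{
    if ($referer === null || $referer === '') {
        return false;                      // browser sent no Referer at all
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                      // not an absolute URL, or no host part
    }
    return strcasecmp($host, $expectedHost) === 0;
}

// Constructed sample inputs showing what the substring check gets wrong.
$expected = 'www.domain.com';
$samples = [
    'http://www.domain.com/form.php',               // genuine: accept
    'http://www.domain.com.evil.example/form.php',  // substring match passes, exact check: reject
    'http://evil.example/?u=www.domain.com',        // host name only in the query string: reject
    'WWW.DOMAIN.COM/form.php',                      // no scheme, parse_url() yields no host: reject
    '',                                             // no referer at all: reject
];
foreach ($samples as $r) {
    printf("%-48s %s\n", $r === '' ? '(empty)' : $r,
        referer_matches_host($r, $expected) ? 'accept' : 'reject');
}

// In a form handler (the $_SERVER superglobal replaces $HTTP_SERVER_VARS):
// if (!referer_matches_host($_SERVER['HTTP_REFERER'] ?? null, 'www.domain.com')) {
//     http_response_code(403);
//     exit;
// }
```

The check still fails open in one direction only: a visitor whose browser or proxy strips the header is rejected, so combine it with a server-issued token rather than relying on it alone.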

bawdy 05-25-2004 04:37 AM

Thanks guys... my main concern with using the referer method is that it is not always passed and can be forged pretty easily.

disregard 05-25-2004 04:48 AM

Here's an algorithm:

When displaying the form:

1. Generate a unique number and store it in a database table with a timestamp.

2. Delete all unique numbers older than 2 hours.

3. Hide the new unique number in the form.

When processing the form:

1. Check the unique number against the database. If it is not there, die();

2. Check the referrer. If it is incorrect, die();

3. Process the form.
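The three display steps and processing step 1 above, as an added example that is not disregard's code, using PDO with an in-memory SQLite database so it runs by itself. Assumes PHP 7+ (random_bytes) with the pdo_sqlite extension; the table and column names and the fixed clock value are constructed. It also deletes the number when it is checked, so each copy of the form can be submitted exactly once.

```php
<?php
// Added example (not from the thread): the nonce table scheme with an in-memory
// SQLite store. A real site would point the PDO DSN at its normal database.

const NONCE_TTL_SECONDS = 2 * 60 * 60;   // "older than 2 hours" from the post

function open_nonce_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE form_nonce (nonce TEXT PRIMARY KEY, issued_at INTEGER NOT NULL)');
    return $db;
}

// Display steps 1-3: mint an unpredictable number, store it with a timestamp,
// purge stale rows, and return the value to embed in a hidden field.
function issue_nonce(PDO $db, int $now): string
{
    $nonce = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not a counter or uniqid()
    $db->prepare('INSERT INTO form_nonce (nonce, issued_at) VALUES (?, ?)')->execute([$nonce, $now]);
    $db->prepare('DELETE FROM form_nonce WHERE issued_at < ?')->execute([$now - NONCE_TTL_SECONDS]);
    return $nonce;
}

// Processing step 1: accept only a nonce we issued within the TTL, and delete it in
// the same statement so a captured form cannot be replayed. rowCount() reports
// whether the DELETE actually removed a row.
function consume_nonce(PDO $db, string $nonce, int $now): bool
{
    $stmt = $db->prepare('DELETE FROM form_nonce WHERE nonce = ? AND issued_at >= ?');
    $stmt->execute([$nonce, $now - NONCE_TTL_SECONDS]);
    return $stmt->rowCount() === 1;
}

function hidden_field(string $nonce): string
{
    return '<input type="hidden" name="form_nonce" value="' . htmlspecialchars($nonce, ENT_QUOTES) . '">';
}

// Walk-through with a fixed clock instead of time() so the expiry case is reproducible.
$db = open_nonce_store();
$t0 = 1700000000;                                   // constructed epoch second
$n1 = issue_nonce($db, $t0);
echo hidden_field($n1), "\n";

var_dump(consume_nonce($db, $n1, $t0 + 60));        // true: first submission within 2 h
var_dump(consume_nonce($db, $n1, $t0 + 120));       // false: replay of the same nonce
var_dump(consume_nonce($db, 'deadbeef', $t0));      // false: never issued
$n2 = issue_nonce($db, $t0);
var_dump(consume_nonce($db, $n2, $t0 + NONCE_TTL_SECONDS + 1)); // false: expired
```

In the real handler, run consume_nonce() with $_POST['form_nonce'] and time() before doing anything else, and only then apply the referrer check from step 2.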

boyw_utr 05-25-2004 04:52 AM

Quote:

Originally posted by disregard
Here's an algorithm:

When displaying the form:

1. Generate a unique number and store it in a database table with a timestamp.

2. Delete all unique numbers older than 2 hours.

3. Hide the new unique number in the form.

When processing the form:

1. Check the unique number against the database. If it is not there, die();

2. Check the referrer. If it is incorrect, die();

3. Process the form.

Hey, this is also a solution....
But it brings me an even greater and easier idea...

Just start a session in the form and check the session ID in the submit routine... if it's not there, send them to the form on the server with a header....

:thumbsup

bawdy 05-25-2004 04:56 AM

Quote:

Originally posted by boyw_utr
Hey, this is also a solution....
But it brings me an even greater and easier idea...

Just start a session in the form and check the session ID in the submit routine... if it's not there, send them to the form on the server with a header....

:thumbsup

Yeah, this is more like what I was thinking.

Essentially I'm thinking of issuing the form a one-time licence... each time the form is issued a new licence is generated.... maybe not tied to the session ID as this could be easily obtained.

boyw_utr 05-25-2004 04:59 AM

Quote:

Originally posted by bawdy
Yeah, this is more like what I was thinking.

Essentially I'm thinking of issuing the form a one-time licence... each time the form is issued a new licence is generated.... maybe not tied to the session ID as this could be easily obtained.


What kind of license....

You could generate a unique number and store it like a session variable.. I don't think they can obtain that very easily....

kenny 05-25-2004 05:04 AM

Can't you do like Perl and just set the permissions?

bawdy 05-25-2004 05:05 AM

Quote:

Originally posted by boyw_utr
What kind of license....

You could generate a unique number and store it like a session variable.. I don't think they can obtain that very easily....

Yeah, the licence would be stored in a session var.

I was thinking of encoding something like the time and a key value... still haven't thought this bit out fully... but the licence would be unique for the time that it was generated... the key would never be transmitted.... when the form is submitted, decrypt the licence.... not sure if all this is redundant though.
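bawdy's licence idea (the issue time combined with a key that never leaves the server, checked when the form comes back) and boyw_utr's session binding, together as an added example that is not anyone's code from the thread: an HMAC over the issue time and the session ID, verified by recomputing it. Assumes PHP 5.6+ for hash_equals(); the secret, the session ID and the clock values are constructed placeholders.

```php
<?php
// Added example (not from the thread): a signed "licence" token. The browser gets
// "issue_time.hmac"; the HMAC key stays on the server, so a token cannot be minted
// without it, and binding the session id into the MAC means a token lifted from one
// session is rejected in another. No database row is needed, but the token is valid
// until it expires rather than single-use (pair it with a stored nonce if that matters).

const LICENCE_TTL_SECONDS = 2 * 60 * 60;

function issue_licence(string $secret, string $sessionId, int $now): string
{
    $mac = hash_hmac('sha256', $now . '|' . $sessionId, $secret);
    return $now . '.' . $mac;               // e.g. "1700000000.3f2a..." (hex MAC)
}

function verify_licence(string $secret, string $sessionId, string $licence, int $now): bool
{
    $parts = explode('.', $licence, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return false;                       // malformed token
    }
    list($issued, $mac) = $parts;
    $issued = (int) $issued;
    if ($issued > $now || $now - $issued > LICENCE_TTL_SECONDS) {
        return false;                       // expired, or timestamp set in the future
    }
    $expected = hash_hmac('sha256', $issued . '|' . $sessionId, $secret);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Constructed walk-through. In a real handler: session_start(); $session = session_id();
$secret  = 'PLACEHOLDER-server-secret-load-from-config';
$session = 'constructedsessionid123';
$t0      = 1700000000;

$lic = issue_licence($secret, $session, $t0);
$macOnly = substr($lic, strpos($lic, '.') + 1);

var_dump(verify_licence($secret, $session, $lic, $t0 + 30));                     // true
var_dump(verify_licence($secret, 'othersession', $lic, $t0 + 30));               // false: other session
var_dump(verify_licence($secret, $session, ($t0 - 10) . '.' . $macOnly, $t0));  // false: edited time
var_dump(verify_licence($secret, $session, $lic, $t0 + LICENCE_TTL_SECONDS + 1)); // false: expired
var_dump(verify_licence('wrong-secret', $session, $lic, $t0));                   // false: wrong key
```

Embed the value from issue_licence() in a hidden field and call verify_licence() with $_POST's copy, the current session_id() and time() before processing; the secret itself is never written into the page.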

bawdy 05-25-2004 05:08 AM

Quote:

Originally posted by kenny
Can't you do like Perl and just set the permissions?

Not sure I understand what you mean??

kenny 05-25-2004 05:20 AM

Quote:

Originally posted by bawdy
Not sure I understand what you mean??

I am assuming you want to make your server so that it only accepts data submitted from your site.

For example you don't want somebody to copy the HTML of your form and modify it so they can exploit your script or whatnot.

I don't know exactly what you are doing but I prevent this simply by setting the permissions correctly for the script.


Perhaps I don't fully understand what you are trying to do..

grumpy 05-25-2004 05:21 AM

use session_id . Works better.

bawdy 05-25-2004 05:27 AM

Quote:

Originally posted by kenny
I am assuming you want to make your server so that it only accepts data submitted from your site.

For example you don't want somebody to copy the HTML of your form and modify it so they can exploit your script or whatnot.

I don't know exactly what you are doing but I prevent this simply by setting the permissions correctly for the script.


Perhaps I don't fully understand what you are trying to do..

Yeah, that is what I want to achieve.... I will look into your suggestion more... thanks.

kenny 05-25-2004 05:32 AM

Quote:

Originally posted by bawdy
Yeah, that is what I want to achieve.... I will look into your suggestion more... thanks.

I never used PHP so it may differ.

http://www.perlfect.com/articles/chmod.shtml

Perhaps this can help you.

