$_post Help, little help
galexcd
post Apr 7 2006, 02:05 AM
Post #1

Hi, how do I check if the variable is coming from the same server as the page? Example, let's say I have a log in...

The page it submits to says something like this:

$user=$_POST['user'];
$pass=$_POST['pass'];

How do I make sure that somebody didn't make their own form on their computer, or something, to submit the info to my site? I only want submissions from MY site... not somebody else...

Thanks!!
Tyssen
post Apr 7 2006, 02:16 AM
Post #2

You could use one of PHP's reserved variables - http://au.php.net/reserved.variables - to make sure the script has been submitted from your site.
galexcd
post Apr 7 2006, 04:33 AM
Post #3

Not to be annoying or anything, but I'm a little new to PHP. Could you give me an example?

thanks!
Saint_Michael
post Apr 7 2006, 05:06 AM
Post #4

Well, you can make your own forms in PHP that will be directed from your site to your email. What I suggest is to go to pixel2life.com to read up on some of those tutorials and try them out. Also search for PHP form scripts as well, which should help you even more.

But I'm not aware of people making their own form scripts and then emailing it to you; that would be a waste of time and could lead into spamming as well.
WindAndWater
post Apr 7 2006, 08:14 AM
Post #5

What I think Tyssen means is that in your form you should include a hidden field that has the server address (or some other identifying characteristic) and compare it to your actual server address.
CODE
<form action="wherever.php" method="post">
      [All of your form fields]
      <input type="hidden" name="sendingIP" value="<?php echo $_SERVER['SERVER_ADDR']; ?>">
</form>


And then in your second PHP page you can check
CODE
if ($_POST['sendingIP'] != $_SERVER['SERVER_ADDR']) {
    echo "This form was submitted from the wrong server.";
} else {
    // do stuff
}


However, something like the server IP address can also be faked. I'd suggest using sessions instead. A fair session tutorial's at http://codewalkers.com/tutorials/32/1.html
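Building on WindAndWater's suggestion to use sessions, the following is an added example, not code from the original thread, of a form protected by a per-session, single-use token: the page that renders the form stores a random secret in the PHP session and embeds it as a hidden field, and the page that handles the POST accepts the submission only if the field matches the stored copy. The function names (issue_form_token, verify_form_token), the field name form_token and the form markup are this example's own choices; it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the original thread): bind each form to a secret
// kept in the PHP session, so a POST is accepted only if it carries a token
// this server handed out to that same session. Names (issue_form_token,
// verify_form_token, the 'form_token' field) are this example's own choices.

session_start();

// Call when rendering the form: mint a random token and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

// Call when handling the POST: constant-time compare against the stored copy,
// then discard it so a captured token cannot be replayed.
function verify_form_token(array $post): bool
{
    if (!isset($_SESSION['form_token'], $post['form_token'])) {
        return false;                             // nothing issued, or field absent
    }
    $expected = $_SESSION['form_token'];
    unset($_SESSION['form_token']);               // single use
    return is_string($post['form_token'])         // reject form_token[]=... arrays
        && hash_equals($expected, $post['form_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    // ... authenticate $user / $pass here ...
    echo 'Token accepted.';
} else {
    // GET: issue a fresh token and render the form that carries it.
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form action="" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="form_token" value="$token">
  <input type="submit" value="Log in">
</form>
HTML;
}
```

Load the page with GET to receive a form carrying a fresh token, then submit it. A POST assembled elsewhere with a missing or guessed form_token is rejected with 403, and because the token is deleted after one comparison, a token captured from one response cannot be replayed. What this does not do is stop a visitor who fetches the form with their own session and then scripts the submission themselves: they hold a valid token for their own session. The check only distinguishes "came via a form this server issued to this session" from "came from anywhere else", which is as much as the server can learn about where a request was composed.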
BuffaloHELP
post Apr 7 2006, 08:25 AM
Post #6

I have been playing around with a similar call on GFXTrap.com, and I am using $something = $_REQUEST["variable"] as my required input before submitting.

As I understand it, $_POST[ ] accepts no matter what when the submit button is pressed. Using $_REQUEST allows you to place a Boolean condition before submitting.
Hamtaro
post Apr 7 2006, 05:19 PM
Post #7

I'm not sure how easy this can be faked, but one thing you can do is to use $_SERVER['HTTP_REFERER'] and use a string comparison function (like strstr()).
An example could be:
CODE
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (!strstr($referer, 'YOUR_WEBSITE_URL')) {
echo "Error: Incorrect Server!";
}
else {
//Your form stuff here
}

You would need to replace YOUR_WEBSITE_URL with your site's URL, obviously. I'm not sure if HTTP Referers can be disabled in the browser (I think they can), but that may be one of the best options. That's about the only way I would know how to do it.
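As an added example (not code from the original thread) of doing the Referer comparison Hamtaro describes without a substring match: parse the header and compare the host exactly. A strstr() test passes for any URL that merely contains your host name somewhere, and the block goes one step past the single check above by running both tests over several attacker-chosen Referer values. The allowed host www.example.com and the sample Referer strings are constructed for this illustration, and referer_matches_host() is this example's own name; it assumes PHP 7.1 or later for the nullable parameter type.

```php
<?php
// Added example (not from the original thread): check the Referer by parsing
// it and comparing the host exactly, instead of substring-matching the URL.
// The allowed host and the sample Referer values below are constructed for
// this illustration.

const ALLOWED_HOST = 'www.example.com';

// True only when the Referer is an http(s) URL whose host is exactly ours.
function referer_matches_host(?string $referer, string $allowedHost): bool
{
    if ($referer === null || $referer === '') {
        return false;                              // absent or suppressed Referer
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                              // unparseable or relative
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return strcasecmp($parts['host'], $allowedHost) === 0;
}

// Constructed Referer values: one genuine, three that smuggle our host name
// into another site's URL, and one empty (browser or proxy stripped it).
$samples = [
    'http://www.example.com/login.html',             // genuine
    'http://evil.example.net/www.example.com/',      // our host in the path
    'http://www.example.com.evil.example.net/form',  // our host as a prefix
    'http://www.example.com@evil.example.net/',      // our host as userinfo
    '',                                              // Referer stripped
];

foreach ($samples as $ref) {
    $naive  = strstr($ref, ALLOWED_HOST) !== false;  // the strstr() approach
    $strict = referer_matches_host($ref, ALLOWED_HOST);
    printf("%-50s strstr:%-5s host-check:%s\n", "'$ref'",
           $naive ? 'pass' : 'fail', $strict ? 'pass' : 'fail');
}
```

Run it from the command line with php; the substring test passes for all three forged URLs, while the host comparison passes only for the genuine one. Even the strict version relies on a header the client composes, and browsers and privacy proxies routinely omit Referer, so treat a missing header as a reason to require another control (for example a per-session token) rather than as proof of forgery or of legitimacy.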
galexcd
post Apr 8 2006, 05:54 AM
Post #8

Thanks so much, all of you!!!

Especially WindAndWater!

All your help has been greatly appreciated!
Spectre
post Apr 9 2006, 10:04 AM
Post #9

There isn't really a way you can be 100% certain the form data wasn't faked. Referer, cookie and POST data can very easily be sent in a manipulated form. For example, I could forge headers along these lines and send it to your server, and it would be none the wiser:

CODE
POST /script.php HTTP/1.1
Accept: */*
Connection: close
Host: your-host.com
Referer: http://your-host.com/page.html
Cookie: fake-cookie=fake-cookie-data;
Content-Type: application/x-www-form-urlencoded
Content-Length: 3

abc


A session ID can also be easily captured prior to submitting the data (it will most likely be sent either via a cookie, or attached to links), and then be posted along with it. Simply put, and just to re-iterate, there is no 100% certain way you can be sure form data is coming from a page on your server.

This post has been edited by Spectre: Apr 9 2006, 10:06 AM