  1. #1
    me2

    POSTs only from one site

    Is there a way to check if POST requests only come from the host site or not?

    I tried this:
    PHP Code:
    if(isset($_POST) && preg_match("/" . $_SERVER['SERVER_NAME'] . "/i", $_SERVER['HTTP_REFERER'])){
        //code to be executed here
    }

    And I found out that $_SERVER['HTTP_REFERER'] was not set in my phpinfo thing, so that way couldn't work. Ideas or scripts that you use would be appreciated.

  • #2
    CFMaBiSmAd
    The HTTP_REFERER (all the HTTP_xxxxxx) headers are optional, may or may not be set, and can be faked (the popular phproxy web proxy script sets the HTTP_REFERER to be the same as the site being requested so that all requests look like they came from someone already on the site of the page being requested.)

    The best you can do is start a session and set a session variable to some known value on the page your form is on and then start/resume the session on your form processing page and check that the session variable exists with the value you expect. This will require that the person (or a script) at least visits the page that your form is on to establish the session.

    If you are having a problem with spam content, anything you can do to the form to make sure it is your form submitting to your form processing code can be figured out and bypassed. Your form processing code is the last line of defense. You must also validate all input from the form and detect the spam content or email header injection attempts and discard the submitted data.
    Last edited by CFMaBiSmAd; 11-26-2007 at 02:17 AM. Reason: fixed word
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
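
The session check described in post #2, as an added example that is not part of the original thread. It goes one step further than a fixed session value by storing a random per-session token, echoing it in a hidden field and comparing it on submit; the field name form_token, the email field and the single-file layout are assumptions of this example, and it needs PHP 7 or later.

```php
<?php
// Added example: one file that serves the form (GET) and processes it (POST).
// form_token and the email field are names chosen for this example.
session_start();

function issue_token(): string
{
    // Random per-session value instead of a fixed "known value":
    // a script cannot supply it without first loading the form page.
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_is_valid(array $session, array $post): bool
{
    // Both values must exist, be strings, and match (constant-time compare).
    $expected = $session['form_token'] ?? null;
    $supplied = $post['form_token'] ?? null;
    return is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!token_is_valid($_SESSION, $_POST)) {
        http_response_code(403);
        exit('Form was not submitted from this site.');
    }
    unset($_SESSION['form_token']); // single use: a replayed POST fails
    // The token only shows the form page was loaded; still validate every field.
    $email = (string)($_POST['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Invalid e-mail address.');
    }
    exit('Accepted: ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8'));
}
$token = issue_token();
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="email" name="email">
  <button type="submit">Send</button>
</form>
```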

  • #3
    me2
    I have taken your idea and am using sessions now, and it is working great.

    I was just wondering why isset($_POST) always returns true even when I don't submit anything?

  • #4
    CFMaBiSmAd
    A form submits an empty $_POST array when nothing is set, but the variable $_POST exists, so isset() is true.

    You could use empty() instead, it will detect an empty array.