Hello and welcome to our community! Is this your first visit?
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 3 of 3
  1. #1
    New Coder
    Join Date
    Feb 2006
    Thanked 0 Times in 0 Posts

    Read POST only by script from MY domain

    How to make my script check if
    come from within my domain
    (if not - the script should exit)

  • #2
    Senior Coder
    Join Date
    Sep 2005
    Thanked 36 Times in 35 Posts
    The best way to do this would be to set a $_SESSION variable when you output the form, and check for it (and then unset it) when you come to do the form processing.
    Anything of the form $_SERVER['HTTP_XXX'] can be spoofed, so shouldn't be relied upon.

    Really though, you should really be sanitising th $_POST array regardless of where it comes from, so checking shouldn't really be necessary.

    [edit] to realise that I'm not convinced my 1st paragraph (which is essenaitlly the same as the post that follows this) would actually work....will have a think :|
    Last edited by GJay; 02-15-2006 at 07:31 PM.

  • #3
    Regular Coder
    Join Date
    May 2005
    Michigan, USA
    Thanked 0 Times in 0 Posts
    You can use $_SERVER['HTTP_referer'] but it can be changed by the client side. The ebst way to do it is to set something in a db when ever the users is on a page that can call a form then allow them to send the post and whipe the db when they posted the info.
    Note: I do not test code. I just write it off the top of my head. There might be bugs in it! But if any thing I gave you the overall theory of what you need to accomplish. Also there are plenty of other ways to accomplish this same thing. I just gave one example of it. Other ways might be faster and more efficient.


    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts