Form Security
- From: Scott <nospam@xxxxxxxxxx>
- Date: Thu, 09 Mar 2006 14:42:45 -0500
I've been trying to come up with a way to ensure user input is coming from the form on my site, and not auto-submitted from elsewhere, and I don't want to use the "enter the code shown in the image" method. I know the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of doing something similar to this:
<?php
session_start();               // start (or resume) this visitor's session
$code = mt_rand(0,1000000);    // random code for this session
$_SESSION['code'] = $code;     // server-side copy of the code
?>
Then in my form have:
<input type="hidden" name="originator" value="<?=$code?>">
On the page receiving the form:
<?php
session_start();
if(isset($_POST['originator']) && isset($_SESSION['code'])) {
    // compare the submitted code with the one stored in this session
    if($_POST['originator'] == $_SESSION['code']) {
        // process the form
    }
}
?>
I'm looking for feedback on this method. Do you think this is an effective way to ensure the input you're receiving is indeed from your form? Obviously, the random code key will be visible to the client, but without the matching session variable, it will be useless.
Your thoughts?
Scott
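The exchange the post proposes, as an added example that is not part of the original message or its replies. It is a Python simulation rather than PHP so that the server, a browser, a cross-site attacker and a scripted client all run offline in one file; Server, Session, get_form, post_form, extract_token and the client functions are names invented for this simulation, and the only library calls are secrets, hmac and re from the standard library. It swaps in secrets.token_hex() for mt_rand() and hmac.compare_digest() for ==, burns the token after one use, and then runs each client against the check to show what it does and does not prove.

```python
"""Session-bound form token: simulated server plus three kinds of client.

Added example (not code from the original post).  Server, Session, get_form,
post_form and the client functions are invented for this simulation.
"""
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple


class Session:
    """One server-side session record, keyed by the cookie value."""

    def __init__(self, sid: str) -> None:
        self.sid = sid
        self.data: Dict[str, str] = {}


class Server:
    """Stand-in for the PHP session store and the two pages in the post."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _session(self, cookie: Optional[str]) -> Session:
        # session_start(): resume the session named by the cookie, else create one
        if cookie is None or cookie not in self._sessions:
            sid = secrets.token_hex(16)
            self._sessions[sid] = Session(sid)
            return self._sessions[sid]
        return self._sessions[cookie]

    def get_form(self, cookie: Optional[str] = None) -> Tuple[str, str]:
        """The page that renders the form: returns (session cookie, html)."""
        s = self._session(cookie)
        # A fresh token per render from a CSPRNG; only the session keeps the copy
        token = secrets.token_hex(16)
        s.data["code"] = token
        html = '<input type="hidden" name="originator" value="%s">' % token
        return s.sid, html

    def post_form(self, cookie: Optional[str], fields: Dict[str, str]) -> str:
        """The receiving page: 'processed' if the token matches, else 'rejected'."""
        s = self._session(cookie)
        expected = s.data.get("code")
        supplied = fields.get("originator")
        if expected is None or supplied is None:
            return "rejected"
        # Constant-time comparison of the two byte strings
        if not hmac.compare_digest(expected.encode(), str(supplied).encode()):
            return "rejected"
        # Single use: a captured POST cannot be replayed against the same session
        del s.data["code"]
        return "processed"


def extract_token(html: str) -> Optional[str]:
    """What any client, browser or script, can do: read the token off the page."""
    m = re.search(r'name="originator" value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def browser_flow(server: Server) -> str:
    """A browser, or a script imitating one: fetch the form, parse it, submit."""
    cookie, html = server.get_form()
    return server.post_form(cookie, {"originator": extract_token(html), "msg": "hello"})


def cross_site_forgery(server: Server, victim_cookie: str) -> str:
    """An attacker's page makes the victim's browser POST here.  The browser
    attaches the victim's cookie, but the attacker never saw our page, so the
    token in the body is a guess."""
    return server.post_form(victim_cookie, {"originator": "1234", "msg": "spam"})


def replay(server: Server) -> Tuple[str, str]:
    """The same valid POST sent twice."""
    cookie, html = server.get_form()
    body = {"originator": extract_token(html), "msg": "hello"}
    return server.post_form(cookie, body), server.post_form(cookie, body)


def run_demo() -> Dict[str, object]:
    server = Server()
    victim_cookie, _ = server.get_form()          # victim has the form open
    return {
        "browser": browser_flow(server),          # processed
        "forgery": cross_site_forgery(server, victim_cookie),  # rejected
        "no_session": server.post_form(None, {"originator": "1234"}),  # rejected
        "scripted": browser_flow(server),         # processed: the bot fetched first
        "replay": replay(server),                 # ('processed', 'rejected')
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print("%-10s %s" % (name, result))
```

The "scripted" case is the one to look at: a client that loads the form with its own cookie, reads the hidden field and posts it back passes the check exactly as a browser does, so the token proves the form page was fetched in that session, not that a person filled it in. What it does stop is a POST forged from another site with the victim's cookie, a POST with no session, and a replay of a captured body. In PHP the pieces used here map onto random_bytes() with bin2hex() for the token, hash_equals() for the comparison, and unset($_SESSION['code']) to make the token single use.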
- Follow-Ups:
- cURL -> GreaseMonkey
- From: Csaba Gabor
- Re: Form Security
- From: Scott
- Re: Form Security
- From: Chung Leong
- Re: Form Security
- From: Justin Koivisto