Re: Form Security
- From: "Chung Leong" <chernyshevsky@xxxxxxxxxxx>
- Date: 9 Mar 2006 14:27:02 -0800
Scott wrote:
I've been trying to come up with a way to ensure user input is coming
from the form on my site, and not auto-submitted from elsewhere, and I
don't want to use the "enter the code shown in the image" method. I know
the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
doing something similar to this:
<?php
session_start();
$code = mt_rand(0,1000000);
$_SESSION['code'] = $code;
?>
Then in my form have:
<input type="hidden" name="originator" value="<?=$code?>">
On the page receiving the form:
<?php
session_start();
if(isset($_POST['originator'])) {
if($_POST['originator'] == $_SESSION['code']) {
// process the form
}
}
?>
I'm looking for feedback on this method. Do you think this is an
effective way to ensure the input you're receiving is indeed from your
form? Obviously, the random code key will be visible to the client, but
without the matching session variable, it will be useless.
Your thoughts?
Scott
Yes, that's precisely what you want to do. The function uniqid() can
also be used to generate the random key.
A check on HTTP_REFERER is actually sufficient too, since ordinary
users aren't going to be spoofing the Referer headers.
.
- Follow-Ups:
- Re: Form Security
- From: Jerry Stuckle
- Re: Form Security
- From: Justin Koivisto
- Re: Form Security
- References:
- Form Security
- From: Scott
- Form Security
- Prev by Date: Re: Form Security
- Next by Date: Re: Update statement causes mysql varchar field to be set to empty string
- Previous by thread: Re: Form Security
- Next by thread: Re: Form Security
- Index(es):
Relevant Pages
|
