Re: [PHP] secure alternative to HTTP_REFERER



AraDaen wrote:
I'm looking for info about a secure alternative to the use of $_SERVER['HTTP_REFERER'] to check in a script where the
$_POST vars are arriving from.

You could put a hash value into a hidden field on the form, and also store it in the session. When the form is submitted, only accept it if the hashes match.

However, this is very easy to get around, so I suggest you consider why you think you need this level of checking. Assuming you're properly validating and escaping all input coming from outside the app, IMHO this type of "security" should not be needed.

-Stut
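The hidden-field token that Stut describes, written out as an added example (this is not code from the original thread). It assumes a single self-submitting page with a `comment` field; the form field name `csrf_token` and the session key of the same name are my choices. The token is random rather than a hash of something guessable, is generated with PHP's CSPRNG, and is compared in constant time with `hash_equals()`:

```php
<?php
// Added example, not from the original post: a session-bound token in a
// hidden field, as the reply suggests, in place of checking HTTP_REFERER.

declare(strict_types=1);

session_start();

// Issue one token per session. 32 bytes from the CSPRNG, hex-encoded so the
// value survives an HTML attribute unchanged. The session key 'csrf_token'
// is an assumed name, not anything from the thread.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time, so a mismatch does not reveal how
// many leading characters were correct the way == or === would.
function csrf_valid(?string $submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }

    // The token only proves the POST was made with a form issued to this
    // session. Every field still has to be validated and escaped on its own.
    $comment = trim((string)($_POST['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 1000) {
        http_response_code(400);
        exit('Comment must be between 1 and 1000 characters.');
    }
    echo 'Received: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <textarea name="comment"></textarea>
  <button type="submit">Send</button>
</form>
```

Why this is stronger than the referer check: HTTP_REFERER is just a request header, so any client can set it to whatever it likes, and many browsers and proxies strip it altogether. The token, by contrast, lives only in this user's session and in a page served to that same session, so a form on another site cannot know it. A token that is used for every form in the session (as above) is simpler to manage; a per-form token costs a little more bookkeeping but limits the damage if one page leaks it. Either way, as the reply says, the token is no substitute for validating and escaping each submitted field.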