Must submit from that form.

lucidfx

I was wondering how to make a form so that the person must submit from that form.
ie. If there is a web form you can make your own form with the same named variables and then put the action to =http://thewebsite.com/theformname.php

But I dont want people to be able to do that. Can i check that the person submitted that data from that Form and not any other form, without using sessions?

Thanks.

tinuviel

Ryan,
Your question is really confusing...can you restate it with a better example and I'll try to help, Thanks!
Tin

Ryan Doom wrote:

But I dont want people to be able to do that. Can i check that the person submitted that data from that Form and not any other form, without using sessions?

Thanks.

lucidfx

Ok.
when you have a form you set an action to it
like the form is index.php and you set the action to index.php and then check if $submit it set then do whatever the form should do.

BUT. someone could find what values are in the form and make a page of their own to manipulate <hidden> values and then submit those to change how the form works.

I was just wondering for added security if there is an easy way to check that the form was submitted from the real form. and not an artifical one.

make more sense?

craigh

how about including a hidden form field that you check and see if it is what you set. Since they wouldn't be able to check that, they won't know to set it at a certain value - of course you must be using POST and not GET for the field values to be hidden.

lucidfx

If you put a hidden value in the form though you can still view source and see that
<hidden =whatever>

so they can do the same.

craigh

yeah - hadn't thought of that. but at least it takes a determined hacker to get that far...

;-)

kparker

Looking at $HTTP_REFERER is better, but still far from secure.

lucidfx

Hahah I don't want to list a website on here but there was a site that had this as a weak point so i was wondering what to do. They put a price value in a hidden field. Im building an ecommerce site right now and dont put any price fields in like that i always grabs from the db for security purposes, but it would be cool to super verify that. Well i just made a copy of that form and changed the prices to a penny and submitted and it added it to the cart as that price on their website. So, they better have someone eye over those orders.

lucidfx

ok maybe ill try that and see how good that works out.

thanks

Anon

How about registering a session variable on the initial form page. There is no way to fake a session id from another domain unless you specifically allow this.

Since sessions all go on behind the scenes (server side), there will be no evidence of this to the possible attacker.

<?php
session_start();
if (!isset($submit)){ //Display Form
echo "<form action=index.php>";
echo "<input type=text name=textbox1>";
echo "<input type=hidden name=submit value=submit>";
echo "<input type=submit value='GO'>";
echo "</form>";
$session_ok="VALID";
session_register("session_ok");
}

else { //Act on form submission
if (session_is_registered("session_ok"){
//Do you stuff because the session is registered
}
else {
// I would log and redirect the individual
}
}

This is pretty rough but I think it will work. I'm sure there may be another way to do this. There always is. I'm sure if this is totally wrong someone will let me know. 🙂

lucidfx

Thanks, no thats not wrong, i just wanted to verify it without overhead of session variables just wondering if there was some cool way in php to do it that i wasn't aware of.
Thanks though 🙂

Ryan