Remote spoofing?

trooper

Whats the best way to prevent a valid user from viewing the source of a page and then saving it to their local server, changing a few values in the fields and posting to the server?

I want to somehow ensure that the script is being run on the correct server and not from someones local box (where they have edited some variable values)

Any ideas anyone

CHeers

planetsim

It wont stop them from viewing source or creating new feilds..

But
You should check where the form has come from.. And always check user input.. Changing field names shouldnt do anything if you have checked user data.

trooper

I do check my user input very carefully

i do all the right things - htmlentities / addslashes / trim etc

The reason i say a valid user is that the system has a login check so you need to be logged in to get in.

Thought about using $_SERVER['HTTP_REFERE'] but thats not good enuf

i did a if the referer doesn't have the site url in it then kick em out

I'd like to prevent people from actualy getting the to the damn script.

Hmm am racking ma brains on this one

How to stop a POST from anywhere apart from the site server

planetsim

You can always disable right click but that wont stop people from viewing your source.

Thats why i suggested making sure you check user input.

htmlentities / addslashes / trim is a good start...

make sure register_globals = off

HTTP_REFERER doesnt always work.. So i dont suggest using that.

So im not too sure on what you should do.. Maybe make a hidden feild for it.. Then use HTTP_REFERER to make sure..

You could probably search on this topic... Im sure there has been someone that has done a function to check all userdata..

trooper

Its not the actual user data that will be the problem but where the script origniated from you know

THankd for ya help

You on yahoo messenger?

planetsim

dont use YIM, Use MSN..