simple question about post variables

mahmoudawad2004

i made a simple form to POST variables in "form.php" to "result.php"

but when i send these variables from any where or even from any file containing the varibales it affects the "result.php"

is there a way to restrict the variables to be sended only from the "form.php" file or the file i want ??

and thanks all for help

rpanning

Put a hidden field in the form. Ex:

<input type="hidden" name="from_form" value="yes">

Then check for that variable before processing the rest. Ex:

if (!isset($_POST['from_form']) || $_POST['from_form'] != 'yes') {
    exit('Error: Must send data from form.php');
}

mahmoudawad2004

thanks alot ..

but if anyone save the page form.php he will see this hidden content as it is html code and be able to send the information ... 🙁

rpanning

You could randomly generate the value of that hidden file. And then check if it matches on the second. This would be a little more complicated.

Another thought would be to use sessions and just set a session variable on form.php then check for it in result.php. They can't edit a session variable. Ex:

// form.php
session_start();
$_SESSION['from'] = 'form.php';
// Have the form here...


// results.php
session_start();
if (!isset($_SESSION['from']) || $_SESSION['from'] != 'form.php') {
    exit('Error: Must send data from form.php');
}

That might be a better solution as then you could change that from variable to the current page. So you could track were they're coming from on each page.

rehfeld

theres lots of ways you could make it harder for someone to do it(like above), but you cant really stop them.

one example would be to use sessions to store some data on the server. when they request the form, set a session variable to note that they got the form from you.

then when accepting the form, make sure that session variable exists.

but that will not stop them from getting the form from you, and then submitting thier own form from somewhere else.

you could even store a key in their session variable, and use that key to encrypt/decrypt the form field names, and do this both serversie and clientside with js, but all it will do is make it harder for them, it wont stop them.

mahmoudawad2004

thanks alot .. this i solved a part of this problem ...

but is there any way to know the page the let the user go to my page (result.php) ... ??