Security Issue?

renegade33

I have a registeration page where people register to my site and I add them to the database. Now I know it's possible for people to simple go to "File\Save As". download the html version, put in whatever info they want and change the <form action path to the FULL URL which would submit it to my page with their custom information. Even though I use htmlspecialchars in order to prevent SQL injection. Is there an easier way to make sure that only pages from that domain can submit a form?

the onnly way I thought of doing it is using $_SERVER['HTTP_REFERER']; and looking at it to see if it contains my server's IP or domain name.. and if not then don't let them register and track their IP.

this seemed to work when i tested it but then today when i looked i saw around 54 IP addresses there.. around 17 unique ones.. some were googlebots but others were just normal IPs.. i know they cant ALL be trying to register with a custom page. SO whats an easier way to accomplish this?

thanks a lot

renegade33

anyone??!!!

scott300

convert the login into a .php file then no one can take the source caus php is a server side script

renegade33

haha thast not my problem.. the file IS in php.. but once you get the php file on the client side.. you can save the html version of it.. change the ACTION tag in a form and submit it back to the server

madwormer2

You could set a session variable, and check it, but this is easily gotten around.

HTTP_REFERRER is also not very reliable, and can often be empty.

To be perfectly honest, as a small site, I doubt people are going to really want to "cheat" the signup process. As long as there are people out there that want to, they will.

Just don't panic, and let it pass, it's not really that much of a security problem, especially if they can just visit the site and do it from there anyway.