Howdy folks...new registrant here. I've used PHP casually for a couple years, but not extensively. I'm working on a simple feedback page for a site that sends mail through a form. PHP will be used to send the mail based on data posted to it from the previous page.

The question is can I tell where the _POST data came from somehow? What's to prevent someone from figuring out variable names and POSTing from a page they wrote themselves? I'm hoping there's a way to stop processing if it's not posted from the place I specify.

Thanks in advance,

Andy

    You can check $_SERVER['HTTP_REFERER'], but that can be spoofed.

    I suggest that you just validate all incoming data.

      Thanks for the input...I just thought maybe PHP might be more "aware" of where stuff was coming from. I don't think it will be a problem as people won't pick the destination email address, I just wanted to look into this before a problem could potentially arise.

        Create a function that creates a hash of a string which you can then put into your form as a hidden var, then check the return of the function against the $_POST of it. So something like:

        [phpcode]
        // Builds a per-page, per-visitor token to drop into a hidden form field.
        // $WS is the poster's own session class and getRemoteIP() their helper;
        // neither is shown in the thread. $_SERVER is a superglobal and needs
        // no "global" declaration.
        function getSessionHash($tag = false) {
            global $WS;

            if (!$tag) $tag = $_SERVER['PHP_SELF'];
            $label = $tag . getRemoteIP() . @$WS->SessID;
            return base_convert(md5($label), 16, 36);
        }
        [/phpcode]

        In this case $WS is a session class, not the normal PHP session one but one we use here, but you get the idea. Also getRemoteIP() is a function we have to get the IP address as a string of proxy:ip

          Users will always be able to make unauthorised modifications to posted fields.

          Although you can prevent CSRF using the method suggested above by TF@TheMoon, you can't prevent deliberate POST modifications that way.

          You MUST validate EVERYTHING. There is no substitute. Posted data comes in via the browser, which can easily be subverted to post different values from the ones you intended. Specifically, the "Web Developer" extension for Firefox allows modification of hidden fields etc.

          Mark
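Putting the two replies above together (the hidden-field token from TF@TheMoon and the validate-everything point from Mark), here is an added example that is not code from anyone in the thread: a per-session CSRF token using PHP's standard session extension rather than the $WS class, followed by server-side validation of each posted field. The field names (email, subject, message) are assumed for illustration.

```php
<?php
// Added example, not code from the thread: a per-session CSRF token for
// the feedback form plus server-side validation of every posted field.
// Assumes PHP's standard session extension (not the $WS class above).
session_start();
// One random token per session; stored server-side, echoed into the form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Constant-time comparison so a wrong guess leaks no timing information.
function csrf_token_valid($posted): bool {
    return is_string($posted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $posted);
}
// The token only proves the POST came from a form this site served; the
// field values still come from the client and must be checked one by one.
function validate_feedback(array $post): array {
    $errors = [];
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    $subject = trim((string)($post['subject'] ?? ''));
    // CR/LF in a header value would let the sender append extra mail headers.
    if ($subject === '' || strlen($subject) > 100 || preg_match('/[\r\n]/', $subject)) {
        $errors[] = 'invalid subject';
    }
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'invalid message';
    }
    return $errors;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or stale.');
    }
    $errors = validate_feedback($_POST);
    // On success, build the mail from the validated values only; the
    // recipient address stays hard-coded server-side, never a form field.
} else {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="csrf_token" value="' . $token . '">';
    echo '<!-- email, subject, message inputs here --></form>';
}
```

The token check rejects posts not originating from a form this server issued to that session, which is what the original question asked for; the validation step is what actually protects the mail call, since a legitimate session can still submit altered field values.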
