source of form submit

cody7

What is the best way to detect the URL where the form has been submitted, here’s an example

"www.domain.com/page1.php" has a form that will be submitted to "www.domain.com/page2.php". I need to be sure that all variables that will be submitted to page2.php are from page1.php of the same domain or else I have to deny the request.

Thanks you for your help

rowanparker

Well, you could check the referrer but be warned that can easily be faked.

Another way, you could put a random string in the form as a hidden value (and store it to a session var) then just check for it (against the session var) on the next page.

bpat1434

You could use the referer header (note that it's "REFERER" not "REFERRER" in the $_SERVER array); but as rownparker said it's easily faked AND not all servers will send them.

The random token might help, except that too can easily be faked. What you could do is use an encryption method ([man]mcrypt[/man]) and encrypt the url and store that as a hidden field on page1.php. Then on page2.php decrypt it. If that decrypted line doesn't have the URL you want in it, then deny it.

Also, in order to make it look "random" so that a hacker doesn't get the bright idea to try and guess at your encryption, try prepending it with the current time, and appending the URL with the time. That way the beginning and end always changes.