Hi,
In some situations we have to use client-side code in order to format inserted or updated contents using a form. This may be clear when using a text-area replacement such as FCK Editor. We need a way to prevent the following scenario:
The user browses to the form page http://www.mysite.com/form.php. There he will use the browser's Save As and save the complete HTML page of the form page.
Now he is ready to change the source code of the page. He will find the form tag's action is set to form.php. All he has to do is set it as action="http://www.mysite.com/form"... and he may make some additional modifications to the text-area replacement so he may set it back to a text-area and then make its value whatever he wants. These values may be at least some customized HTML tags which may corrupt the look and feel of the page that renders the contents.
You should remember that we need a rich text editor, but with some customization to control the content appearance.
All he has to do now is hit submit and the data will be inserted or modified. The session does not play any role in this situation because he already registered a session by his first entrance.
I'd like to discuss the role that $_SERVER['HTTP_REFERER'] may play in such situations. Suppose this demonstrative code:
<?php
// we will use a function to test $_SERVER['HTTP_REFERER'];
// the header may be absent, so default it to an empty string
if (chkRefere($_SERVER['HTTP_REFERER'] ?? '')) {
    // returns true: OK, do SQL
} else {
    // print out error and die
    die('Invalid referer');
}
The chkRefere function will use the fact that $_SERVER['HTTP_REFERER'] will have a blank value if the request comes from the client's computer, and also that if it comes from another website the referer will not match the website URL, i.e. it should check for the presence of:
http://www.mysite.com at the start of the string value of $_SERVER['HTTP_REFERER'], or return false.
What do you think about this technique? Is there anything missing? Is there any way to beat it? Or may it produce troubles in ordinary script execution?
I'm waiting for your replies...
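As an added example, not part of the original post: the referer check as described, alongside the server-side controls a form handler needs with it, since the referer header and the form fields both arrive from the client. It assumes the site URL http://www.mysite.com, an already started PHP session, and hypothetical function names (chkRefere follows the post; checkFormToken, cleanRichText and handleFormPost are made up here).

```php
<?php
// Added example, not from the original post. Assumes the site URL
// http://www.mysite.com, session_start() already called, and that
// form.php rendered $_SESSION['form_token'] into a hidden field.
declare(strict_types=1);
const SITE_ORIGIN = 'http://www.mysite.com';

// The post's check. Referer is optional and client-supplied, so treat it as
// one signal, not the only control. Compare the parsed scheme and host
// instead of a raw string prefix so that only the exact host passes.
function chkRefere(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false; // a page saved to disk (file://) sends no referer
    }
    $scheme = parse_url($referer, PHP_URL_SCHEME);
    $host   = parse_url($referer, PHP_URL_HOST);
    return is_string($scheme) && is_string($host)
        && strtolower($scheme . '://' . $host) === SITE_ORIGIN;
}

// Per-session token, created with bin2hex(random_bytes(32)) when form.php
// is rendered, that must match on every submit (compared in constant time).
function checkFormToken(?string $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['form_token'])
        && hash_equals($_SESSION['form_token'], $submitted);
}

// Enforce the editor's formatting rules on the server, whatever the client
// sent. strip_tags() keeps attributes on allowed tags, so only attribute-
// free tags are listed; use a full sanitizer (e.g. HTML Purifier) for more.
function cleanRichText(string $html): string
{
    return strip_tags($html, '<p><br><b><strong><i><em><ul><ol><li>');
}

// form.php handler: all checks run before any SQL.
function handleFormPost(array $post, array $server): array
{
    if (!chkRefere($server['HTTP_REFERER'] ?? null)) {
        return ['ok' => false, 'error' => 'missing or foreign referer'];
    }
    if (!checkFormToken($post['form_token'] ?? null)) {
        return ['ok' => false, 'error' => 'invalid form token'];
    }
    $content = cleanRichText((string) ($post['content'] ?? ''));
    // store $content with a prepared statement here
    return ['ok' => true, 'content' => $content];
}
```

The referer and token checks reject requests that do not originate from the live form page, while cleanRichText is what keeps unwanted markup out of the stored content regardless of what the browser-side editor was changed to.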