Avoiding someone to $_POST variables from other external website

spighita

Hello,
How do I avoid in my php code to check if the $POST variables are coming from the internal website and not someone is who is trying to $POST variables from an external website.

Would a HTTP_REFERER be enough?

Thank you,

laserlight

No, HTTP_REFERER can be forged. Generally, treat all incoming data as suspect. You can also search the Web concerning cross site request forgery protection in PHP as an additional measure that perhaps more directly addresses what you are trying to protect against.

knowj

Simply and REALLY dirty:

<?php
session_start();
//you would also need to check that both variables have been set
if ($_POST['hash']===$_SESSION['hash'])
{
//usual validation and data cleansing
}
else
{
echo 'Validation failed please try again!';
}
//set a session containing a hashed unique key
$_SESSION['hash'] = md5(time().rand(0, 50000));
?>
<form action="" method="post">
<fieldset>
<!-- your usual form fields -->
<input type="hidden" name="hash" value="<?=$_SESSION['hash']?>" />
</fieldset>
</form>

Ideally you would also be using SSL to reduce the risk of session hijacking.

spighita

Great answers. Thank you for your help.