On Sat, August 12, 2006 5:57 pm, Afan Pasalic wrote:
> You're talking about something like captcha, right?
No.
FORM PAGE:
<?php
$token = uniqid();
//the following line is a gross abuse of a lack of error-checking:
mysql_query("insert into tokens (token, used) values('$token',
'valid')";
?>
<form ...>
<input type="hidden" name="token" value="<?php echo
htmlentities($token);?>" />
</form>
PROCESSING PAGE:
<?php
$token = $_POST['token'];
//validate token here as 32-char alphanumeric or whatever uniqid()
outputs...
$used = mysql_query("select used from tokens where token = '$token'");
$used = mysql_result($used, 0, 0);
if ($used == 'valid'){
//process form (more bad code follows)
mysql_query("update tokens set used = 'invalid' where token =
'$token'");
}
else{
//You cannot re-submit this form. Sorry.
}
?>
> Richard Lynch wrote: On Sat, August 12, 2006 1:55 pm, Afan Pasalic
> wrote: could I use this code to check if form is submitted
> from the same page/same domain if ($_POST['form_submitted'] ==
> 'Yes') { if (preg_match($_SERVER['HTTP_HOST'],
> $_SERVER["HTTP_REFERER"]) == 0) { die ('^&%*^%#@#');
> } } No. HTTP_REFERER is completely unreliable. If you
> want to be sure of the source of your POST data coming from your
> form, you need to send a unique unpredictable token in the FORM, and
> log it when you send the FORM, and then compare what comes back.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
