RE: script to check if form is submitted from the same page?

And I assume that this should be reused to minimize the time spent on this
by creating a form class or function, correct?

I have been thinking about this too, and it makes a lot of sense to do it
like this.

/Peter


-----Original Message-----
From: Richard Lynch [mailto:ceo@xxxxxxxxx] 
Sent: Tuesday, August 15, 2006 7:47 AM
To: Afan Pasalic
Cc: ceo@xxxxxxxxx; php-general@xxxxxxxxxxxxx
Subject: Re:  script to check if form is submitted from the same page?

On Sat, August 12, 2006 5:57 pm, Afan Pasalic wrote:
> You're talking about something like captcha, right?

No.

FORM PAGE:
<?php
  $token = uniqid();
  //the following line is a gross abuse of a lack of error-checking:
  mysql_query("insert into tokens (token, used) values('$token', 'valid')");
?>
<form ...>
  <input type="hidden" name="token" value="<?php echo htmlentities($token);?>" />
</form>

PROCESSING PAGE:
<?php
  $token = $_POST['token'];
  //validate token here as 32-char alphanumeric or whatever uniqid()
  //outputs... (a default uniqid() is 13 hex characters; reject anything
  //else before it reaches the query):
  if (!preg_match('/^[0-9a-f]{13}$/', $token)) {
    die('Bad token.');
  }
  $used = mysql_query("select used from tokens where token = '$token'");
  $used = mysql_result($used, 0, 0);
  if ($used == 'valid'){
    //process form (more bad code follows)
    mysql_query("update tokens set used = 'invalid' where token = '$token'");
  }
  else{
    //You cannot re-submit this form.  Sorry.
  }
?>

> Richard Lynch wrote:
> > On Sat, August 12, 2006 1:55 pm, Afan Pasalic wrote:
> > > could I use this code to check if form is submitted from the same
> > > page/same domain
> > >
> > > if ($_POST['form_submitted'] == 'Yes') {
> > >     if (preg_match($_SERVER['HTTP_HOST'], $_SERVER["HTTP_REFERER"]) == 0)
> > >     {
> > >         die ('^&%*^%#@#');
> > >     }
> > > }
> >
> > No.  HTTP_REFERER is completely unreliable.  If you want to be sure of
> > the source of your POST data coming from your form, you need to send a
> > unique unpredictable token in the FORM, and log it when you send the
> > FORM, and then compare what comes back.


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
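The single-use token scheme Richard describes, as an added example that is not from the thread: the token comes from the CSPRNG instead of uniqid(), its shape is checked before any lookup, and it is burned on first use so a resubmit or replay is refused. The $store array is an assumption standing in for his "tokens" table (or $_SESSION); the requests at the bottom are constructed stand-ins for real $_POST data.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a minted token stays acceptable

// FORM PAGE: mint an unpredictable token and record when it was issued.
// $store is a hypothetical in-memory stand-in for the tokens table.
function issue_token(array &$store, int $now): string {
    $token = bin2hex(random_bytes(16));   // 32 hex chars, not guessable
    $store[$token] = $now;
    return $token;
}

// Render the hidden field; escape so the value cannot break the attribute.
function hidden_field(string $token): string {
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// PROCESSING PAGE: accept a token exactly once, within its lifetime.
function consume_token(array &$store, ?string $token, int $now): bool {
    // Shape check first: anything but 32 lowercase hex chars never touches the store.
    if ($token === null || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return false;
    }
    if (!isset($store[$token])) {
        return false;                     // never issued, or already consumed
    }
    $issued = $store[$token];
    unset($store[$token]);                // single use: burn it before processing
    return ($now - $issued) <= TOKEN_TTL; // stale tokens are refused too
}

// Demo with constructed inputs.
$store = [];
$now   = time();
$t     = issue_token($store, $now);
echo hidden_field($t), "\n";
var_dump(consume_token($store, $t, $now));                    // first submission
var_dump(consume_token($store, $t, $now));                    // same token resubmitted
var_dump(consume_token($store, str_repeat('a', 32), $now));   // well-formed but never issued
var_dump(consume_token($store, "' or 1=1 --", $now));         // malformed value
$late = issue_token($store, $now);
var_dump(consume_token($store, $late, $now + TOKEN_TTL + 1)); // issued, but expired
```

In a real deployment the store must be per-user (session or a table keyed to the session), otherwise one visitor's token would satisfy another visitor's submission.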
