RE: extracting the file name from the referrer

On Fri, 17 Nov 2006 17:54:56 -0600, John wrote:

> R> you may want to look at the parse_url and explode functions.
> Thanks, I'll look into that
Also, try basename().

> R> you do realize that the referer, should it exist <...>
> Good point, thanks for pointing that out.  Yes, I was aware of that; it
> didn't come to mind.  The security isn't so much an issue as that's already
> handled, though if someone has their referrers turned off, it would be a
> problem.
> 
> I'm trying to establish three things before I do a block of processing
> a) a form was submitted
> b) a processing flag was previously set to process
> c) the form/data being submitted/processed is from the correct page - which
> was where the referring url came in.
> 
> Any other suggestions or alternatives for c?
Well, it depends on how secure you want it to be. You could do:

echo '<INPUT type="hidden" name="referrer" value="' .
     md5(basename($_SERVER['PHP_SELF'])) . '">';

on the form page, and check for the value on the receiving page:

if (empty($_POST['referrer']) || !in_array($_POST['referrer'],
$list_of_known_md5_pages)) {
    // User is messing with ya!
} else {
    // OK, let 'm through.
}

I would recommend adding a little string to the filename right before it's
md5'ed, as a smart user may quickly figure out
md5(basename($_SERVER['PHP_SELF'])) and forge it.

Ivo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
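The page-origin check Ivo describes, written out as an added example (not code from the thread): the hidden field carries a keyed hash of the originating script's basename, and the receiving page matches it against its known pages. The secret, the page names and the function names are assumptions; the one substitution is hash_hmac() plus hash_equals() in place of md5(name . salt) and in_array(), so the token cannot be recomputed without the server-side secret and the comparison does not leak via timing.

```php
<?php
// Added example, not from the original thread: a page-origin token for a form,
// following Ivo's hidden-field idea with a keyed hash instead of a bare md5().

// Assumed server-side secret; in practice load it from config outside the web root.
const FORM_ORIGIN_SECRET = 'replace-with-a-long-random-secret';

// Assumed list of pages whose forms this handler accepts (basename of the script).
const KNOWN_FORM_PAGES = ['contact.php', 'order.php'];

function form_origin_token(string $page, string $secret = FORM_ORIGIN_SECRET): string {
    // HMAC over the page name: without the secret nobody can compute a valid token,
    // unlike md5(basename($_SERVER['PHP_SELF'])), which anyone can reproduce.
    return hash_hmac('sha256', basename($page), $secret);
}

function hidden_origin_field(string $page): string {
    // Emit this on the form page (e.g. hidden_origin_field($_SERVER['PHP_SELF'])).
    $token = htmlspecialchars(form_origin_token($page), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="referrer" value="' . $token . '">';
}

function origin_page_from_token(?string $token, array $known_pages = KNOWN_FORM_PAGES): ?string {
    // On the receiving page: find which known page (if any) produced this token.
    // hash_equals() compares in constant time, so a near-miss token reveals nothing.
    if ($token === null || $token === '') {
        return null;
    }
    foreach ($known_pages as $page) {
        if (hash_equals(form_origin_token($page), $token)) {
            return $page;
        }
    }
    return null;   // unknown or forged token: do not run the processing block
}

// Usage on the receiving page (assumes the form POSTed to this script):
//   $page = origin_page_from_token($_POST['referrer'] ?? null);
//   if ($page === null) { /* User is messing with ya! */ } else { /* OK, process */ }

// Self-check with constructed input.
$good = form_origin_token('/var/www/html/contact.php');
$bad  = md5('contact.php');   // what someone guessing the unsalted scheme would send
assert(origin_page_from_token($good) === 'contact.php');
assert(origin_page_from_token($bad) === null);
assert(origin_page_from_token(null) === null);
```

The token only identifies which page produced the form, as John's point c) asks; it is not bound to a user or session, so it does not replace a per-session anti-forgery token.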
