> Not sure if I posted about this yesterday, anyway new > question. > I'm building a multi page form. So I"m using hidden > fields and echoing them to the next page in the loop. > > Now someone tells me this is dangerous. > "because someone can save the final page (with most > of the hidden values) locally, edit it, then load it > and submit from it to your final page, overcoming ALL > your previous validations. (yes, this is possible > for someone that knows how to ditch the HTTP_REFERRER > information)" > > So, a) guess I'd like to see if this is true. I > thought HTTP_REFERRER was the server variable for > grabbing everything before the script. Aside from > that there is nothing in the URL. > > I see these forms quite a bit. What do people think ? just use sessions instead of hidden fields http://us4.php.net/session dont use HTTP_REFERER for anything. It can and is not sent many times and is also not reliable. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
