Hello Pablo,

Thursday, April 8, 2004, 6:32:06 PM, you wrote:

PG> At any rate, if you're relying on HTTP_REFERER to make sure a script is
PG> being called from a certain location, I don't think it's very reliable.
PG> Does anyone have any ideas as to a workaround for this?

There are probably better, but I did come up with something specifically for this a while ago:

Basically all form input went via a redirect script first. Form 1 (in the user's browser) submits everything to a PHP script that does nothing but suck in all of the $_POST values and then itself redirects this to the actual PHP processing script it was meant for. It redirects using an HTTP header and POSTing all of the form values it had received originally. When developing I used the Snoopy class to handle this for me.

It works for 2 reasons (1) you ALWAYS know the IP address of the script you are receiving the data from (because it's the same server*) and (2) the redirect script can also add an extra POST variable that identifies it is from a secure source (perhaps a private key, or md5 hash or similar). Or it could use your own HTTP headers or User Agent for further checks.

* although it doesn't have to be

Downsides: Your site is effectively processing all form data twice. Depending on traffic/size of forms/etc this probably isn't desirable. But, it does actually work and AFAIK cannot be easily spoofed.

--
Best regards,
 Richard Davey
 http://www.phpcommunity.org/wiki/296.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
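
The extra POST variable described in the message above, sketched as an added example that is not part of the original post or Richard's code: the relay script tags the forwarded fields with an HMAC-SHA256 over them (a keyed hash, used here in place of the plain md5 hash the message mentions) and the processing script checks that tag. The secret, the `relay_sig` and `relay_ts` field names, the 60-second window and the function names are all assumptions.

```php
<?php
// Added illustration: RELAY_SECRET, relay_sig and relay_ts are hypothetical names.
// In practice the secret lives in configuration outside the web root, not in source.
const RELAY_SECRET = 'constructed-example-secret-change-me';
const MAX_AGE_SECONDS = 60;

// Canonical form of the fields: sorted by key so both scripts sign identical bytes.
function canonical_fields(array $fields): string
{
    unset($fields['relay_sig']);
    ksort($fields);
    return http_build_query($fields);
}

// Relay script side: tag the received POST values before forwarding them.
function relay_sign(array $post, int $now): array
{
    $post['relay_ts'] = (string) $now;
    $post['relay_sig'] = hash_hmac('sha256', canonical_fields($post), RELAY_SECRET);
    return $post;
}

// Processing script side: accept only data carrying a fresh, valid tag.
function relay_verify(array $post, int $now): bool
{
    if (!isset($post['relay_sig'], $post['relay_ts'])
        || !is_string($post['relay_sig']) || !is_string($post['relay_ts'])) {
        return false; // missing or array-typed fields
    }
    if (abs($now - (int) $post['relay_ts']) > MAX_AGE_SECONDS) {
        return false; // stale: limits reuse of a previously forwarded request
    }
    $expected = hash_hmac('sha256', canonical_fields($post), RELAY_SECRET);
    return hash_equals($expected, $post['relay_sig']); // constant-time compare
}

// Constructed sample input standing in for $_POST from Form 1.
$form = ['name' => 'Alice', 'comment' => 'hello'];
$forwarded = relay_sign($form, time());

var_dump(relay_verify($forwarded, time()));                           // relayed data
var_dump(relay_verify($form, time()));                                // posted directly, no tag
var_dump(relay_verify(['comment' => 'edited'] + $forwarded, time())); // altered after signing
```

Because the tag covers the field values and a timestamp, the processing script can reject data that skipped the relay or was changed after it, independently of the source IP check in point (1).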