11-26-2007, 01:52 AM
Is there a way to check if POST requests only come from the host site or not?

I tried this:

if(isset($_POST) && preg_match("/" . $_SERVER['SERVER_NAME'] . "/i",$_SERVER['HTTP_REFERER'])){
    //code to be executed here
}

and I found out that $_SERVER['HTTP_REFERER'] was not set in my phpinfo thing, so that way couldn't work. Ideas or scripts that you use would be appreciated.

11-26-2007, 02:13 AM
The HTTP_REFERER (all the HTTP_xxxxxx) headers are optional, may or may not be set, and can be faked (the popular phproxy web proxy script sets the HTTP_REFERER to be the same as the site being requested so that all requests look like they came from someone already on the site of the page being requested.)

The best you can do is start a session and set a session variable to some known value on the page your form is on and then start/resume the session on your form processing page and check that the session variable exists with the value you expect. This will require that the person (or a script) at least visits the page that your form is on to establish the session.

If you are having a problem with spam content, anything you can do to the form to make sure it is your form submitting to your form processing code can be figured out and bypassed. Your form processing code is the last line of defense. You must also validate all input from the form and detect the spam content or email header injection attempts and discard the submitted data.

11-26-2007, 02:48 AM
I have taken your idea and am using sessions now, and it is working great.

I was just wondering why isset($_POST) always returns true even when I don't submit anything.

11-26-2007, 03:06 AM
A form submits an empty $_POST array when nothing is set, but the variable $_POST exists, so isset() is true.

You could use empty() instead, it will detect an empty array.
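
The session check suggested in the second reply, combined with the empty() test from the last one, as an added example that is not code from any poster in this thread. It goes one step further than a fixed "known value" by storing a random, single-use token in the session and echoing it into a hidden form field; the function names and the form_token field name are assumptions, and the arrays at the bottom are constructed stand-ins for $_SERVER, $_POST and $_SESSION.

```php
<?php
// Added example; function names and the 'form_token' field are assumptions.
// In a real page, call session_start() first and pass $_SESSION, $_POST, $_SERVER.

// Form page: create a random token, keep it in the session, and return it
// so it can be written into a hidden <input name="form_token"> field.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Processing page: accept only a non-empty POST carrying the session's token.
function is_own_form_post(array $server, array $post, array &$session): bool
{
    // isset($_POST) is always true, so test the method and emptiness instead.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST' || empty($post)) {
        return false;
    }
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    // Single use: a second submission must load the form page again.
    unset($session['form_token']);
    // is_string() rejects form_token[]=x; hash_equals() compares in constant time.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed demo input.
$session = [];
$token   = issue_form_token($session);
$server  = ['REQUEST_METHOD' => 'POST'];

// Case 1: token from the form page. Case 2: same token replayed.
var_dump(is_own_form_post($server, ['form_token' => $token, 'msg' => 'hi'], $session));
var_dump(is_own_form_post($server, ['form_token' => $token, 'msg' => 'hi'], $session));
// Case 3: POST without a token. Case 4: page loaded with nothing submitted.
var_dump(is_own_form_post($server, ['msg' => 'hi'], $session));
var_dump(is_own_form_post(['REQUEST_METHOD' => 'GET'], [], $session));
```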