View Full Version : Deny another page's access

05-23-2008, 03:48 PM
Hi, i wonder if it is possible to deny another page's access? Let's say i have a update function. My script is written in update.php, there is some hidden input value i have added using the <input type="hidden" value="value"> function. Then it will be submitted to update2.php.

If someone view source in my update page, they will know the hidden value and if they replicate my form (with all the input and change the value) and then use the action="www.my.com/site/update2.php". Then they can alter the value that is supposed to be right?

Is there a code that allows only post data from a certain site? Like it only accept data from www.my.com/site/update.php but not any other site like www.your.com/site/hack.php ?

05-23-2008, 03:58 PM

You could check $HTTP_SERVER_VARS['HTTP_REFERER'] in the code that will receive the form.

05-23-2008, 04:24 PM
Thanks, useful!~

05-23-2008, 06:38 PM
$HTTP_*_VARS are deprecated; use $_SERVER/$_POST/$_GET/$_SESSION/$_COOKIE instead. Also, the referer is supplied by the user, so it can't be fully trusted.

05-23-2008, 07:25 PM
How about a hash function? Base it off of something that changes (like the time minus the last digit) so that the key will only be valid for 10 seconds or so. That way they can never fake a session unless they: A) grab a working key within 10 seconds of the form being submit, B) figure out your hash function and implement it themselves to give them working hashes.

It's not fool proof, but it'll stop most people. Who exactly are you looking to stop? Human users or bots?

05-23-2008, 08:36 PM
You could try something like this:




Add an if statement to check the session variable:

if ($_SESSION['FORMID']=='myformname'){ //process} else {//don't process}

05-23-2008, 08:55 PM
Don't forget to session_start() (http://php.net/session_start) at the beginning of the script.

05-24-2008, 05:31 AM
Thanks for the reply. But if i uses the session function, can't someone copy it out too? And i'm trying to prevent human users from exploiting using the same form from another site and link it to my update2.php.

and i don't really get how should i use a session function in this case. Any explanation? I just need to make sure that in update2.php the information submitted to it MUST be from update.php (both from my site of course)

05-24-2008, 09:34 AM
But if i uses the session function, can't someone copy it out too?
No, the session variables are stored on the server. The only thing that is sent to the user is a single identifier cookie that's unique to each user. It can't really be shared because the session manager checks the user's IP while validating the cookie, and the session would expire anyway.

05-24-2008, 12:34 PM
Thanks for the reply. But i don't really know how i should use the session function in my case tho, which is i just need to make sure that in update2.php the information submitted to it MUST be from update.php (both from my site of course)

05-24-2008, 05:46 PM
Sessions variables allow you to share data between pages on the same site (and only the same site) without using get or post and they are not visible in the source code of your page like a form fields. Because of this a form on another system cannot pass a session type variable to pages on your site.

The use of them is not much more complicated than using a regular variable. I suggest you google something like 'php session tutorial' to get a more lengthy explanation.

I don't think there is a 100&#37; fool proof method. If the session method is not strong enough you might need to add a captcha field (one of those quirky images that contains some data you have to enter into a confirmation field).

If that's still not enough then you probably need to have the users login before they access the forms.