Read POST only by script from MY domain

02-15-2006, 06:21 PM
How to make my script check if
come from within my domain
(if not - the script should exit)

02-15-2006, 07:12 PM
The best way to do this would be to set a $_SESSION variable when you output the form, and check for it (and then unset it) when you come to do the form processing.
Anything of the form $_SERVER['HTTP_XXX'] can be spoofed, so shouldn't be relied upon.

Really though, you should really be sanitising the $_POST array regardless of where it comes from, so checking shouldn't really be necessary.

[edit] to realise that I'm not convinced my 1st paragraph (which is essentially the same as the post that follows this) would actually work... will have a think :|

02-15-2006, 07:14 PM
You can use $_SERVER['HTTP_REFERER'] but it can be changed by the client side. The best way to do it is to set something in a db whenever the user is on a page that can call a form, then allow them to send the post and wipe the db when they posted the info.
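
The session-token idea from the replies above, written out as an added example that is not code from the thread: a random one-time value is stored in the session when the form is rendered, sent back in a hidden field, and compared and discarded when the POST is processed. The field name `form_token`, the two helper functions and the `name` input are assumptions made for the illustration.

```php
<?php
// Added example: one-time form token kept in the session.
// form_token, issue_form_token() and consume_form_token() are hypothetical names.
declare(strict_types=1);

session_start();

/** Create a fresh random token, store it in the session, return it for the form. */
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $_SESSION['form_token'] = $token;
    return $token;
}

/** True only if the submitted value matches the stored token; the token is single use. */
function consume_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);          // discard even when the check fails
    return is_string($expected)
        && is_string($submitted)             // rejects arrays such as form_token[]=x
        && hash_equals($expected, $submitted); // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Token accepted: every $_POST field is still validated and escaped before use.
    $name = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';
    echo 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    exit;
}

$token = issue_form_token();
?>
<form method="post">
    <input type="hidden" name="form_token"
           value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="name">
    <button type="submit">Send</button>
</form>
```

The check ties a POST to a form that was rendered for the same session; it does not depend on any `$_SERVER['HTTP_...']` header supplied by the client.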