
Environment Variables

Status
Not open for further replies.

JohnnyT

Programmer
Jul 18, 2001
167
GB
I have a form whereby someone fills in their details and it is passed to the next page which then updates an SQL database and gives them the standard 'Thanks' message.
However, I've become aware that this is very insecure because someone could make up their own form on a server and fire any info they wanted to my update page.
So my question is this...
Is there a way that I can check the URL of the previously visited page on my update page? Then I can make sure they came from my form.
I know you can do it in perl with the environment variables but I'm new to PHP and not sure of the syntax etc. Any help would be appreciated. Also do you know of any other security holes in a system like this?
Cheers

Johnny T
I don't make mistakes, I'm merely beta-testing life.
 
JohnnyT,
I too would be interested to know the direct answer to your question. However, the form does not have to take you to a new page, as you can trap the event with an "onSubmit" and process the PHP database update within the same page.
HTH,
Clive
 
From the manual:

$HTTP_REFERER
The address of the page (if any) which referred the browser to the current page. This is set by the user's browser; not all browsers will set this.

 
Pete

Cheers for that. Just to clarify for Clive (as I have just finished the mods on my script) you can use it like this...

$Where_From = $HTTP_REFERER;   // Referer header as sent by the browser (on current PHP: $_SERVER['HTTP_REFERER'])
$My_Form = "http://www.example.com/form.php";   // placeholder: the full URL of your own form page

if ($Where_From != $My_Form) {

echo "Stop trying to hack my site!";

}
else {
echo "Well done, your details are recorded!";

}
PS. I've found you can also use $IP_Address = $REMOTE_ADDR;
to log any hackers IP address. This is a good scare tactic, i.e. add a statement along the lines of "Your IP address of <?php echo $IP_Address; ?> has been logged and a team of assassins despatched to bring me your head!" (or something like that ;-))

Cheers again Pete

JT
I don't make mistakes, I'm merely beta-testing life.
 
Thanks for the info, JohnnyT. However, do not overlook the fact that, as phpPete mentioned,

"This is set by the user's browser; not all browsers will set this."

If I am understanding this correctly, you may be sending your "no-hack" message to a legitimate user.

HTH,
Clive
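Clive's caveat is the important one: the Referer header is optional, so a strict comparison locks out users whose browser or proxy strips it, while it proves nothing about requests that are not coming from a browser at all. The following is an added example, not code from the thread, showing one way to classify the value so that only an explicitly foreign referer is rejected and a missing one is merely logged before the real validation runs. It assumes PHP 5.3 or later, reads the header via `$_SERVER['HTTP_REFERER']` (the current spelling of the `$HTTP_REFERER` variable quoted above), and uses a constructed host name and constructed sample values.

```php
<?php
// Added example (not from the thread): classify the Referer header without
// treating its absence as evidence of an attack.
// Assumes PHP 5.3+ and $_SERVER['HTTP_REFERER'].

// Placeholder for the host of your own form page.
define('EXPECTED_HOST', 'www.example.com');

/**
 * Classify a Referer value. Returns one of:
 *   'missing'   - header absent or empty (browser or proxy did not send it)
 *   'same-host' - host matches EXPECTED_HOST
 *   'foreign'   - a parseable URL pointing at some other host
 *   'malformed' - not a URL at all
 */
function classify_referer($referer, $expected_host)
{
    if ($referer === null || trim($referer) === '') {
        return 'missing';
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === false || $host === null) {
        return 'malformed';
    }
    // Host names are case-insensitive, so compare them that way.
    return strcasecmp($host, $expected_host) === 0 ? 'same-host' : 'foreign';
}

/**
 * Decide what the Referer alone justifies. Only an explicitly foreign or
 * malformed value is rejected; 'missing' and 'same-host' both go on to the
 * normal server-side validation of the submitted fields.
 */
function referer_verdict($class)
{
    return ($class === 'foreign' || $class === 'malformed') ? 'reject' : 'allow';
}

// Constructed sample values standing in for what different clients send.
$samples = array(
    'http://www.example.com/form.php',        // normal case
    'HTTP://WWW.EXAMPLE.COM/form.php',        // same host, different case
    'http://other-site.example.net/form.php', // form hosted elsewhere
    '',                                       // browser did not send it
    'not a url',                              // garbage
);

foreach ($samples as $referer) {
    $class = classify_referer($referer, EXPECTED_HOST);
    printf("%-42s => %-9s => %s\n", var_export($referer, true), $class, referer_verdict($class));
}

// In the real update script the value comes from the request:
// $raw   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
// $class = classify_referer($raw, EXPECTED_HOST);
// if ($class === 'missing') {
//     error_log('Submission without Referer from ' . $_SERVER['REMOTE_ADDR']);
// }
```

Run from the command line this prints one line per sample: the two `www.example.com` values and the empty string are allowed, the other host and the garbage are rejected. Even a 'same-host' result is only a weak signal, since the header is supplied by the client; the check is worth keeping for logging and for catching accidental cross-site posts, not as the sole gate in front of the database update.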
 
What's the answer then? Does anyone else know how to stop people setting up a form on their own server and parsing dodgy information into a remote script?

Please help.

Cheers

JT

PS Thanks for pointing that out Clive. I'd be interested to know how many browsers neglect to set this variable.
I don't make mistakes, I'm merely beta-testing life.
 
Clive

That's a possibility, but the scripts (8 of 'em!!) are already running and it would mean more work.
However, if there is no other way then I'll have to bite the bullet.

Cheers

JT
I don't make mistakes, I'm merely beta-testing life.
 
Please let me know how you ultimately solve it as this is a troubling security issue.
Cheers,
Clive
 
You could of course just use one page;

if (!$submit) {
    // echo form n stuff
} else {
    echo "ta for the info";
    // mysql stuff here
}

***************************************
Party on, dudes!
[cannon]
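The single-page layout above can be extended to answer Johnny's original question without relying on the Referer header at all. The following is an added example, not code from the thread: the form and its handler live in one script, the form carries a random token stored in the visitor's session, and the database update runs only when the submitted token matches and the fields pass server-side validation. It assumes PHP 7 or later (for `random_bytes` and `hash_equals`), a PDO connection, and placeholder table, column and credential values.

```php
<?php
// Added example (not from the thread): one-page form protected by a
// session-bound token plus server-side validation. Assumes PHP 7+, sessions
// enabled, and a PDO connection; DSN, credentials and table are placeholders.
session_start();

// Issue one random token per session and embed it in the form as a hidden field.
function form_token()
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['form_token'];
}

// Constant-time comparison so the check does not leak how much of the token matched.
function token_is_valid($submitted)
{
    if (empty($_SESSION['form_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

// Validate on the server: a form hosted elsewhere can send anything it likes.
function validate_details(array $post)
{
    $errors = array();
    $name  = isset($post['name'])  ? trim($post['name'])  : '';
    $email = isset($post['email']) ? trim($post['email']) : '';
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name must be 1-100 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return array($errors, array('name' => $name, 'email' => $email));
}

function render_form($token, array $errors = array())
{
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post" action="">';
    echo '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    echo 'Name: <input name="name"> Email: <input name="email"> ';
    echo '<input type="submit" name="submit" value="Send">';
    echo '</form>';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    render_form(form_token());            // first visit: show the form
} elseif (!token_is_valid(isset($_POST['token']) ? $_POST['token'] : null)) {
    http_response_code(403);
    echo 'Form token missing or invalid; please reload the form and try again.';
} else {
    list($errors, $details) = validate_details($_POST);
    if ($errors) {
        render_form(form_token(), $errors);   // redisplay with the problems listed
    } else {
        // Placeholder DSN and credentials. The prepared statement keeps the
        // submitted values out of the SQL text.
        $db = new PDO('mysql:host=localhost;dbname=mydb', 'dbuser', 'dbpassword');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $db->prepare('INSERT INTO details (name, email) VALUES (:name, :email)');
        $stmt->execute($details);
        unset($_SESSION['form_token']);   // single use: a replayed POST is rejected
        echo 'Well done, your details are recorded!';
    }
}
```

The token stops a form hosted on another server from submitting on behalf of a visitor's session, which is the scenario Johnny describes, and it works whether or not the browser sends a Referer. It does not stop someone from posting nonsense with their own session, so the server-side validation and the prepared statement are what actually protect the database; logging `$_SERVER['REMOTE_ADDR']` alongside a rejected token, as suggested earlier in the thread, fits naturally in the 403 branch.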
 