How can I secure a form processor file?

Posted on 2007-08-10
Last Modified: 2013-11-05
Simple question that I hope has a simple answer. I'm using PHP 5+ and Apache 1.3+ submits to and redirects to

How can I secure so that it only takes variables from  and still redirects to

I tried restricting '/directory/' with a password but then the form.php wouldn't hit it and redirect.
I also tried putting processor.php in a directory above the public folder but that didn't work either.

Thanks for the help
Question by:sportsbro
    LVL 27

    Accepted Solution

    > How can I secure so that it only takes variables from  and still redirects to

    I see at least two ways to do what you want.
    The first is easy, but not 100% secure (though it is safer than the current implementation);
    the second is secure, but not easy :-)

    1) The first method doesn't require any PHP programming; it's based on checking the Referer: header in .htaccess.
    Just create .htaccess in like:
    RewriteEngine On
    # Return 403 for a direct request to processor.php whose Referer is not the form page
    RewriteCond %{HTTP_REFERER} !=
    RewriteRule ^processor\.php$ - [F]

    Need to check, not tested.

    2) The second method is to use some shared storage (like an SQL database) to associate the user with the request: set up this association (add it to SQL) in form.php and also add an extra hidden variable to transfer to processor.php. Then processor.php should check this variable against SQL and, if it is not found, reject the request. Since such an 'association' should have a short lifetime, you should take care of cleaning such entries out of SQL.
    LVL 49

    Assisted Solution

    Option 1) would be buggy, as a lot of people have HTTP referers turned off, and therefore can't use your form.
    Option 2) sounds like a plan, but I think you could just as well use PHP's standard session.
    Use session_start() in both pages, then add $_SESSION['formVisited'] = true on the form page and if(!isset($_SESSION['formVisited'])) { /* illegal access */ } on the processor page.

    The session implementation can get as complex as you want it, of course.
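A worked version of the session approach, added here as an example and not code posted by either expert. It goes one step beyond the boolean flag above: form.php stores a random, single-use token in the session and echoes it into a hidden field, and processor.php refuses any request that is not a POST carrying that exact token. Because the check rides on the session cookie, it works for visitors who suppress the Referer header, and a stale or replayed POST is rejected once the token has been consumed. The file names form.php and processor.php come from the question; the redirect target thanks.php, the email field, and the PHP 7+ random_bytes() call (with the PHP 5.3+ openssl fallback) are assumptions.

```php
<?php
// ---- form.php ----
// Added example, not from the original thread. Assumes PHP >= 5.6 for hash_equals()
// in processor.php; random_bytes() needs PHP 7, hence the openssl fallback below.
session_start();

// Mint an unguessable token for this visit and remember it server-side.
// Only a browser that has actually loaded this page will hold it.
if (empty($_SESSION['form_token'])) {
    $_SESSION['form_token'] = function_exists('random_bytes')
        ? bin2hex(random_bytes(32))
        : bin2hex(openssl_random_pseudo_bytes(32));
}
$token = $_SESSION['form_token'];
?>
<form method="post" action="processor.php">
  <!-- Token is echoed once; htmlspecialchars keeps it inert inside the attribute -->
  <input type="hidden" name="form_token"
         value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
  <input type="text" name="email">      <!-- assumed example field -->
  <input type="submit" value="Send">
</form>

<?php
// ---- processor.php ----
session_start();

$submitted = isset($_POST['form_token'])    ? $_POST['form_token']    : '';
$expected  = isset($_SESSION['form_token']) ? $_SESSION['form_token'] : '';

// Accept only a POST that carries the token this session was given on form.php.
// hash_equals() is a constant-time compare, so the token cannot be guessed
// byte by byte from response timing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || $expected === ''
    || !hash_equals($expected, $submitted)) {
    header('HTTP/1.1 403 Forbidden');
    exit('This page only accepts submissions from form.php');
}

// Single use: drop the token so a replayed copy of this POST is rejected.
unset($_SESSION['form_token']);

// ... validate and process the remaining $_POST fields here ...

header('Location: thanks.php'); // assumed redirect target
exit;
```

Put the two halves in their own files as labelled. Password-protecting the directory or moving processor.php above the document root cannot work for this case, because the browser itself has to be able to request processor.php; the token check instead ties each submission to a session that has already rendered the form.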

