We help IT Professionals succeed at work.

Only Allow My Server to Post Data From a PHP Form

Jason92s asked
Last Modified: 2014-08-27
Been searching online for an answer and can't find anything.  Let's say I have a simple PHP form.  It uses session variables so it knows the user's username.  Is there a way to prevent a user from logging in, then opening another tab in their browser and using a copy of that form located on their server and submitting the values to my form that processes the values?  I know I can check the header, but that can be faked.  Same thing with the IP address.  I just want to be able to know with certainty that when a form is submitted, it came from a user using my form on my server.  My actual need is a little more complicated than this, but the general premise is the same, so I tried to make it as simple as possible.  Thanks.
Watch Question

Trenton KnewOwner / Computer Whisperer

can you have your form look for a file stored in a private directory prior to submission?  I would imagine you could have this file in a folder inaccessible to the outside world, but browseable by the script using a relative path?  If file not exist, then form doesn't work.  I can't give more specifics than this with my limited knowledge, unfortunately, but maybe this sets you on the right path.
Fixer of Problems
Most Valuable Expert 2014
This one is on us!
(Get your first solution completely free - no credit card required)
Most Valuable Expert 2011
Author of the Year 2014

Use a CAPTCHA test.

But really, what Dave Baldwin said: "On the other hand... if it is the same form with the same values... what difference does it make?"


Thanks All.  It would take all day to explain why I'm really asking, but this definitely points me in the right direction and will solve my issue.
Dave BaldwinFixer of Problems
Most Valuable Expert 2014

You're welcome, glad to help.  Basically, the more different things you can check, the more you can 'secure' your form.  Most people who try to break in are generally lazy, they don't want to work any harder than they have to.  

One thing that is useless is 'hidden' input fields.  Those will be collected the first time someone scans your form page.

One thing that is Necessary for any kind of 'private' or 'personal' data is SSL/TLS for HTTPS encryption.  People who have the resources to capture your network traffic will be able to 'see' everything if it is not encrypted using SSL/TLS.


Excellent points Dave, thanks again for all your help on this. It's very much appreciated.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.