Only Allow My Server to Post Data From a PHP Form
Been searching online for an answer and can't find anything. Let's say I have a simple PHP form. It uses session variables so it knows the user's username. Is there a way to prevent a user from logging in, then opening another tab in their browser and using a copy of that form located on their server and submitting the values to my form that processes the values? I know I can check the header, but that can be faked. Same thing with the IP address. I just want to be able to know with certainty that when a form is submitted, it came from a user using my form on my server. My actual need is a little more complicated than this, but the general premise is the same, so I tried to make it as simple as possible. Thanks.
can you have your form look for a file stored in a private directory prior to submission? I would imagine you could have this file in a folder inaccessible to the outside world, but browseable by the script using a relative path? If file not exist, then form doesn't work. I can't give more specifics than this with my limited knowledge, unfortunately, but maybe this sets you on the right path.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Use a CAPTCHA test.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html
But really, what Dave Baldwin said: "On the other hand... if it is the same form with the same values... what difference does it make?"
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html
But really, what Dave Baldwin said: "On the other hand... if it is the same form with the same values... what difference does it make?"
ASKER
Thanks All. It would take all day to explain why I'm really asking, but this definitely points me in the right direction and will solve my issue.
You're welcome, glad to help. Basically, the more different things you can check, the more you can 'secure' your form. Most people who try to break in are generally lazy, they don't want to work any harder than they have to.
One thing that is useless is 'hidden' input fields. Those will be collected the first time someone scans your form page.
One thing that is Necessary for any kind of 'private' or 'personal' data is SSL/TLS for HTTPS encryption. People who have the resources to capture your network traffic will be able to 'see' everything if it is not encrypted using SSL/TLS.
One thing that is useless is 'hidden' input fields. Those will be collected the first time someone scans your form page.
One thing that is Necessary for any kind of 'private' or 'personal' data is SSL/TLS for HTTPS encryption. People who have the resources to capture your network traffic will be able to 'see' everything if it is not encrypted using SSL/TLS.
ASKER
Excellent points Dave, thanks again for all your help on this. It's very much appreciated.