BR

Blocking posted data from outside of my domains

I use PHP.
I have a web page, and I should not allow anybody to post data to my website except one specific website.
How can I block all the posts coming from outside except one domain?

I want to allow a website to post input to my page, but I need to block the rest of the world.

By the way, only registered users can post data to my page; however, I need to be sure that the data posted to my website comes from that specific domain.

How can I do that?
PHP

Last Comment
Ray Paseur

8/22/2022 - Mon
Ray Paseur

There are several tests you can use.  These or some combination of these will usually do the trick.

You can check the value in $_SERVER['HTTP_REFERER']
http://php.net/manual/en/reserved.variables.server.php

You can use an API key, or OAuth, or similar authentication "handshake."
https://www.experts-exchange.com/articles/12239/Introduction-to-Application-Programming-Interfaces.html

You can add a CAPTCHA test to the posting script.
https://www.experts-exchange.com/articles/9849/Making-CAPTCHA-Friendlier-with-Simple-Number-Tests-or-PHP-Image-Manipulation.html

You can use PHP client authentication.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html

You can use some kind of a form token.
https://www.experts-exchange.com/articles/28802/Improved-Form-Tokens-to-Guard-Against-CSRF-and-Screen-Scrapers.html
BR

ASKER
Dear Ray Paseur,
Thanks to you, I know most of them. I used your login and registration article to create my page. I also used your form token article for my forms. And using an API key would be great, I'm sure.

I want to learn how I can block the users coming from outside of a specific domain with $_SERVER['HTTP_REFERER'].

Can you give me an example?

I put a test page on my server with $_SERVER['HTTP_REFERER'] inside the PHP code, and it gives me only - (a hyphen).
ASKER CERTIFIED SOLUTION
Ray Paseur

BR

ASKER
Dear Ray Paseur,
I tested the solution, and it works perfectly.
Thank you so much.
You are the master of everything about the web.
Did you know that you can see with Google Chrome Developer Tools whatever is posted (it is supposed to be hidden, but it's not anymore) to a web page? You probably know it, but
if you check Google Chrome > Tools > More Tools > Developer Tools and click Preserve Log under the Network ribbon, you see everything a page posts (hidden or not).

Thank you so much again.
Julian Hansen

You can't rely on this - the actual post comes from a browser, which sends a REFERER string in the header - this can be very easily spoofed.

You should probably be looking at CSRF (Cross Site Request Forgery) as well to prevent posts from unwanted sources.
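
Added example (not part of the thread and not any participant's code): because the Referer value is supplied by the client, this sketch treats it as a hint only and accepts a POST only when it carries a valid HMAC signature made with a secret shared with the allowed site, one form of the API-key handshake suggested earlier in the thread. The host name, secret, timestamp window, signed string layout and function names are all assumptions.

```php
<?php
// Added example. Assumed names: ALLOWED_HOST, MAX_SKEW, both functions,
// and the idea that the allowed site's server signs "timestamp\nbody".
const ALLOWED_HOST = 'partner.example'; // hypothetical allowed site
const MAX_SKEW = 300;                   // accepted clock skew, seconds

// Host part of the Referer header, or null. Client-controlled: hint only.
function referer_host(array $server): ?string
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// True only if $sig is HMAC-SHA256 over timestamp and body with the shared
// secret, and the timestamp is recent enough to limit replay.
function verify_signed_post(string $ts, string $sig, string $body,
                            string $secret, int $now): bool
{
    if (!ctype_digit($ts) || abs($now - (int)$ts) > MAX_SKEW) {
        return false;
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $body, $secret);
    return hash_equals($expected, $sig); // constant-time comparison
}

// Constructed sample data, not real traffic. In a live script the body
// would come from file_get_contents('php://input') and the timestamp and
// signature from request headers or fields agreed with the allowed site.
$secret = 'constructed-demo-secret';
$now    = 1700000000;
$ts     = (string)$now;
$body   = 'user=demo&comment=hello';
$sig    = hash_hmac('sha256', $ts . "\n" . $body, $secret);

$cases = [
    'signed by allowed site'    => [$ts, $sig, $body],
    'body altered in transit'   => [$ts, $sig, $body . '&admin=1'],
    'forged Referer, no secret' => [$ts, str_repeat('0', 64), $body],
    'old request replayed'      => [(string)($now - 3600),
        hash_hmac('sha256', ($now - 3600) . "\n" . $body, $secret), $body],
];
$spoofed = ['HTTP_REFERER' => 'https://' . ALLOWED_HOST . '/form.php'];
foreach ($cases as $label => [$t, $s, $b]) {
    $refOk = referer_host($spoofed) === ALLOWED_HOST; // passes for anyone
    $sigOk = verify_signed_post($t, $s, $b, $secret, $now);
    printf("%-26s referer=%s signature=%s\n", $label,
        $refOk ? 'pass' : 'fail', $sigOk ? 'pass' : 'fail');
}
```

The secret has to stay on the two servers; if the allowed site posts through a visitor's browser, its server would compute the timestamp and signature and embed them in the form rather than expose the secret to the page.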
BR

ASKER
Dear Julian Hansen,
Ray Paseur mentioned that too.
Thank you for the comment, I will search for CSRF on the web. Thank you both.
Julian Hansen

So - he did - I missed that.
Ray Paseur

You're welcome, of course.  And yes, Chrome Dev Tools are very helpful!

Before you spend too much time surfing the web for CSRF, read this article.  It might have everything you need to know, all in one place!
https://www.experts-exchange.com/articles/28802/Improved-Form-Tokens-to-Guard-Against-CSRF-and-Screen-Scrapers.html