please help me stop receiving $_POST from outside websites

hello, please help

sorry if this has come up twice but the forum said i had an error

i have spent a lot of time trying to figure out some PHP and HTML programming to build a members site, it's not live but basically a trial project before the real thing

what i have found though, is that if i have my script on a server and i have a request to receive a $_POST['name'] for example, anybody on any site can fill that $_POST by posting their variables to my site making it very insecure :frowning:

i use sessions on the script and some md5 identifiers, but if people can figure out the identities then they can add that to their scripts.

So what I'm basically asking is… is there any way to identify where the post is coming from and ensure it has only come from my own script and either divert the false entries or block them?

please if you are able to answer, please keep it fairly simple if possible as I'm still not all that clued up

many many thanks for looking

Nath

A simple way would be to do something
[php]
define('AUTH', 1);

// then before you do anything on your site
// AUTH is a constant, so it is referenced without quotes
if (AUTH == 1) {
    if (isset($_POST['name'])) {
        // do rest of stuff
    }
} else {
    echo "You performed an illegal operation - hotlinking is not allowed here";
}
[/php]

You don’t have to use a global definition, a regular variable could be used, but again, it can be changed through the post. If you want to get a little more advanced, look at htaccess files and mod rewrite rules. If they can’t see what’s being sent, they can’t change it.

hi thanks for the reply

however…
you have put …“but again, it can be changed through the post”, does that mean there will be still some way to $_POST in to my site from outside, because if so I'm not sure how i will be able to adapt this to prevent the post field being posted to from outside?

please advise
really appreciate your advice

Also you put something about htaccess files, i don't know how to use them so could you advise what I'd be looking for to find out about using that to protect my post fields, thanks

There’s always a way around any protection, and there’s no way to prevent all the possibilities. As for htaccess, look up mod rewrite rules. Basically, they take a given url and change it, so if you have someurl.com/index.php?id=1253, it could be changed to say someurl.com/1253. There’s few sites out there that don’t use it to some extent.

Now that I look at my example, it won’t work. You could use a hidden input though as a control measure, something like

[php]
// check isset() first so a missing field does not raise an undefined index notice
if (!isset($_POST['control']) || $_POST['control'] != 1) {
    echo "Access denied!";
} else {
    // continue with the form processing
}
[/php]
With that, it’s looking for an input value, but unless you look at the physical code, the user will never know it’s there, and since any input coming from the outside won’t know about it, it’ll just get kicked back. Course you could write a function or code to put in there that’ll send back a nasty message to the person doing the outside posting :slight_smile:

I use htaccess mod rewrite on my site:

http://www.rayth.info

Home: http://www.rayth.info/home/
Projects: http://www.rayth.info/projects/

Actual page it loads:
http://www.rayth.info/index.php?page=PAGE
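
Added example, not code from any post in this thread: the hidden `control` field suggested above, generalized so that its value is a random token stored in the session (the original question mentions using sessions) instead of a fixed `1`. The function names `control_token()` and `control_ok()` are made up for this example.

```php
<?php
// Added example: per-session random token carried in a hidden form field.
// Function names and the 'control' field name are illustrative choices.
session_start();

function control_token(): string
{
    // One unpredictable token per session, created on first use.
    if (empty($_SESSION['control'])) {
        $_SESSION['control'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['control'];
}

function control_ok(array $post): bool
{
    // The posted value must be a string and must match the session copy.
    // hash_equals() compares the two strings in constant time.
    return isset($post['control'], $_SESSION['control'])
        && is_string($post['control'])
        && hash_equals($_SESSION['control'], $post['control']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!control_ok($_POST)) {
        http_response_code(403);
        exit('Access denied!');
    }
    // Token matched: this POST belongs to a session that was served the form.
    $name = isset($_POST['name']) && is_string($_POST['name']) ? $_POST['name'] : '';
    echo 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<form method="post">
    <input type="hidden" name="control"
           value="<?= htmlspecialchars(control_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="name">
    <button type="submit">Send</button>
</form>
```

The check only ties a POST to a session that was served the form; every posted value still has to be validated on the server before it is used.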
