Question:
posting data from external site to php script?
exxos
2009-02-19 15:58:26 UTC
I have a script which passes data to another php script just using hidden form variables, all works fine. Though the problem is, if someone posts data to the php script from an external site after simply viewing the output php source code, they can then force data into the php script which did not actually get generated by the hosting site...

The only thing I can think of doing is checking the referrer url to see where the data was coming from, but with programs which can fake the referrer url it does not really help much.

So is there any way to check and block data being sent to the php script on the server from external sites?
Four answers:
anonymous
2009-02-19 16:08:06 UTC
Whoever said use a firewall does not understand PHP... Disregard him completely.

------------------------

Why would you ever use hidden forms to send data you do not want to be tampered with?

If it is a hidden form and the data you have in the form is consistent (the same every single time someone uses it) just do...

if ($_POST['hiddenform'] == "whatever the string of text is")
{
    // your script
}
else
{
    echo "The hidden form has been tampered with";
}

--------------

The person below me is ALSO incorrect... Since the HTML holds not only the value but also the "name"...

So they could easily change it... they just have to find "name=blahblah"

and they got in!
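One way to make the receiving script reject hidden-field values it did not generate, as an added example that is not part of any answer in this thread: sign the fields with an HMAC keyed by a per-session secret and verify it on POST. The field names (item_id, price, mac), the helper functions and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Field and helper names are hypothetical.
session_start();

// Per-session secret: stays on the server, never appears in the HTML.
if (empty($_SESSION['form_key'])) {
    $_SESSION['form_key'] = random_bytes(32);
}

// MAC over the fields in a canonical (sorted) order.
function sign_fields(array $fields, string $key): string {
    ksort($fields);
    return hash_hmac('sha256', json_encode($fields), $key);
}

// Returns the verified fields, or null if anything is missing or altered.
function verify_fields(array $post, array $names, string $key): ?array {
    $fields = [];
    foreach ($names as $n) {
        if (!isset($post[$n]) || !is_string($post[$n])) return null;
        $fields[$n] = $post[$n];
    }
    $mac = $post['mac'] ?? '';
    // hash_equals compares in constant time.
    if (!is_string($mac) || !hash_equals(sign_fields($fields, $key), $mac)) return null;
    return $fields;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $data = verify_fields($_POST, ['item_id', 'price'], $_SESSION['form_key']);
    if ($data === null) {
        http_response_code(400);
        exit('Form data rejected');
    }
    exit('Accepted item ' . htmlspecialchars($data['item_id']));
}

$fields = ['item_id' => '42', 'price' => '19.99']; // constructed sample values
$mac = sign_fields($fields, $_SESSION['form_key']);
?>
<form method="post">
<?php foreach ($fields as $n => $v): ?>
  <input type="hidden" name="<?= htmlspecialchars($n) ?>" value="<?= htmlspecialchars($v) ?>">
<?php endforeach; ?>
  <input type="hidden" name="mac" value="<?= $mac ?>">
  <button>Submit</button>
</form>
```

A signed set of values can still be resubmitted unchanged within the same session, so anything that must be used only once needs a one-time token as well. Keeping the values in $_SESSION instead of in hidden fields avoids sending them to the browser at all.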
alanjaldred
2009-02-19 16:11:12 UTC
What method are you using to send the variables to the second page via the form? You should use the method 'post' which makes variable names and data invisible in the url. This will stop any hackers from seeing the variable names. This means people will not be able to insert unwanted text/code etc. http://www.w3schools.com/php/php_post.asp

-------------------------------------------

To the guy above.

Users will not be able to see the name when using the method post, regardless of whether they view the source or read the url; it is only when using the method 'get' that users can see the name AND the posted variable. Here is the link http://www.w3schools.com/php/php_post.asp
anonymous
2016-02-28 06:56:03 UTC
To have a good website structure, I would suggest that you use a content management system or make use of a blog engine as your content management system. By this you can have comments on selected posts and pages. You can also do more and have full control of your website and how it would handle users' and visitors' usage...
Blackcompe
2009-02-19 16:05:11 UTC
I think you'd have to take care of that using a firewall.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.