How to check from where its posting ?

[AvisSoft]

Hi!

I have a signup form and i want to make sure that it is being posted from the website only and not from any other location. So how do i determine from where the form is being posted ? I am using POST method.

Thanks!

[visualAd]

The only real method of doing this is to use a client side image containing letters and numbers. The user must type copy wat is in the image before sending the form. This tutorial explains what you need to do to achieve this:

http://www.zend.com/zend/tut/tutorial-mehmet1.php

[AvisSoft]

Hi!

Hmm no i think i did not explained my question very well, let me re-phrase:

I have a form signup.htm whcih once filled takes the user to signup.php for processing.

Now i have certien hidden fields in the form ..which i want that user can't mess up with. So for this when a user posts the form i want to make sure that the form is posted from a certian web addres like my servers's address.

Can i determine the from where the form is being posted ? Like compare IP address or soemthing ...so if its not my server's ip then its not being posted from the website...!

Can something like this be done ?

Thanks!

[Arc]

Well, you could create a session on the page being posted from and then check to see if the session excits when you check the $_POST array. If it was posted from a different site then the session wouldn't excist unless they somehow postd it from your form first to create the session then left the site and reposted it again.

[visualAd]

Extending Arc's suggestion. If you have hidden data in your form that you don't want change, it is better not to send it in the first place. Create a session and store the hidden data in the session.

Ensuring the session has not been hijacked is a whole topic in its self. See this post for some tips on how to do this:

http://www.vbforums.com/showthread.p...68#post1925668