On 6/26/03 at 10:48 AM, [EMAIL PROTECTED] (anthony) wrote:

> Hi,
>
> should I use $ENV{HTTP_REFERER} to check whether a form was sent from
> my site. Because I don't want people to download my webpage, put a
> link to a form, and modify some of the forms so it can crash the
> script (even though I tried to protect from that). The best way I can
> think of for the moment is http_referer

The HTTP_REFERER can easily be spoofed and in some cases is not included at all, so this is not a foolproof method. The only way that I know of to accomplish this is a bit complex, and involves sending some hashed data along with the form which is then checked when the form is submitted. Let me know if you want more info on this.

Having said that, it sounds like good form validation will do what you are looking for. If a user modifies your form, it doesn't need to 'crash' anything, just don't accept form input that is not what it should be. Check each incoming parameter. If it is invalid, slap the user, or die, or whatever is appropriate.

Andrew

--
This post is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Any code contained herein is likely UNTESTED and may cause your system to explode upon execution. Furthermore, please be advised that I am really just a Perl ninny, and you probably should not be taking my advice in the first place.
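
An added example, not part of the original post and not Andrew's code: one way to do the "hashed data along with the form" check mentioned above, together with a per-parameter allow-list check. It assumes a keyed hash (HMAC-SHA256 from the core `Digest::SHA` module); the secret, the form name `order`, the `quantity` field and the 15-minute lifetime are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: server-side secret, never sent to the browser (placeholder value).
my $SECRET  = 'replace-with-long-random-secret';
my $MAX_AGE = 15 * 60;    # seconds a rendered form stays valid

# Value for a hidden field: "<issue time>:<HMAC over form name and time>".
sub issue_token {
    my ($form_id, $now) = @_;
    $now //= time;
    return "$now:" . hmac_sha256_hex("$form_id|$now", $SECRET);
}

# True only if the token was produced by issue_token() for this form
# and has not expired.
sub verify_token {
    my ($form_id, $token, $now) = @_;
    $now //= time;
    return 0 unless defined $token && $token =~ /\A(\d{1,12}):([0-9a-f]{64})\z/;
    my ($issued, $mac) = ($1, $2);
    return 0 if $issued > $now || $now - $issued > $MAX_AGE;
    my $expected = hmac_sha256_hex("$form_id|$issued", $SECRET);
    # Compare every character so timing does not reveal where a mismatch is.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

# Allow-list check for one parameter (hypothetical "quantity" field: 1-999).
sub valid_quantity {
    my ($v) = @_;
    return defined $v && $v =~ /\A[1-9]\d{0,2}\z/ ? 1 : 0;
}

# Constructed sample run with a fixed clock value.
my $t0     = 1_000_000_000;
my $token  = issue_token('order', $t0);
my $forged = $token;
substr($forged, -1) = substr($forged, -1) eq '0' ? '1' : '0';   # alter one MAC digit

printf "%-24s %d\n", 'fresh token',        verify_token('order',   $token,  $t0 + 60);
printf "%-24s %d\n", 'altered token',      verify_token('order',   $forged, $t0 + 60);
printf "%-24s %d\n", 'token for other form', verify_token('contact', $token,  $t0 + 60);
printf "%-24s %d\n", 'expired token',      verify_token('order',   $token,  $t0 + 3600);
printf "%-24s %d\n", 'quantity "3"',       valid_quantity('3');
printf "%-24s %d\n", 'quantity "3; rm"',   valid_quantity('3; rm');
```

The token only shows that the server rendered this form recently; anyone can still fetch a fresh form and change its fields, so the per-parameter checks remain necessary.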