> Well, anything you get back from the client will be as GET 
> variables, I think.  So, if your forms only use POST variables, 
> and you've turned on track_vars, then you can get your variables 
> through $HTTP_POST_VARS() like $foo=$HTTP_POST_VARS('foo');  
> If I'm wrong on this, I'm sure someone will let me know.

Well, if there is a GET and a POST variable of the same name, 
the POST value will be used instead.  This is a built-in security
measure of either PHP, Apache or both.
However, what you suggest does not prevent someone from
viewing and saving the source to their machine, modifying the
form variables and submitting the version of the form on their local
machine.  Doing this will set everything as a POST and will
bypass the check suggested above.

This goes back to what I said initially.  I can check to see if
the REQUEST_METHOD is POST and check the HTTP_REFERER
to see if it is from our host (which it wouldn't be if the user 
submitted the form from their local machine).  However, the
problem arises in that the HTTP_REFERER isn't always set
because some browsers do not send that information to the 
server.

So this leads me to the (another) question I had, but am not
sure anyone said, at what time and/or in what instances and/or
what browsers/versions do not send the HTTP_REFERER
information?

I really appreciate all the help and information everyone has
given with regards to this issue.  You guys are great.

Chris
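The two checks Chris describes (REQUEST_METHOD is POST, Referer points at our host) and their weak spot (the Referer header may simply be absent) as an added example; this is not code from the thread or from PHP itself. It uses the modern superglobals ($_SERVER, $_POST) in place of track_vars and $HTTP_POST_VARS, and needs PHP 7.1 or later. The host names example.com and attacker.example are placeholders, and the request cases at the bottom are constructed so the script runs without a web server.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PHP 7.1+.
// In a real handler the inputs would be $_SERVER['REQUEST_METHOD'],
// $_SERVER['HTTP_REFERER'] ?? null, $_SERVER['SERVER_NAME'] and $_POST.

/**
 * Classify a submission using only the signals the thread discusses.
 * Returns 'reject', 'same-host' or 'inconclusive'. The third value is
 * the point of the thread: a missing Referer proves nothing either way.
 */
function classify_submission(string $method, ?string $referer, string $ourHost): string
{
    if ($method !== 'POST') {
        return 'reject';                       // our form only ever POSTs
    }
    if ($referer === null || $referer === '') {
        return 'inconclusive';                 // some browsers/proxies omit Referer
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if ($refHost === null || $refHost === false) {
        return 'inconclusive';                 // e.g. file:// from a saved local copy
    }
    return strcasecmp($refHost, $ourHost) === 0 ? 'same-host' : 'reject';
}

/**
 * Because the client controls every POST value (a saved copy of the form can
 * send anything), each field is validated server-side regardless of the
 * classification above. Returns clean values or null if any field is bad.
 * The field names qty/email are hypothetical.
 */
function validate_fields(array $post): ?array
{
    if (!isset($post['qty'], $post['email'])) {
        return null;
    }
    $qty = filter_var($post['qty'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    $email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
    if ($qty === false || $email === false) {
        return null;
    }
    return ['qty' => $qty, 'email' => $email];
}

// Constructed requests: method, Referer (null = header absent), POST body.
$cases = [
    ['POST', 'https://example.com/order.html',       ['qty' => '3',  'email' => 'a@example.com']],
    ['POST', null,                                   ['qty' => '3',  'email' => 'a@example.com']],
    ['POST', null,                                   ['qty' => '-5', 'email' => 'not-an-address']],
    ['POST', 'http://attacker.example/saved.html',   ['qty' => '3',  'email' => 'a@example.com']],
    ['GET',  'https://example.com/order.html',       ['qty' => '3',  'email' => 'a@example.com']],
];

foreach ($cases as [$method, $referer, $post]) {
    $origin = classify_submission($method, $referer, 'example.com');
    $fields = validate_fields($post);
    printf("%-4s referer=%-40s origin=%-12s fields=%s\n",
        $method, var_export($referer, true), $origin,
        $fields === null ? 'invalid' : 'ok');
}
```

The second and third cases show why the Referer check cannot be the decision on its own: both arrive with no header, one with sane values and one with tampered ones, and only the per-field validation tells them apart.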
