The following situation is possible (and has happened;
lord knows I've done it on more than one occasion). 
Names have been changed to protect the innocent.

<form method="post" action="/processform.php">
<input type="text" name="age">
<input type="hidden" name="year" value="2001">
<input type="submit" value="Submit">
</form>

Your average form.  Fill in my age and hit "Submit".
The form data gets sent to "processform.php".  Everything
is all well and good.

As a user, I view the source and copy it to a file on my
local file system.  I manually change the action to be:

"http://www.yoursite.com/processform.php"

and the year to be "1998".  I open the file in IE and
click "Submit".  The data, again, is sent to "processform.php"
on your server.
Everything is not all well and good.

Now, the inclination is to check the $HTTP_REFERER
and make sure that it is a page on your site.  However,
that isn't really an option as it can be suppressed, spoofed
or the browser might not even support it.  With this in
mind, what do you guys do to prevent something like this
from happening?  How do you check to make sure that any
form submissions originate from your site?

thnx,
Chris
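
An added example, not part of the original post: one way for processform.php to detect that the hidden "year" value was edited in a local copy, without relying on the referer. The names SECRET_KEY, issue_form_fields and verify_submission are hypothetical, and $session stands in for $_SESSION so the script also runs from the command line (PHP 7 or later assumed).

```php
<?php
// Added example; SECRET_KEY, issue_form_fields and verify_submission are hypothetical names.
// $session stands in for $_SESSION and $post for $_POST (assumption, keeps it CLI-runnable).

const SECRET_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder value

// Called when rendering the form: returns the hidden fields to embed in it.
function issue_form_fields(array &$session, string $year): array
{
    $token = bin2hex(random_bytes(16));      // fresh token for each rendered form
    $session['form_token'] = $token;         // remembered server-side only
    // The MAC binds the hidden value to this token, so neither can be swapped out.
    $mac = hash_hmac('sha256', $token . '|' . $year, SECRET_KEY);
    return ['year' => $year, 'token' => $token, 'mac' => $mac];
}

// Called in the form handler: true only if the hidden fields are ones we issued, unchanged.
function verify_submission(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);           // single use, even when the check fails
    if (!is_string($expected)) return false;
    foreach (['year', 'token', 'mac'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) return false;
    }
    if (!hash_equals($expected, $post['token'])) return false;
    $mac = hash_hmac('sha256', $post['token'] . '|' . $post['year'], SECRET_KEY);
    return hash_equals($mac, $post['mac']);  // constant-time comparison
}

// Constructed demo input.
$session = [];
$post = issue_form_fields($session, '2001') + ['age' => '30'];
var_dump(verify_submission($session, $post));      // form submitted as issued

$tampered = array_merge(issue_form_fields($session, '2001'), ['year' => '1998']);
var_dump(verify_submission($session, $tampered));  // year edited in a saved copy

var_dump(verify_submission($session, $post));      // old form replayed, token already used
```

The check proves the hidden fields were issued by the server and not altered; it does not make the user-typed "age" trustworthy, which still needs ordinary validation. A value the user should never change can also simply be kept in the session instead of being sent to the browser at all.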
