"Jochen Kaechelin" <[EMAIL PROTECTED]> wrote in message
news:NFBBLHGFAKNLFNPOHMPHOEKLCFAA.jk@intern...
> What might be the most secure method to check,
> if a certain page was reached by submitting a form
> instead of typing the address directly?

Well, the HTTP_REFERRER is not reliable at all. Some agents (browsers) fill
this up with a bunch of worthless foo, so never depend on it.

The best way I can think of is to have some very secret and persistent key
on the server and hash it (perhaps with another value like the current
timestamp or the filename of the form-processor you want to redirect the
user from) and send the hash (and the other value, if you used one) to the
client as a GET parameter.

The page can then check to see if the hash is good. If it is (and the key is
kept secret), then you know the page was reached by the form-handler.

You can use the built-in md5 for this, but if security is a major concern,
get the mhash extension for PHP and use SHA1 or RIPEMD160, as md5 is known
to have weaknesses.

Dean Hall.
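
Added example, not part of the original post: one way to implement the keyed-hash check described in the reply above. It swaps the plain md5/SHA1 hash for HMAC-SHA256 from PHP's hash extension and compares with hash_equals(); the function names, FORM_SECRET, TOKEN_TTL and the page names are hypothetical.

```php
<?php
// Added example, not from the original post. All names are hypothetical.
// The secret stays on the server; load it from config outside the web root.
const FORM_SECRET = 'replace-with-long-random-server-side-secret';
const TOKEN_TTL   = 300; // seconds a token stays valid (assumed value)

// Called by the form handler before redirecting: returns the GET query string.
function make_form_token(string $target, ?int $now = null): string
{
    $ts  = $now ?? time();
    // Bind the MAC to both the timestamp and the target page name.
    $mac = hash_hmac('sha256', $ts . '|' . $target, FORM_SECRET);
    return http_build_query(['ts' => $ts, 'sig' => $mac]);
}

// Called at the top of the target page with $_GET.
function check_form_token(array $query, string $target, ?int $now = null): bool
{
    $ts  = $query['ts']  ?? '';
    $sig = $query['sig'] ?? '';
    if (!is_string($ts) || !is_string($sig) || !ctype_digit($ts)) {
        return false;                       // missing or malformed parameters
    }
    $age = ($now ?? time()) - (int)$ts;
    if ($age < 0 || $age > TOKEN_TTL) {
        return false;                       // expired or future-dated
    }
    $expected = hash_hmac('sha256', $ts . '|' . $target, FORM_SECRET);
    return hash_equals($expected, $sig);    // constant-time comparison
}

// Constructed demonstration with fixed clock values.
$qs = make_form_token('thanks.php', 1000000000);
parse_str($qs, $params);
var_dump(check_form_token($params, 'thanks.php', 1000000060)); // within TTL
var_dump(check_form_token($params, 'other.php', 1000000060));  // wrong page
var_dump(check_form_token($params, 'thanks.php', 1000000900)); // expired
$params['ts'] = '1000000001';
var_dump(check_form_token($params, 'thanks.php', 1000000060)); // altered ts
```

A valid token shows only that the server issued the link within the TTL; the same URL can be reused until it expires, so keep the TTL short or record used tokens server-side if single use matters.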



-- 
PHP General Mailing List (http://www.php.net/)