There really isn't a way to be truly sure. You might not even need to be in
the first place.

If for instance you have a login page that will display an error message if
the login data was invalid, but if someone just typed in the address to the
login page you don't want to show that error message or even check to see if
it's valid, you can do a few things.

For one thing you can give the "submit" button on your form a name
attribute, so that it will send its value with the form if someone uses it.

So then you can just check if that data was submitted. But that doesn't stop
anyone from just including "?submitbutton=Submit" into the title.

One thing you can do is use some crypt function on the current unix
timestamp, and include that data onto the form. Then have your login page
decrypt the data, and ensure that it is recent enough to be considered valid.

That way you can ensure someone is using the newest version of your form,
and if someone is trying to fake you out then they can only do it for a few
hours before having to remake the fake form.

Since they can never guess what the crypted string will be, then they will
have to try and do it either manually or dynamically. If you get creative
you can stop them from doing that, but...

If you really have to be _that_ sure that a user is physically using your
form, then your application is probably too insecure, and its design needs
to be altered.


--
Plutarck
Should be working on something...
...but forgot what it was.


"Jochen Kaechelin" <[EMAIL PROTECTED]> wrote in message
news:NFBBLHGFAKNLFNPOHMPHOEKLCFAA.jk@intern...
> What might be the most secure method to check,
> if a certain page was reached by submitting a form
> instead of typing the address directly?
>
> I read that the $HTTP_REFERER may be changed, e.g.
> when WEBWASHER or other programs are in use!
>
> Please help!
>
> Thanx
>
> --
> Jochen Kaechelin - Ihr WEBberater
> Stuttgarter Str.3, D-73033 Goeppingen
> Tel. 07161-92 95 94, Fax 07161-92 95 98
> http://www.wa-p.de, mailto:[EMAIL PROTECTED]
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
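The timestamped form token Plutarck describes above, written out as an added PHP example (not code from either poster). Instead of encrypting the timestamp it signs it with an HMAC, which is the usual way to make a value the client can see but not forge; the secret, the field name `form_token`, the `TOKEN_MAX_AGE` limit and the helper names are all assumptions.

```php
<?php
// Added example: a time-limited, HMAC-signed form token.
// Assumed: $secret comes from server configuration, never from the client.

const TOKEN_MAX_AGE = 3 * 3600; // tokens older than this are rejected

function makeFormToken(string $secret, int $now): string {
    // Sign the issue time so the client can read it but cannot forge it.
    $mac = hash_hmac('sha256', (string)$now, $secret);
    return $now . ':' . $mac;
}

function verifyFormToken(string $secret, string $token, int $now): bool {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;   // malformed: wrong shape or non-numeric timestamp
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, $secret);
    if (!hash_equals($expected, $mac)) {
        return false;   // signature mismatch: forged or tampered token
    }
    $age = $now - (int)$issued;
    if ($age < 0 || $age > TOKEN_MAX_AGE) {
        return false;   // expired, or claims to be issued in the future
    }
    return true;
}

// Rendering the login form: embed the token as a hidden field.
$secret = 'replace-with-a-long-random-secret';   // placeholder value
$token  = makeFormToken($secret, time());
echo '<input type="hidden" name="form_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '">';

// Handling the POST: only treat the request as a real form submission
// if the token verifies; otherwise skip the credential check entirely.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = $_POST['form_token'] ?? '';
    if (!verifyFormToken($secret, $submitted, time())) {
        // Direct navigation, stale form, or tampered token:
        // no "invalid credentials" message is shown here.
        exit('Please use the login form.');
    }
    // ... validate the submitted credentials here ...
}
```

A token derived only from the time is the same for every visitor within the window, so it only proves the form was loaded recently; mixing the session id into the HMAC input turns it into a per-user token, which is also what protects against cross-site request forgery.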



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
