Chris Hayes wrote:
It takes a lot more for users to tamper with POST data than with GET

Not a lot more. Simply save the slightly modified form on a webserver you have access to (hidden field) -- or better, create PHP code that generates the form.

OK, aunt Annie can't do that, but she wouldn't ever have thought about
tampering with HTML forms ;-)

Check whether the referer is from your own site; that will also make it a lot harder.

Be careful, the refer(r)er is _not_ something reliable at all (I consider you can throw away many --20%?-- of them).

1. It can be faked (a little more difficult than simply creating
   custom HTML and using a standard browser).

2. This can disallow clients from accessing your site,
   because of some firewall, anonymiser, Ad-Aware-like tools, etc.
   that remove the referer field, for example. More and more people
   do this to protect their privacy or for security reasons.
   I think this will become default behaviour in years to come.
   NB: The referer is an OPTIONAL HTTP field (see RFC 2616).

3. It denies direct access to the page via bookmarks or
   typed-in URIs (no referer is generally sent in these cases).

As many said, just don't rely on unchecked input data:
check it with a 'white list' (use a regex, for example).

See more info in the security chapter of the PHP manual [1]
and in the well-known WWW Security FAQ [2].

[1] PHP: Security - Manual
    http://www.php.net/manual/en/security.index.php

[2] The World Wide Web Security FAQ
    by Lincoln D. Stein & John N. Stewart
    http://www.w3.org/Security/Faq/www-security-faq.html

Christophe

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
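As an added example (not code from the thread), here is the whitelist approach in PHP 7+, assuming a hypothetical order form that submits a hidden item code, a quantity and a (tamperable) price field; the catalogue, field names and sample requests are all constructed for illustration:

```php
<?php
// Added example, not from the original thread. Assumes a checkout form
// that POSTs a hidden "item" field, a "qty" field and a hidden "price".
// The server never trusts the submitted price: it accepts only an item
// code matching a strict whitelist regex and looks the price up itself.
// No Referer check is involved, so bookmarks and privacy tools still work.

// Constructed catalogue: the server-side source of truth for prices (cents).
const CATALOGUE = [
    'BOOK-001' => 1999,
    'MUG-042'  => 850,
];

function validateOrder(array $post): array
{
    $errors = [];

    // Whitelist: only item codes shaped like ABC-123 are considered at all,
    // and they must also exist in the catalogue.
    $item = $post['item'] ?? '';
    if (!preg_match('/^[A-Z]{2,8}-\d{3}$/', $item) || !isset(CATALOGUE[$item])) {
        $errors[] = 'unknown item';
    }

    // Quantity: digits only, 1..999. Anything else is rejected outright.
    $qty = $post['qty'] ?? '';
    if (!preg_match('/^[1-9]\d{0,2}$/', $qty)) {
        $errors[] = 'invalid quantity';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Price comes from the catalogue, never from the submitted "price"
    // field, so a modified hidden field cannot change what is charged.
    $total = CATALOGUE[$item] * (int) $qty;
    return ['ok' => true, 'item' => $item, 'qty' => (int) $qty, 'total' => $total];
}

// Constructed requests: legitimate, tampered hidden price, and garbage input.
$legit    = ['item' => 'BOOK-001', 'qty' => '2', 'price' => '1999'];
$tampered = ['item' => 'BOOK-001', 'qty' => '2', 'price' => '1'];
$garbage  = ['item' => "BOOK-001' OR 1=1", 'qty' => '-5'];

var_dump(validateOrder($legit));     // total computed from the catalogue
var_dump(validateOrder($tampered));  // same total: the "price" field is ignored
var_dump(validateOrder($garbage));   // rejected: fails both whitelist checks
```

In production the same function would be fed `$_POST` directly; the whitelist regex is what makes the hidden-field and referer questions moot.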


