Not all browsers support the referrer, and some people use software to block it, so that method is unreliable... The only way to do this is with a token that is time-sensitive, from the database; even then there is no method that is hackproof.
Rick
At 03:41 PM 3/22/01 +0000, Jon Haworth wrote:
> > > You could have a check for the HTTP_REFERER variable, if it doesn't
> > > contain "application.php", chances are they didn't come from that page.
>
> > It's not a good idea to rely on $HTTP_REFERER for anything, and especially
> > for this. A referer is only reported when the user follows a hyperlink, so
> > in the hypothetical case given there would be no referer.
>
>Isn't that the point? If there's no referer, they didn't come from the first
>page, so you send them back there. I could be completely wrong here - is
>HTTP_REFERER empty following a form submission, even if it's to a different
>page?
>
> > What you need to do is combine your two scripts, which is really a neater
> > way of handling forms anyway. Point your form action to the same page
> > ($PHP_SELF works really well for this, since you can rename the file and
> > it will still run properly), and then add the following code to the top
> > of your application.php file:
> >
> > if($GLOBALS["REQUEST_METHOD"] == "POST") {
> >     include("process_application.php");
> >     exit;
> > }
>
>This is how I would handle it personally, but then he'd mentioned having two
>pages, so......
>
>Cheers
>Jon
>
##########################################################
# Rick St Jean,
# [EMAIL PROTECTED]
# President of Design Shark,
# http://www.designshark.com/
# Quick Contact: http://www.designshark.com/messaging.ihtml
# Tel: 905-684-2952
##########################################################
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
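Rick's suggestion of a time-sensitive token stored in the database, worked through as an added example that is not code from the thread: application.php issues a random token when it renders the form, and process_application.php redeems it once within a fixed lifetime instead of trusting HTTP_REFERER. The in-memory SQLite database, the form_tokens table and all function names are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread): a time-limited, single-use form token
// kept server-side, as the alternative to checking HTTP_REFERER.
// Assumes an in-memory SQLite database via PDO; the table name is made up.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 900; // a submission is accepted for 15 minutes

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE form_tokens (token TEXT PRIMARY KEY, issued_at INTEGER NOT NULL)');
    return $db;
}

// Called while rendering application.php; put the result in a hidden field
// (escaped with htmlspecialchars) so it comes back with the POST.
function issueToken(PDO $db): string {
    $token = bin2hex(random_bytes(32)); // 256 unguessable bits
    $stmt = $db->prepare('INSERT INTO form_tokens (token, issued_at) VALUES (?, ?)');
    $stmt->execute([$token, time()]);
    return $token;
}

// Called at the top of process_application.php before any work is done.
// True only for a token this server issued, still inside its lifetime,
// and never redeemed before.
function consumeToken(PDO $db, string $submitted, ?int $now = null): bool {
    $now ??= time();
    if (!preg_match('/^[0-9a-f]{64}$/', $submitted)) {
        return false; // malformed input, reject before touching the database
    }
    $stmt = $db->prepare('SELECT issued_at FROM form_tokens WHERE token = ?');
    $stmt->execute([$submitted]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete unconditionally so a token can be redeemed at most once,
    // whether or not it turns out to be expired.
    $db->prepare('DELETE FROM form_tokens WHERE token = ?')->execute([$submitted]);
    if ($row === false) {
        return false; // never issued, or already used
    }
    return ($now - (int) $row['issued_at']) <= TOKEN_TTL_SECONDS;
}

// Demo: first use, replay of the same token, and a token past its lifetime.
$db = setupDb();
$t = issueToken($db);
var_dump(consumeToken($db, $t));                                    // first use
var_dump(consumeToken($db, $t));                                    // replay
$old = issueToken($db);
var_dump(consumeToken($db, $old, time() + 2 * TOKEN_TTL_SECONDS));  // expired
```

Because the token is random and bound to a database row, a request that skipped application.php has nothing valid to submit, which is the property the referer check was trying to approximate.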