You can check $_SERVER['REQUEST_METHOD'] to see if the data has come from
POST, and check $_SERVER['HTTP_REFERER'] to see what page the data came
from. However, note that the HTTP_REFERER method cannot be trusted because
the following are possible:

1. User could have referers turned off (Mozilla can do this, probably a few
others, plus broken web browsers/proxy servers). Mozilla had broken referers
for a while.
2. Joe B Cracker can easily change what referer value is sent to the server
(I can do this easily in SamSpade)

NEVER trust anything that comes from the user's browser. I saw a great
article the other day called "The Peon's Guide to Secure System Development"
(http://m.bacarella.com/papers/secsoft/) that offers great advice: "Filter
out everything *but* good data instead."

You can't control what may find its way there - just check for what should
be there and if stuff isn't (or extra stuff is) you can do whatever you want
from there.

-Dash
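
The checks described in the reply above, as an added example that is not part of the original thread: require POST, ignore HTTP_REFERER, and accept only the fields and values the form is supposed to send. The field names, patterns and the check_submission() helper are hypothetical.

```php
<?php
// Added example, not code from the thread. Field names and patterns are
// hypothetical; replace them with what the real form sends.

// Allowlist: every field the form may send, with the pattern its value must
// match. \z anchors at the true end of the string (no trailing newline).
const EXPECTED_FIELDS = [
    'name'  => '/^[A-Za-z .\'-]{1,64}\z/',
    'email' => '/^[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}\z/',
    'qty'   => '/^[0-9]{1,3}\z/',
];

// Returns a list of problems; an empty list means the submission is acceptable.
function check_submission(array $server, array $post): array
{
    // 1. It must actually be a POST.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['not a POST request'];
    }
    // HTTP_REFERER is deliberately not consulted: it can be absent or set to
    // any value by the client, so it cannot decide whether data is accepted.

    $errors = [];
    // 2. "Extra stuff": reject any field that is not on the allowlist.
    foreach (array_keys(array_diff_key($post, EXPECTED_FIELDS)) as $key) {
        $errors[] = "unexpected field: $key";
    }
    // 3. "Stuff that isn't there", or is there with a bad value.
    foreach (EXPECTED_FIELDS as $key => $pattern) {
        if (!isset($post[$key])) {
            $errors[] = "missing field: $key";
        } elseif (!is_string($post[$key]) || preg_match($pattern, $post[$key]) !== 1) {
            // is_string() rejects array input such as qty[]=1
            $errors[] = "invalid value for: $key";
        }
    }
    return $errors;
}

// Constructed sample input standing in for $_SERVER and $_POST:
// one valid field, one extra field, one wrong type, one missing field.
$sample = ['name' => 'Matt', 'admin' => '1', 'qty' => ['2']];
print_r(check_submission(['REQUEST_METHOD' => 'POST'], $sample));

// In a real handler: $errors = check_submission($_SERVER, $_POST);
```

Field names in the returned messages come from the client, so escape them (for example with htmlspecialchars()) before echoing them into a page.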

-----Original Message-----
From: Matt Babineau [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 9:22 AM
To: [EMAIL PROTECTED]
Subject: [PHP-WIN] checking if is FORM is POSTED


What is the best way to check if a form is posted so people can't post to
my forms? I want to make sure that the post is coming from the right page
and that it is indeed a post operation.
 
Thx,
Matt

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
