Give error message if form is not on your domain?

Discussion in 'PHP' started by Nintendo, Nov 28, 2006.

  1. #1
    I know there's a code to do this, but don't know what it is. Could someone post an example of PHP code to check to make sure that the form is on, for example, widget.com and not on another domain, AND not from the user's computer, and then spit out an error message if it's not on your domain?
     
    Nintendo, Nov 28, 2006 IP
  2. wmburg

    wmburg Active Member

    #2
    Do you mean once the form is submitted? You could check the referrer, but that can be null or spoofed. Anyone surfing with referrers disabled will be out of luck. If you wanted to use the referrer it would be something like this:

    
    PHP:
    <?php
    // The referrer can be missing or spoofed, so check that it is set before comparing.
    // strpos() returns 0 when the host sits at offset 0, so test against === false
    // instead of relying on the truthiness of the result.
    if (!isset($_SERVER['HTTP_REFERER'])
        || strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) === false) {
        echo "Later";
    }
    ?>
    You could also generate a token when a visitor first hits your form. Validate it once the form is submitted.
     
    wmburg, Nov 28, 2006 IP
  3. clancey

    clancey Peon

    #3
    One approach is to just never allow the form to be called directly. A valid calling page on your server would contain something along the lines of:

    define( '_VALID_NTNDO', 1 );

    and the script which generates and deals with the form starts with:

    defined( '_VALID_NTNDO' ) or die( 'Restricted access' );

    People should then never be able to remotely complete the form and submit it -- whether through a robot or a local copy of the form.
     
    clancey, Nov 28, 2006 IP
  4. KC TAN

    KC TAN Well-Known Member

    #4
    As wmburg mentioned, HTTP_REFERER cannot prevent form spoofing entirely. Use a token instead:

    Your form:
    
    PHP:
    <?php
    session_start(); // the token is stored in the session, so start it first
    $mytoken = md5(uniqid(rand(), true));
    $_SESSION['mytoken'] = $mytoken;

    // Concatenate the token into the string: a "<?php ... ?>" tag inside an
    // echoed string is sent to the browser as literal text, not executed.
    echo '<form action="process.php" method="POST"> ';
    echo '<input type="hidden" name="token" value="' . $mytoken . '" /> ';
    echo '<input type="text" name="field1" /> ';
    echo '<input type="submit" /> ';
    echo '</form>';
    ?>

    Check for the value of mytoken in the process.php:

    PHP:
    <?php
    session_start();

    // The form is submitted with method="POST", so the token arrives in $_POST.
    if (!isset($_POST['token'], $_SESSION['mytoken'])
        || $_POST['token'] != $_SESSION['mytoken']) {
        // output error message
    } else {
        // go ahead with the normal processing etc
    }
    ?>
    something like this :D
     
    KC TAN, Nov 29, 2006 IP
  5. wmburg

    wmburg Active Member

    #5
    Is that what you're looking for Nintendo?
     
    wmburg, Nov 29, 2006 IP
  6. drewbe121212

    drewbe121212 Well-Known Member

    #6
    This wouldn't work, as the user visits the form a token is generated for that session. The form is then copied to an offline/other server page. When the form is submitted the token still exists in the user's session and it will equal it when it loads.

    This would only provide security if the form is submitted without actually visiting the page first.
     
    drewbe121212, Nov 29, 2006 IP
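    An added example (not code from any poster in this thread) that addresses the objection above: the hidden values the server relies on are signed with an HMAC that also covers the session token, so a saved copy of the form with an edited field fails validation even though the session token is still valid. The secret, the field names and the sample enemy values are placeholders; it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not code from any poster in this thread. $secret is a placeholder
// for a long random value kept only on the server; needs PHP >= 7 (random_bytes).
session_start();
$secret = 'replace-with-a-long-random-server-secret';
// Sign the hidden fields together with the session token. A copied form keeps the
// session token, but any edit to a signed value (e.g. enemy_hp) breaks the HMAC.
function signed_fields(array $fields, string $secret): array
{
    if (empty($_SESSION['mytoken'])) {
        $_SESSION['mytoken'] = bin2hex(random_bytes(16));
    }
    ksort($fields);
    $payload = http_build_query($fields) . '|' . $_SESSION['mytoken'];
    $fields['sig'] = hash_hmac('sha256', $payload, $secret);
    return $fields;
}

// Recompute the HMAC over the submitted values and compare in constant time.
function verify_fields(array $post, array $names, string $secret): bool
{
    if (empty($_SESSION['mytoken']) || !isset($post['sig'])) {
        return false;
    }
    $fields = [];
    foreach ($names as $name) {
        if (!isset($post[$name])) {
            return false;
        }
        $fields[$name] = (string) $post[$name];
    }
    ksort($fields);
    $payload = http_build_query($fields) . '|' . $_SESSION['mytoken'];
    $expected = hash_hmac('sha256', $payload, $secret);
    return hash_equals($expected, (string) $post['sig']);
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Constructed sample values; a real game would read them from its own data.
    $form = signed_fields(['enemy_id' => '42', 'enemy_hp' => '350'], $secret);
    echo '<form action="" method="POST">';
    foreach ($form as $name => $value) {
        echo '<input type="hidden" name="' . htmlspecialchars($name) . '" value="' . htmlspecialchars($value) . '" />';
    }
    echo '<input type="submit" value="Attack" /></form>';
} elseif (!verify_fields($_POST, ['enemy_id', 'enemy_hp'], $secret)) {
    echo 'This form was altered or was not issued by this server.';
} else {
    echo 'Attacking enemy ' . (int) $_POST['enemy_id'] . ' with ' . (int) $_POST['enemy_hp'] . ' HP.';
}
```

    Better still, the server should look the enemy's HP up from its own data by enemy_id rather than round-tripping it through the browser at all; the signature is for values that genuinely have to travel with the form.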
  7. Nintendo

    Nintendo ♬ King of da Wackos ♬

    #7
    This looks like it.

    PHP:
    <?php
    /*
    NOTE: referer can be blocked or spoofed
    */

    $allowed_host = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'no referer';
    $host = 'DOMAIN.com';
    if ( strpos($allowed_host, $host) === false ) {
        echo 'This wasn\'t posted from your domain,<br />
              or there was no referrer set.!';
    }
    It's for an online game and players can view the HTML, save it to a text file, edit for example the HP of who they fight to 1. Save the file and open it with the browser and bam, when you attack, the server thinks the enemy really does have one HP. Forcing them to use the form on the domain. I'm guessing most players wouldn't know how to block or spoof it.

    I'm just a player of the game and discovered the bug myself!! Of course I let the admin know and gave him this code to try.
     
    Nintendo, Dec 1, 2006 IP
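    An added example (not code from the thread) that tightens the referrer check above: a substring match also accepts any URL that merely contains the domain name somewhere in its host or path, so this parses the Referer host and compares it exactly, and it reports a missing referrer separately from a foreign one so that players whose browser or privacy software strips the header get a distinct message. The hostnames in $allowed_hosts are placeholders.

```php
<?php
// Added example, not code from the thread. $allowed_hosts holds placeholder names
// for the game's own hostnames; compare the parsed host exactly, case-insensitively.
$allowed_hosts = ['domain.com', 'www.domain.com'];

// Returns 'ok', 'missing' (header absent or empty) or 'foreign' (host not allowed).
function referer_status(?string $referer, array $allowed_hosts): string
{
    if ($referer === null || $referer === '') {
        return 'missing';
    }
    // parse_url() gives the host component only; "evil.example/?domain.com" or
    // "domain.com.evil.example" no longer match, unlike with strpos().
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'foreign';
    }
    $host = strtolower($host);
    foreach ($allowed_hosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return 'ok';
        }
    }
    return 'foreign';
}

$status = referer_status($_SERVER['HTTP_REFERER'] ?? null, $allowed_hosts);
if ($status === 'foreign') {
    echo 'This wasn\'t posted from your domain.';
} elseif ($status === 'missing') {
    echo 'No referrer was sent; check your browser or privacy software settings.';
} else {
    // Referrer matches. Still pair this with a server-side token check, since the
    // header can be spoofed by anyone who controls their own client.
}
```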
  8. drewbe121212

    drewbe121212 Well-Known Member

    #8
    Yes, this will work as long as the browser is sending the HTTP_REFERER. Unfortunately, a lot of the antivirus software either removes or changes what is being sent from this data. I think this option can be globally turned off in the browser as well.

    Just require the user to not have manipulated the REFERER to play and you have no problems! If they don't want to do that, then they can find another game to play, eh? :)
     
    drewbe121212, Dec 2, 2006 IP
  9. Chuckun

    Chuckun Well-Known Member

    #9
    Something else you may want to be aware of is HTTP referrer choosers. I know of people using things like "RefControl" for Firefox: you can choose what to send as a normal referrer, and you can choose custom ones for certain sites I think, I'm not sure, I haven't used it... so relying on HTTP referrers to be sent is a bit of a risk if it's important to you.
     
    Chuckun, Dec 3, 2006 IP
  10. drewbe121212

    drewbe121212 Well-Known Member

    #10
    I agree completely. It was what I was warning about before. I'm sure something can be figured out though.
     
    drewbe121212, Dec 7, 2006 IP