How do you do SECURE Ajax calls???

Discussion in 'JavaScript' started by abi, Sep 4, 2008.

  1. #1
    Hi all!

    I'm making an ajax application.

    I have one page that takes users input (Page1.php).

    And another page with a function in PHP that writes what the user put to the database. (Page2.php).


    How can I ensure that ONLY Page1.php sent data to be saved to the DB?

    What is stopping someone from just writing an HTML page and posting variables from their own site to my Page2.php?


    I cannot use a login session, as the logged-in user could then hack the site by making their own page on their server and writing to Page2.php.

    Any info on this would be sweet!!!

    Thank you! :p
     
    abi, Sep 4, 2008
  2. Daemn

    #2
    Pass the PHP session ID and require it on Page2.php. They will not have access to the same ID on their own server. Any form of passing a variable from Page1 to Page2 that only your server knows will solve the problem. The only way for them to manipulate that is to cURL your site and scrape the ID, which should yield the exact same results as if using AJAX. Other than that, just put the necessary securities in place (can't rely on JavaScript for any security, ever).

    You could require the REFERER to be Page1, but that's bad practice.
     
    Daemn, Sep 4, 2008
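
An added example, not part of either post above: one way to implement the "variable that only your server knows" from reply #2. It assumes a random token stored in the PHP session rather than the session ID itself, sent by the page's script in an `X-Ajax-Token` header; the file layout, header name and function names are hypothetical.

```php
<?php
// token.php: required by both Page1.php and Page2.php.
// All function names and the X-Ajax-Token header are assumptions of this example.

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Page1.php calls this and prints the result into the page,
// e.g. inside a <meta name="ajax-token"> tag that the script reads.
function issue_ajax_token(): string
{
    ensure_session();
    if (empty($_SESSION['ajax_token'])) {
        // 32 random bytes from the OS CSPRNG; the value lives server-side in the session.
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return htmlspecialchars($_SESSION['ajax_token'], ENT_QUOTES);
}

// Returns true only if the submitted value matches this session's token.
function check_ajax_token(?string $submitted): bool
{
    ensure_session();
    $expected = $_SESSION['ajax_token'] ?? '';
    // hash_equals compares in constant time; an empty or missing token never matches.
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

// Page2.php calls this before touching the database.
function require_ajax_token(): void
{
    $token = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? null;
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !check_ajax_token($token)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // Token matched. It ties the request to a session that loaded Page1.php;
    // it does not vouch for the data, so every field is still validated
    // server-side and written with a prepared statement.
}
```

As reply #2 notes, a client that fetches Page1.php can read the token and replay it, so this check blocks blind cross-site posts while the server-side validation on Page2.php does the rest.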