PHP Security Issue


shoombool_tala
01-14-2006, 06:59 PM
I have a registration page where people register to my site and I add them to the database. Now I know it's possible for people to simply go to "File\Save As", download the HTML version, put in whatever info they want and change the <form action path to the FULL URL, which would submit it to my page with their custom information, even though I use htmlspecialchars in order to prevent SQL injection. Is there an easier way to make sure that only pages from that domain can submit a form?


The only way I thought of doing it is using $_SERVER['HTTP_REFERER'] and looking at it to see if it contains my server's IP or domain name, and if not, then don't let them register and track their IP.

This seemed to work when I tested it, but then today when I looked I saw around 54 IP addresses there, around 17 unique ones. Some were Googlebots but others were just normal IPs. I know they can't ALL be trying to register with a custom page. So what's an easier way to accomplish this?

Thanks a lot

Bogie
01-14-2006, 08:07 PM
Is this automatically added to your database or are you manually adding after they submit?

Below is what I have for security in my PHP mailform code. I also make sure to name my form PHP file something that is not common, like gtysmr.php

// for ultimate security, use this instead of using the form
$recipient = "whatever@yourdomain.com"; // youremail@domain.com

// referers.. domains/ips that you will allow forms to
// reside on.
$referers = array ('yourdomain.com','www.yourdomain.com','000.IP.000.000');

shoombool_tala
01-14-2006, 09:00 PM
It's automatically added. For example, I have a form like this:

register.php:

<form action="register.php?finished=1" method="post">
all the input boxes and submit button goes here
</form>

At the top of register.php i check to see if finished=1 and if it is then I add the user to the database.



Now if a user loads register.php and sees the page, they can go to their browser and save the page on their HD. They'll get the HTML version and put custom information in. For example, I have several radio buttons and lists in the registration page. They can put random values for the radio button, which would make the database inconsistent, so then they would edit the form to this:

<form action="http://www.mydomain.com/register.php?finished=1" method="post">
all the input boxes and submit button goes here
</form>

The form gets submitted and the user is registered, but with custom information.

I want to be able to only accept a form submission if the page referring it was from my own domain.

ChrisK
01-14-2006, 09:43 PM
What you should be doing is passing a server side variable from the form to the register.php file. If the variable exists... then add the form results... if it doesn't exist then ignore the submission... plus the submission won't work because it's not on the same server.

shoombool_tala
01-14-2006, 10:12 PM
What you should be doing is passing a server side variable from the form to the register.php file. If the variable exists... then add the form results... if it doesn't exist then ignore the submission... plus the submission won't work because it's not on the same server.

I don't think that will work, because in order to create the server side variable, I would have to put it in register.php... so in order for them to download the HTML version of it, they have to go to it first, which means it would create the variable for them.

ChrisK
01-15-2006, 12:10 AM
I don't think that will work, because in order to create the server side variable, I would have to put it in register.php... so in order for them to download the HTML version of it, they have to go to it first, which means it would create the variable for them.

You could change the "form" page to a PHP page?

Or... an easier way... would be to put in register.php a check to see if the referral page is coming from:

www.domain.ext/htmlform.htm OR domain.ext/htmlform.htm

...or you could just check to see if it's coming from your own domain by checking the HTTP_HOST var.
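ChrisK's "server side variable" and shoombool_tala's worry about random radio-button values come together in the usual fix: a per-session token embedded in the form, plus server-side validation of every submitted value against the set the form actually offered, so that the referer (which the client controls) never has to be trusted. The following is an added example written for this thread, not code posted by any participant; the field names, allowed values, SQLite DSN and modern PHP (7+) are assumptions.

```php
<?php
// Added example (not from the thread): register.php serving the form and handling the POST.
// Field names, allowed values and the SQLite DSN are assumptions.
session_start();
// Values the form offers. Anything else is rejected no matter where the POST came from,
// because the referer is under the client's control and cannot be trusted.
$allowed = ['plan' => ['free', 'basic', 'pro']];

function validate_registration(array $post, array $allowed): array
{
    $errors = [];
    foreach ($allowed as $field => $values) {
        if (!isset($post[$field]) || !in_array($post[$field], $values, true)) {
            $errors[] = "invalid value for $field";
        }
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $post['username'] ?? '')) {
        $errors[] = 'username must be 3-20 letters, digits or underscores';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The session token is the "server side variable": it ties the POST to a session
    // that was actually served the form. It does not vouch for the values themselves.
    if (!is_string($_POST['token'] ?? null) || !isset($_SESSION['form_token'])
        || !hash_equals($_SESSION['form_token'], $_POST['token'])) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    $errors = validate_registration($_POST, $allowed);
    if ($errors) {
        http_response_code(400);
        exit(implode("\n", $errors));
    }
    // A prepared statement, not htmlspecialchars(), is what prevents SQL injection.
    $pdo = new PDO('sqlite:users.db');
    $stmt = $pdo->prepare('INSERT INTO users (username, plan) VALUES (?, ?)');
    $stmt->execute([$_POST['username'], $_POST['plan']]);
    exit('Registered.');
}

// GET: issue a fresh token and render the form with it embedded.
$_SESSION['form_token'] = bin2hex(random_bytes(16));
?>
<form action="register.php" method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['form_token']) ?>">
  <input type="text" name="username">
  <select name="plan"><option>free</option><option>basic</option><option>pro</option></select>
  <input type="submit" value="Register">
</form>
```

A user who saves the page does get a valid token for their own session, which is fine: the token is there to stop third parties submitting on someone else's behalf, while the value checks are what keep the database consistent regardless of which copy of the form was used.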