  1. #1 scoobasteve1982 (SitePoint Addict, joined Apr 2007)

    validate form submission is from host

    So I've written this function to parse out the domain from a referring submission. I don't want people posting my form from different domains. I know I could use a regex but I don't particularly enjoy them so I do it the long way. Just wanted to know your thoughts if you have any. Is this efficient enough? Thanks.

    PHP Code:

    // Returns: boolean
    // Validates that a user is submitting from an allotted array of domains
    function validateSubmission() {
        $domains = array("SOMEDOMAIN.COM");  // add allowed domains here. MUST BE ALL UPPERCASE.

        // No Referer header at all: reject rather than read an undefined index
        if (!isset($_SERVER['HTTP_REFERER'])) {
            return false;
        }
        $referer = $_SERVER['HTTP_REFERER'];

        // Get the referring domain: the text after "//" up to the next "/",
        // or to the end of the string when the referer has no path ("http://host")
        $schemeEnd  = strpos($referer, "//");
        $domainPos1 = ($schemeEnd === false) ? $referer : substr($referer, $schemeEnd + 2);
        $slash      = strpos($domainPos1, "/");
        $domain     = ($slash === false) ? $domainPos1 : substr($domainPos1, 0, $slash);
        echo $domain;  // debug output

        if (in_array(strtoupper($domain), $domains)) {
            return true;
        } else {
            return false;
        }
    }


  2. #2 SitePoint Enthusiast (joined Jan 2006)
    The problem is that referrer is not guaranteed to be sent. It's not 100% reliable because it's not mandatory in the HTTP standard. In France, for example, some ISPs strip referrer from headers.

    What you may want to do is create a unique key on your form. Put that key into a hidden field in the form and also into the user's session. When the POST comes in check that the key in the form matches the key in the session.

    The Drupal CMS uses this technique to prevent cross-site scripting attacks.

  3. #3 SitePoint Enthusiast (joined Jan 2006)
    Sorry to double-post, but just to clarify, I mean a unique key for every time the form is generated for a user. Not a re-used key.
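
The per-render token scheme described in the two posts above, written out as an added example; it is not the poster's code and not Drupal's. It assumes PHP 7 or later (random_bytes, hash_equals), and the hidden-field name form_token, the cap of 20 stored tokens and the one-hour lifetime are illustrative choices, not anything the thread specifies. A plain array stands in for $_SESSION so the script runs from the command line; in a real handler you would call session_start() and pass $_SESSION instead. Unlike the Referer header, which is whatever the client chooses to send, the token is minted server-side, tied to the session, and accepted once.

```php
<?php
// Added example, not the original poster's or Drupal's code: one fresh token per
// rendering of the form, stored server-side and accepted once.
// Assumes PHP >= 7.0 (random_bytes, hash_equals). Field name, cap and TTL are
// illustrative choices.

const FORM_TOKEN_FIELD = 'form_token';  // hidden input name (assumed)
const FORM_TOKEN_MAX   = 20;            // tokens kept per session before the oldest are dropped (assumed)
const FORM_TOKEN_TTL   = 3600;          // seconds a token stays valid (assumed)

// Mint a token for one rendering of the form and record it in $store, which is
// $_SESSION in a real handler; it is passed by reference so this runs from the CLI.
function generate_form_token(array &$store): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $store['form_tokens'][$token] = time();      // remember when it was issued
    // A user who opens many forms without submitting must not grow the session forever.
    if (count($store['form_tokens']) > FORM_TOKEN_MAX) {
        asort($store['form_tokens']);            // oldest first
        $store['form_tokens'] = array_slice($store['form_tokens'], -FORM_TOKEN_MAX, null, true);
    }
    return $token;
}

// The hidden field to print inside the <form>. The value is hex, but escape it anyway.
function form_token_field(string $token): string
{
    return '<input type="hidden" name="' . FORM_TOKEN_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Check the posted value against the stored tokens. A matching token is removed
// whether or not it has expired, so the same POST cannot be replayed.
function validate_form_token(array &$store, $posted): bool
{
    if (!is_string($posted) || $posted === '' || empty($store['form_tokens'])) {
        return false;                            // missing field, or a form_token[]=... array
    }
    foreach ($store['form_tokens'] as $stored => $issued) {
        // Cast: PHP turns all-digit string keys into ints, and hash_equals wants strings.
        if (hash_equals((string) $stored, $posted)) {   // constant-time comparison
            unset($store['form_tokens'][$stored]);
            return (time() - $issued) <= FORM_TOKEN_TTL;
        }
    }
    return false;
}

// Constructed walk-through; a plain array stands in for $_SESSION.
$session = [];
$token = generate_form_token($session);
echo form_token_field($token), "\n";
var_dump(validate_form_token($session, $token));               // first use
var_dump(validate_form_token($session, $token));               // replay of the same token
var_dump(validate_form_token($session, str_repeat('0', 64)));  // forged value
var_dump(validate_form_token($session, ['x']));                // not a string at all
```

In the POST handler the check is validate_form_token($_SESSION, $_POST[FORM_TOKEN_FIELD] ?? null) before anything else is done with the submission; because every rendering gets its own token, a user with the form open in two tabs can submit both, which a single reused session key would not allow.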

  4. #4 scoobasteve1982 (SitePoint Addict, joined Apr 2007)

    thanks

    Thanks! I figured I could do it that way but I was looking for a more reusable approach but maybe that's the only quick way to do it.

