Easy way to add commas to items in string greater than one

What is the easiest way to make sure that form data is only being submitted from the server, so someone cannot send POST values to my .php scripts? I’m using AJAX to send POST data in the background.

Disregard the title, it won’t let me edit it :frowning:

One technique is to add a hidden value to the data. This is where you save a random key to the server session and to the hidden form field, then, when the form is submitted, check whether the two match.

There are still likely to be ways around that though, so really we need to learn from you more information about the problem you are trying to solve.

I’ve thought about creating a random value in a session and having the form look for it over the hidden input value since a user can see the hidden form field or the name the form will look for.

I’m basically having jQuery send the information to a separate .php script, and then the PHP script returns a response (can be JSON or not). If all the values match and the MySQL insert happened, the JavaScript gets a message about it being complete.

But the issue with that is, if I send it via jQuery they will know my POST values anyway if I use hidden. Also, if I have a session set in my main page, would I have to have the .php script have a start_session() value to be able to use it, right?

(Side question: Does an AJAX call conserve session data if the called page starts with session_start?)

But the file your AJAX form is calling can look for things too. Store the session ID in a database with a timestamp, and then use the hidden form field to pass the session ID… if the session ID doesn’t exist or the timestamp is expired… reject the data. (i.e. a pseudo-session)

It’s not perfect, but it’s a step in the right direction?

An AJAX request can send/receive and store cookies, so they work the same as far as sessions go. Yes, you would need to call session_start() in the receiveAjaxPost.php script.

What is the purpose of all of this though? Are you trying to protect against a cross-site request forgery (CSRF)? Or are you just trying to make it more difficult for automated submissions?
Are these values specific/related to the user (what are they)?
How critical is it?
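The session-plus-hidden-field technique suggested earlier in the thread, together with the `session_start()` point for the AJAX handler, as an added example; this is not code from any of the posters. It assumes PHP 7.1 or newer, a page that embeds the token in a hidden `csrf_token` field, and a handler script named `receiveAjaxPost.php` (the name used above; any name works).

```php
<?php
// Added example (not from the thread). Assumed layout:
//   form page          -- renders the hidden csrf_token field and posts via jQuery
//   receiveAjaxPost.php -- this file, the target of the $.post() call
// Both must share the same PHP session, which is why each calls session_start().

// Issue one random token per session and reuse it for the session's lifetime.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: unguessable by a third-party site.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the one stored server-side.
// hash_equals() does a constant-time comparison; an empty stored token never matches.
function csrf_check(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

// --- receiveAjaxPost.php request handling ---
// session_start() is required here even though the main page already started the
// session: the AJAX request carries the session cookie, but $_SESSION is only
// populated in scripts that start the session themselves.
session_start();
header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['ok' => false, 'error' => 'POST only']);
    exit;
}

if (!csrf_check($_POST['csrf_token'] ?? null)) {
    // Token missing, belonging to a different session, or guessed: reject before
    // touching MySQL. A forged request from another site lands here.
    http_response_code(403);
    echo json_encode(['ok' => false, 'error' => 'invalid token']);
    exit;
}

// Token matched. Validate the remaining fields and run the insert with a prepared
// statement here; on success, tell the JavaScript caller it completed.
echo json_encode(['ok' => true]);
```

In the page that renders the form, call `csrf_token()` and emit it as `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">`; `$('#myForm').serialize()` then sends it along with the other fields. The token being visible in the logged-in user's own page source is expected and harmless: the check defends against a request forged from another site, which cannot read this user's page or session. It does not stop the user themself (or a script running as that user) from submitting, which is the distinction the last reply's questions are getting at.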