I have a simple form:
<form name="blabla" action="path.php" >bla bla bla </form>
The path in the form action is visible, of course, but how can I prevent another form, on another web server, from accessing my form action?
I ask because someone inserted a new record in my database using this form action from another location.
How can I protect against that?
I would suggest making sure (somehow) that the post is coming from your website.
Use cookies, sessions, or some other method to make sure of it (like checking the page referrer [which is not always reliable]).
Use sessions: in your form page, generate a random value, put that value into a hidden field and save it in $_SESSION; then, on form submission, check that the value in the form matches the one in the session data. This also helps against CSRF (though not fully).
You can also use the $_SERVER['HTTP_REFERER'] value. It is not a required header, and some browsers will not send it under perfectly valid usage (and it is easily spoofed by malicious users), so it's not totally fool-proof.
You could test the http host header, which is set in the following PHP superglobal...
$_SERVER['HTTP_HOST'];
...but headers can be forged on the client.
What you are really after is cross-site request forgery protection, which usually involves injecting a security token into the form data, which is then compared to the token you store for the user on the server (e.g. session data).
Symfony2's excellent forms API does this for you for free; there are also libraries for doing this, or you can just roll your own. Whatever suits.
http://www.serversidemagazine.com/php/php-security-measures-against-csrf-attacks/
I usually add a $token value like what this guide mentions.
E.g.:
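<?php # Your validator
session_start();
if (isset($_POST['foo'], $_POST['bar'])) { # Required sent values (list every required field)
    if (isset($_SESSION['token'], $_POST['token'])
        && is_string($_POST['token'])
        && hash_equals($_SESSION['token'], $_POST['token'])) { # Check token (constant-time)
        # Check if things are valid
    } else {
        # Error
    }
}
?>
<?php # Your form page
session_start(); # Needed here too, so the token is actually saved
$token = bin2hex(random_bytes(32)); # Unpredictable token from the CSPRNG
$_SESSION['token'] = $token;
?>
<form action="" method="post">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
</form>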
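An added example, not part of any answer above and not the linked guide's code: the session token check from the answers combined with the Origin/Referer test they describe as unreliable, where a missing header defers to the token and a mismatching one is rejected. The helper names and the `ALLOWED_ORIGIN` value are assumptions; it assumes PHP 7+ and cookie-based sessions.

```php
<?php
// Added example: hypothetical helper names, not from the original answers.
const ALLOWED_ORIGIN = 'https://www.example.com'; // assumption: your site's scheme + host

function csrf_token(): string
{
    // One unpredictable token per session, drawn from the OS CSPRNG.
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_token_ok(array $post, array $session): bool
{
    $sent   = $post['token'] ?? null;
    $stored = $session['token'] ?? null;
    // A field sent as token[]=x arrives as an array; accept only non-empty strings.
    if (!is_string($sent) || !is_string($stored) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $sent); // constant-time comparison
}

function origin_ok(array $server): bool
{
    // Prefer Origin, fall back to Referer. Both are optional headers.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return true; // header absent: the token check alone decides
    }
    $p = parse_url($source);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false; // e.g. the literal value "null" sent by sandboxed pages
    }
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return strcasecmp($origin, ALLOWED_ORIGIN) === 0;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!origin_ok($_SERVER) || !csrf_token_ok($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected');
    }
    // ... validate the fields and insert the record here ...
}
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
</form>
```

The header check is only a secondary filter for browser-sent requests; the session-bound token remains the control that the form handler relies on.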