I have a website that has 2 .php files in it. One is user.php and the other is success.php.
In the user.php, I have an HTML form with textarea and an input submit button. The action of the form is success.php (Demo of the user.php: jsfiddle.net/SS33s)
And here is the success.php code: jsfiddle.net/bL2u5/
What I need is PHP code to put inside the success.php page to NOT allow forms that were submitted from any other website EXCEPT my website (Mywebsite.com), and to show something like "There was an error completing your request, please go to mywebsite.com." to the people who submitted the form on OTHER websites than mine.
The thing is that Google Analytics has tracked some people who have an HTML form with action="http://mywebsite.com/success.php", which I don't want; I want only MY users to access the success.php page.
Please excuse my English. English is not my first language and I am trying to explain my problem as clear as possible. Thank you :)
Read about Cross-site request forgery (CSRF).
Add this code at the top of your PHP page:
<?php
// Only continue when the browser reports that the form came from our own page.
// Replace the URL below with the full URL of the page that hosts the form.
// The isset() guard avoids an "undefined index" notice when no Referer header is sent.
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != "http://localhost/user.php") {
    die();
} else {
    // the code to execute
}
If you want, check this out: CSRF (Cross-site request forgery) attack example and prevention in PHP.
Well, a good server should prevent _POST attacks automatically, at least mine does. However, the server cannot detect userscript attacks.
So there is a little trick for that. This trick also makes spiderbots' life a little harder, because the form data is different and has to be manually copied from the source.
This solution works with $_SESSION (read more).
This is the class.form_session.php example:
<?php
// First we have to start the session so the token survives between requests
session_start();
// This wraps the functions neatly into a class
class FormSession {
    // This function creates the form session token and stores it in $_SESSION
    function create_form_session () {
        $hash = md5('SomeRandomStringToMakeTheHashImpossible' . time());
        return $_SESSION['form_session'] = $hash;
    }
    // This function simply returns the current form session token (null if none exists)
    function current_form_session () {
        return isset($_SESSION['form_session']) ? $_SESSION['form_session'] : null;
    }
    // This function kills/deletes/unsets the form session token
    function destroy_form_session () {
        unset($_SESSION['form_session']);
    }
}
// Let's instantiate the class and make it usable
$fs = new FormSession;
This is the user.php example:
<?php
// Include START - If you are going to use this trick cross-server, include this part at the top of each file (that uses this method, of course)
require('class.form_session.php');
// Include END
// Let's create a new form session token
$form_session = $fs->create_form_session();
// Let's generate a very simple form; the field names carry the token, and the form posts to success.php
print '<form method="post" action="success.php">
<input type="text" name="' . $form_session . '_username" value="" placeholder="Username" /><br />
<input type="password" name="' . $form_session . '_password" value="" placeholder="Password" /><br />
<input type="submit" name="' . $form_session . '_submittrigger" value="Submit this!" />
</form>';
This is the success.php example:
<?php
// Include START - If you are going to use this trick cross-server, include this part at the top of each file (that uses this method, of course)
require('class.form_session.php');
// Include END
// This catches the submit; this could also be in another file.
// isset() avoids a notice when the token is missing or the field was not sent.
if (isset($_POST[$fs->current_form_session() . '_submittrigger'])) {
    // Success!
    echo '<pre>'; print_r($_POST); echo '</pre>';
    // Now let's delete the session token so the same form cannot be submitted again
    $fs->destroy_form_session();
}
As you can see, this works in one file, which is the way I personally like the submits to be; however, if you include the top session-related part in your success.php, then it should work fine.
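The two answers above describe two separate checks: the first compares the Referer header against the page that hosts the form, the second ties the form to a token stored in $_SESSION. The following is an added example, not code from the question or from either answer, that combines both for success.php: a per-session token generated with random_bytes() and compared with hash_equals(), plus an Origin/Referer host check. The function names (csrf_token, csrf_validate, same_origin, render_form, handle_submission), the constant ALLOWED_HOST and the constructed sample request at the bottom are assumptions made for this example; the session and server arrays are passed in as parameters so the logic can be exercised from the command line without a web server.

```php
<?php
// Added example (not from the question or either answer): a CSRF token plus an
// origin check for success.php. csrf_token(), csrf_validate(), same_origin(),
// render_form(), handle_submission() and ALLOWED_HOST are assumptions.
declare(strict_types=1);

const ALLOWED_HOST = 'mywebsite.com'; // assumption: the site's own host name

// Generate (or reuse) a per-session token from the CSPRNG rather than md5(time()).
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_validate(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false; // no token issued, or the field is missing / not a string
    }
    return hash_equals($expected, $given);
}

// Secondary check: the browser-supplied Origin (or, failing that, Referer)
// must name our own host. A missing header is treated as a failure.
function same_origin(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, ALLOWED_HOST) === 0;
}

// Render the form (what user.php would emit) with the token in a hidden field.
function render_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="success.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<textarea name="message"></textarea>'
         . '<input type="submit" value="Submit">'
         . '</form>';
}

// What success.php does with a submission. Returns the message instead of
// echoing it so the decision can be inspected by the caller.
function handle_submission(array &$session, array $post, array $server): string
{
    if (!same_origin($server) || !csrf_validate($session, $post)) {
        return 'There was an error completing your request, please go to mywebsite.com.';
    }
    unset($session['csrf_token']); // one-time use: a replayed form is rejected
    return 'OK: ' . htmlspecialchars((string) ($post['message'] ?? ''), ENT_QUOTES, 'UTF-8');
}

// --- Constructed demonstration (no web server needed) ---
if (PHP_SAPI === 'cli') {
    $session = [];                                 // stands in for $_SESSION
    $form = render_form($session);                 // what user.php would send
    preg_match('/name="csrf_token" value="([0-9a-f]+)"/', $form, $m);

    // 1. Legitimate submission: our token, Origin names our host.
    echo handle_submission($session,
        ['csrf_token' => $m[1], 'message' => 'hello'],
        ['HTTP_ORIGIN' => 'https://mywebsite.com']), PHP_EOL;

    // 2. Form copied to another site: no token, Referer names a foreign host.
    echo handle_submission($session,
        ['message' => 'spam'],
        ['HTTP_REFERER' => 'http://other-site.example/form.html']), PHP_EOL;
}
```

In a real deployment, call session_start() first and pass $_SESSION, $_POST and $_SERVER in place of the constructed arrays. The token check is the one that actually prevents cross-site submissions: Origin and Referer are set by the browser and can be absent or stripped by privacy settings, so the host check is a useful second layer rather than a substitute for the token.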