I have page.php, which receives POST data and is located at a known position. How can I obtain the URL of each page that sends data to page.php via POST, or how can I block/allow POST data from certain sites?
You can (although not reliably) get the URL of the referring page via $_SERVER['HTTP_REFERER']. There are, however, a number of situations where this will be blank (most commonly when coming from an HTTPS site).
The only reliable way to limit which sites can cause a browser to submit data to your script which will be accepted is to implement protection against CSRF and stop all sites that are not your site.
Generate a random token. Store that token in a cookie or session. Store it in a hidden input in the form. When the form is submitted, check if the token in the form matches the token in the cookie/session. If it doesn't, then the form that submitted the data was not on your site.
I use PayPal IPN, so I need to check if POST comes from PayPal
You're trying to solve this problem the wrong way.
Read PayPal's IPN documentation. They provide a means to determine if the event came from them or not.
- PayPal HTTP POSTs your listener an IPN message that notifies you of an event.
- Your listener returns an empty HTTP 200 response to PayPal.
- Your listener HTTP POSTs the complete, unaltered message back to PayPal; the message must contain the same fields (in the same order) as the original message and be encoded in the same way as the original message.
- PayPal sends a single word back - either VERIFIED (if the message matches the original) or INVALID (if the message does not match the original).
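The four-step handshake above, implemented as a PHP listener. This is an added example, not code from the answer or from PayPal; the endpoint URLs and the `cmd=_notify-validate` prefix come from PayPal's IPN documentation and should be confirmed against the current docs, and the transport is passed in as a callable so the verification logic can be exercised offline with a constructed message and a fake PayPal.

```php
<?php
// Added example: PayPal IPN listener implementing the postback handshake.
// The HTTP transport is injected so verify_ipn() can run without network access.
declare(strict_types=1);

// Postback endpoints per PayPal's IPN documentation (confirm before deploying).
const PAYPAL_IPN_LIVE    = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const PAYPAL_IPN_SANDBOX = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';

/**
 * Post the raw, unaltered IPN body back to PayPal and return true only if
 * PayPal answers VERIFIED. $postBack(string $url, string $body): string is the
 * transport; curl_post_back() below is the real one, the demo uses a fake.
 */
function verify_ipn(string $rawBody, callable $postBack, string $endpoint = PAYPAL_IPN_LIVE): bool
{
    if ($rawBody === '') {
        return false;
    }
    // PayPal expects the original body prefixed with cmd=_notify-validate.
    // The original fields are forwarded byte-for-byte, never re-parsed or re-encoded,
    // because PayPal compares them with what it sent (same fields, same order, same encoding).
    $response = $postBack($endpoint, 'cmd=_notify-validate&' . $rawBody);
    return trim($response) === 'VERIFIED';
}

/** Real transport: a cURL POST returning PayPal's one-word reply (or '' on error). */
function curl_post_back(string $url, string $body): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // never disable: an on-path attacker could answer VERIFIED
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded', 'Connection: close'],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $out = curl_exec($ch);
    curl_close($ch);
    return $out === false ? '' : $out;
}

/**
 * Checks that VERIFIED alone does not give you: the message is genuinely PayPal's,
 * but it may be for another merchant account, a different amount/currency,
 * an incomplete payment, or a replay of a txn_id you already processed.
 * $seenTxnIds stands in for a persistent store of processed transaction IDs.
 */
function ipn_is_acceptable(string $rawBody, string $receiverEmail, string $expectedAmount, string $currency, array &$seenTxnIds): bool
{
    parse_str($rawBody, $ipn);
    if (($ipn['payment_status'] ?? '') !== 'Completed')     return false;
    if (($ipn['receiver_email'] ?? '') !== $receiverEmail)  return false;
    if (($ipn['mc_gross'] ?? '') !== $expectedAmount)       return false;
    if (($ipn['mc_currency'] ?? '') !== $currency)          return false;
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxnIds[$txn]))            return false; // replay
    $seenTxnIds[$txn] = true;
    return true;
}

if (PHP_SAPI !== 'cli') {
    // Real listener: read the raw body, acknowledge with an empty HTTP 200 first
    // (PayPal retries on anything else), then verify and apply business checks.
    $raw = file_get_contents('php://input');
    http_response_code(200);
    $verified = verify_ipn($raw, 'curl_post_back');
    // ... persist $verified and run ipn_is_acceptable() against your own order record
    exit;
}

// Offline demo: a constructed IPN body and a fake PayPal that answers VERIFIED
// only when the body it receives is the prefixed, unaltered original.
$sample = 'txn_id=TX123&payment_status=Completed&receiver_email=shop%40example.com&mc_gross=19.99&mc_currency=USD';
$fakePayPal = function (string $url, string $body) use ($sample): string {
    return $body === 'cmd=_notify-validate&' . $sample ? 'VERIFIED' : 'INVALID';
};
$seen = [];
var_dump(verify_ipn($sample, $fakePayPal));                                      // untouched body
var_dump(verify_ipn(str_replace('19.99', '1.00', $sample), $fakePayPal));        // tampered amount
var_dump(ipn_is_acceptable($sample, 'shop@example.com', '19.99', 'USD', $seen)); // first delivery
var_dump(ipn_is_acceptable($sample, 'shop@example.com', '19.99', 'USD', $seen)); // same txn_id again
```

Run it from the command line to see the demo; only the tampered body and the replayed txn_id are rejected. The design point is that the postback answers "did PayPal send exactly these bytes", so the raw body is echoed without touching it, while the receiver, amount, currency, status and replay checks are yours to make against your own order data.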
You can verify the form is from a certain page by doing something like this:
In your form add a random hidden value, and save the value to the session along with a page:
<?php
session_start();
$randomValue = bin2hex(random_bytes(32)); // Randomly generated string (CSPRNG, not rand()/uniqid())
$_SESSION['csfr_token'] = $randomValue;
$_SESSION['csfr_page_url'] = $_SERVER['REQUEST_URI']; // URL (path) of the current page
?>
<input type="hidden" name="csfr_token" value="<?php echo htmlspecialchars($randomValue); ?>" />
The above obviously only applies if you are using a form; if not, then add the csfr_token to the POST using whatever method you are using.
Then on your page that manages the post:
<?php
session_start();
// All three values must exist, the token must be a string (hash_equals rejects arrays),
// and the comparison is done in constant time rather than with ===.
if (isset($_SESSION['csfr_token'], $_SESSION['csfr_page_url'], $_POST['csfr_token'])
    && is_string($_POST['csfr_token'])
    && hash_equals($_SESSION['csfr_token'], $_POST['csfr_token'])
    && $_SESSION['csfr_page_url'] === 'the URL that you want to allow') {
    // Do your stuff
} else {
    // Post isn't valid
}
Update:
I think the following question is related: Verifying a Paypal transaction via POST information