On page1.php I have a form which sends vars via POST to page2.php. However, I only want to process the form if it is called from page1.php.

How do I check for this?

Kind regards!

EDIT: It's a kind of security measure. If i'm a hacker and I copy the form code from the source of the page and run it, I can change crucial vars.

EDIT2:
Ok here is the actual problem:
Users can edit credit to their account. They can choose values from 5EUR to 50EUR.
Eventually they come on a page 'deposit.php' where the final form is sent to a page 'payments.php' which then sends the var to Paypal.

Deposit.php:

<form class="paypal" action="paypal/payments.php" method="post" id="paypal_form" target="_blank">    
<input type="hidden" name="cmd" value="_xclick" /> 
<input type="hidden" name="no_note" value="1" />
<input type="hidden" name="lc" value="BE" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
<input type="hidden" name="item_number" value="50" / >
<input type="hidden" name="price" value="47.50" / >
<input type="submit" class="uibutton " value="Betaal met Paypal" style="width: 100%; font-size:120%;">

(BTW they get a discount if they add 50EUR)

Well, first of all you have to understand that there is no security measure the way you put it. And, of course, no method provided by other participants can protect your "crucial vars". They were actually answering other question, one is more familiar to them.

Forms are intended to be filled by client party. So, you can't expect whatever variable be untouched. Everything coming from the client side can be spoofed, no matter what measures you took.

So, whatever "crucial vars" should remain on the server.
While all the data coming from the form should be considered unsafe and treated accordingly.

Depending on the application, you could use $_SERVER['HTTP_REFERER'] and do a check but the problem with it is that not all browsers send it, and it is modifiable by the user. So if this is just for a few people that you know it probably won't be a problem. If this is for the world it isn't recommended.

What I usually do is set a session on page 1, then check for that session on page 2. Every time page 1 loads you need to reset the session.

page1.php

<?php
session_start();
$hash = $_SESSION['hash'] = md5(time().rand(0,100));
?>
<form action="page2.php" meethod="post">
    <input type="hidden" name="h" value="<?php echo $hash; ?>" />
    Your Name: <input type="text" name="name" />
</form>

page2.php

<?php
session_start();
if($_SESSION['hash'] != $_POST['h']){
    header("Location: page1.php");
    exit;
}

// process data

I think Adam D response is too weak (Anyone can change that just using firebug). what you want to prevent is users to skip some step or avoid XSRF.

In that case I would say use sessions.

• Create a session
• Save the current step
• Retrieve and validate the current step and halt or continue according to the value

In your form, include a hidden field that you then check for on page2.php. See below:

<form action="post.php" method="POST">
  <input type="text" name="fname" id="fname" />
  <input type="hidden" name="cameFromPageOne" value="true" />
</form>

Then, on the top of page2.php, check that the hidden variable is set, and if not, redirect back to page1.php

<?php

if(!isset($_POST['cameFromPageOne']) || $_POST['cameFromPageOne'] != 'true') {
  header('location: http://www.example.com/page1.php');
  exit();
} else {
    // ... code to process if they DID come from page1.php
}

?>

There's no reason to overcomplicate it, there's a global variable in PHP which tell's you the url your current script was requested from:

echo $_SERVER["HTTP_REFERER"];