Check if form is called from correct page

Published 2019-06-13 15:52

On page1.php I have a form which sends vars via POST to page2.php. However, I only want to process the form if it is called from page1.php.

How do I check for this?

Kind regards!

EDIT: It's a kind of security measure. If I'm a hacker and I copy the form code from the source of the page and run it, I can change crucial vars.

EDIT2:
Ok, here is the actual problem:
Users can edit credit to their account. They can choose values from 5 EUR to 50 EUR.
Eventually they arrive on a page 'deposit.php' where the final form is sent to a page 'payments.php', which then sends the var to PayPal.

Deposit.php:

<form class="paypal" action="paypal/payments.php" method="post" id="paypal_form" target="_blank">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="no_note" value="1" />
<input type="hidden" name="lc" value="BE" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
<input type="hidden" name="item_number" value="50" />
<input type="hidden" name="price" value="47.50" />
<input type="submit" class="uibutton" value="Betaal met Paypal" style="width: 100%; font-size:120%;">
</form>

(BTW they get a discount if they add 50 EUR)

Tags: php forms
5 answers
乱世女痞
Answer 2 · 2019-06-13 16:35

I think Adam D's response is too weak (anyone can change that just using Firebug). What you want to prevent is users skipping some step, or XSRF.

In that case I would say use sessions.

  • Create a session
  • Save the current step
  • Retrieve and validate the current step and halt or continue according to the value
对你真心纯属浪费
Answer 3 · 2019-06-13 16:37

Well, first of all you have to understand that there is no security measure the way you put it. And, of course, no method provided by other participants can protect your "crucial vars". They were actually answering another question, one that is more familiar to them.

Forms are intended to be filled in by the client party. So, you can't expect any variable to be untouched. Everything coming from the client side can be spoofed, no matter what measures you take.

So, whatever "crucial vars" there are should remain on the server,
while all the data coming from the form should be considered unsafe and treated accordingly.

不美不萌又怎样
Answer 4 · 2019-06-13 16:42

There's no reason to overcomplicate it; there's a global variable in PHP which tells you the URL your current script was requested from:

echo $_SERVER["HTTP_REFERER"];
啃猪蹄的小仙女
Answer 5 · 2019-06-13 16:44

In your form, include a hidden field that you then check for on page2.php. See below:

<form action="post.php" method="POST">
  <input type="text" name="fname" id="fname" />
  <input type="hidden" name="cameFromPageOne" value="true" />
</form>

Then, at the top of page2.php, check that the hidden variable is set, and if not, redirect back to page1.php:

<?php

if(!isset($_POST['cameFromPageOne']) || $_POST['cameFromPageOne'] != 'true') {
  header('location: http://www.example.com/page1.php');
  exit();
} else {
    // ... code to process if they DID come from page1.php
}

?>
来,给爷笑一个
Answer 6 · 2019-06-13 16:45

Depending on the application, you could use $_SERVER['HTTP_REFERER'] and do a check, but the problem with it is that not all browsers send it, and it is modifiable by the user. So if this is just for a few people that you know, it probably won't be a problem. If this is for the world, it isn't recommended.

What I usually do is set a session on page 1, then check for that session on page 2. Every time page 1 loads you need to reset the session.

page1.php

<?php
session_start();
// Issue an unguessable one-time token and keep a copy in the session
// (a CSPRNG rather than md5(time().rand()), which is trivially guessable).
$hash = $_SESSION['hash'] = bin2hex(random_bytes(16));
?>
<form action="page2.php" method="post">
    <input type="hidden" name="h" value="<?php echo htmlspecialchars($hash); ?>" />
    Your Name: <input type="text" name="name" />
</form>

page2.php

<?php
session_start();
// Reject the request unless page1 issued a token and the posted one matches it.
// isset() avoids undefined-index warnings; hash_equals() is a constant-time compare.
if (!isset($_SESSION['hash'], $_POST['h'])
    || !hash_equals($_SESSION['hash'], (string) $_POST['h'])) {
    header("Location: page1.php");
    exit;
}

// process data
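Putting together the two points the answers above make (the crucial value, here the price, stays on the server, and the form carries only a session-bound token), the following is an added example; it is not code from any of the answers or from the asker's deposit.php. The session keys `deposit_amount` and `deposit_token`, the price table and the function names are assumptions made for this illustration, and deposit.php and payments.php are written as two functions in one file so it runs from the CLI.

```php
<?php
// Added example, not from the question or any answer above. Assumed names:
// session keys 'deposit_amount' / 'deposit_token', the DEPOSIT_PRICES table
// and both function names are choices made here for illustration.
declare(strict_types=1);

// Server-side price table: the ONLY place an amount is turned into a price.
// The 50 EUR tier carries the discount the question mentions.
const DEPOSIT_PRICES = [
    5  => '5.00',
    10 => '10.00',
    20 => '20.00',
    50 => '47.50',
];

// deposit.php: the user picks an amount; we store the choice and a one-time
// token in the session, and the form carries nothing but that token.
function renderDepositForm(int $amount): string
{
    if (!array_key_exists($amount, DEPOSIT_PRICES)) {
        throw new InvalidArgumentException('unknown deposit amount');
    }
    // random_bytes() is a CSPRNG, so the token cannot be guessed or replayed
    // by someone who only has a copy of the page source.
    $token = bin2hex(random_bytes(32));
    $_SESSION['deposit_amount'] = $amount;
    $_SESSION['deposit_token']  = $token;

    $safeToken = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form action="paypal/payments.php" method="post">'
         . '<input type="hidden" name="token" value="' . $safeToken . '" />'
         . '<input type="submit" value="Betaal met Paypal" />'
         . '</form>';
}

// payments.php: accept only the token, look the amount up server-side and
// return the fields to forward to PayPal, or null to reject the request.
function processDeposit(array $post): ?array
{
    $expected = $_SESSION['deposit_token'] ?? null;
    $amount   = $_SESSION['deposit_amount'] ?? null;
    $given    = $post['token'] ?? null;

    // Reject if no deposit step was started in this session, the posted
    // token is not a string, or it does not match (constant-time compare).
    if (!is_string($expected) || !is_int($amount)
        || !is_string($given) || !hash_equals($expected, $given)) {
        return null;
    }
    // Consume the token so a second POST of the same form is rejected.
    unset($_SESSION['deposit_token'], $_SESSION['deposit_amount']);

    // The price comes from the server-side table. Whatever the client posted
    // under 'price' or 'item_number' is never read, so it cannot be tampered.
    return [
        'item_number'   => $amount,
        'price'         => DEPOSIT_PRICES[$amount],
        'currency_code' => 'EUR',
    ];
}

// Demonstration with a constructed session (no real HTTP round trip).
session_start();
echo renderDepositForm(50), PHP_EOL;

// A tampered submission that supplies its own price and amount still gets
// the server-side values; the replay of the same token is then rejected.
$tampered = [
    'token'       => $_SESSION['deposit_token'],
    'price'       => '0.01',
    'item_number' => '500',
];
var_dump(processDeposit($tampered));   // price '47.50', item_number 50
var_dump(processDeposit($tampered));   // NULL: token already consumed
```

The check answers the asker's actual worry rather than the question as first phrased: payments.php no longer cares which page the POST came from, because the only thing the browser can influence is whether it presents the token that deposit.php issued to this session, and the price is decided on the server regardless. The referer header and the `cameFromPageOne` hidden field from the other answers add nothing to this, since both are set by the client.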