Revision: 11040
at January 21, 2009 13:20 by luizlopes
Initial Code
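if ($_SERVER['REQUEST_METHOD'] == 'POST') // or possibly, count($_POST) > 0
{
    // Strip a leading "www." so www.example.com and example.com compare equal.
    $host = strtolower(preg_replace('#^www\.#', '', $_SERVER['SERVER_NAME']));
    // Requests that carry no Referer header are not checked at all.
    if ($host AND !empty($_SERVER['HTTP_REFERER']))
    {
        // parse_url() yields null for a missing host and false for a malformed URL.
        $refhost = strtolower((string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST));
        $refhost = preg_replace('#^www\.#', '', $refhost);
        // Accept only the same host or one of its subdomains; a substring
        // match would also accept any host that merely contains $host.
        if ($refhost !== $host AND substr($refhost, -strlen('.' . $host)) !== '.' . $host)
        {
            die('POST requests are not permitted from "foreign" domains.');
        }
    }
}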
Initial URL
http://www.namepros.com/2996502-post8.html
Initial Description
[quote]$_SERVER['HTTP_REFERER']'s problem is that it can be spoofed, but it's better than nothing if you really want that.[/quote]
Initial Title
Prevent Remote Form Submit
Initial Tags
form, post, security
Initial Language
PHP
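
The host comparison at the centre of this Referer check, written as an added example (not part of the original snippet): it runs a substring match and an exact-host-or-subdomain match over the same constructed Referer values so the difference is visible. The function names and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example: two ways to compare a Referer host with the server name.

/** Lowercase a host name and drop a leading "www.". */
function normalize_host(string $host): string
{
    return preg_replace('#^www\.#', '', strtolower($host));
}

/** Loose test: true when the server host appears anywhere in the Referer host. */
function referer_matches_loose(string $referer, string $serverName): bool
{
    $refhost = (string) parse_url($referer, PHP_URL_HOST);
    return strpos($refhost, normalize_host($serverName)) !== false;
}

/** Strict test: true only for the same host or one of its subdomains. */
function referer_matches_strict(string $referer, string $serverName): bool
{
    $host = normalize_host($serverName);
    $refhost = normalize_host((string) parse_url($referer, PHP_URL_HOST));
    if ($host === '' || $refhost === '') {
        return false; // a malformed or host-less Referer never matches
    }
    $suffix = '.' . $host;
    return $refhost === $host || substr($refhost, -strlen($suffix)) === $suffix;
}

// Constructed Referer values, using reserved example/test domains only.
$server = 'www.example.com';
$samples = [
    'https://example.com/contact.php',           // same host
    'https://www.example.com:8443/contact.php',  // same host, explicit port
    'https://forum.example.com/post',            // subdomain
    'https://example.com.other.test/form.html',  // server name used as a prefix
    'https://notexample.com/form.html',          // server name used as a suffix
    'https://other.test/?from=example.com',      // server name only in the query
    'not a url',                                 // no host component
];

foreach ($samples as $referer) {
    printf("%-45s loose=%-5s strict=%s\n",
        $referer,
        var_export(referer_matches_loose($referer, $server), true),
        var_export(referer_matches_strict($referer, $server), true));
}
```

Only the fourth and fifth samples differ between the two tests: the loose match accepts them and the strict match rejects them. Neither test covers a request sent with no Referer or with a forged one.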