
A way to prevent off-site form submissions?

4:41 am on Oct 17, 2010 (gmt 0)

Junior Member

10+ Year Member

joined:May 1, 2005
posts:108
votes: 0


Hello. I don't know if it's possible, but I want to block form submissions that come from anywhere other than my own website.

For example, let's say I have this form:

<form action='http://site.com/somepage' method='post'>
<input type='hidden' name='num' value='123' />
<input type='submit' name='post' value='Go'/>
</form>

Currently, someone can just copy this form to their desktop, open it in notepad, change the "123" to "789", then submit it.

Is there a way to block off-site submissions with htaccess (or anything else)?

Thanks.
12:15 pm on Oct 17, 2010 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11567
votes: 182


You can do this by testing the HTTP_REFERER and REQUEST_METHOD server variables and returning a 403 Forbidden status code response if you don't like what you see.

Block unauthorized form posts:
http://www.webmasterworld.com/forum92/1147.htm#msg1521479 [webmasterworld.com]
6:00 pm on Oct 17, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


HTTP Referrers are unreliable; they can be spoofed, and they can be suppressed by caching proxies used in corporate and ISP networks. Therefore, the Referer header will be missing a good deal of the time, leaving you with insufficient information to make a decision. Further, a submission 'bot could copy one of your valid page URLs and use it to spoof a valid referrer.

As with anti-hotlinking, a better method is to set a cookie on an "authorizing" page --say the one with the form on it-- and then check that cookie before actually accepting the form submission. Further, it would be advisable to check that the visitor's browser is configured to accept cookies prior to presenting the form, and if not, inform him/her that acceptance of a short-lived or session cookie is required.

Then if a form is submitted with no cookie, you can simply pretend to accept it, and discard the submission.

Cookies can be checked using mod_rewrite or server-side scripting on any Apache version. Cookies can be set using mod_rewrite on Apache 2 or later, or with a script on any Apache version.

Jim
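The cookie approach Jim describes, written out as a server-side script rather than mod_rewrite. This is an added example, not code from the thread: it issues a short-lived cookie on the form page and silently discards any POST that lacks a valid one. It goes a step further than the post by HMAC-signing the cookie and binding it to the hidden field's value, so a copied form with "123" edited to "789" is rejected even if the cookie itself was obtained legitimately. The secret, cookie name and TTL are constructed values.

```python
import hashlib
import hmac
import time

# Constructed example secret; a real deployment loads this from config, not source.
SECRET = b"example-server-secret-not-for-production"
COOKIE_NAME = "formauth"   # name used in Set-Cookie on the page that renders the form
TTL_SECONDS = 600          # short-lived, in the spirit of a session cookie


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_cookie(form_num, now=None):
    """Cookie value to set on the 'authorizing' page (the one with the form).
    Carries an expiry and the hidden field value the form was rendered with."""
    now = time.time() if now is None else now
    payload = "%d:%s" % (int(now) + TTL_SECONDS, form_num)
    return payload + ":" + _sign(payload)


def cookie_is_valid(cookie, form_num, now=None):
    """True only if the cookie is present, unmodified, unexpired, and was issued
    for the same hidden-field value the visitor is now submitting."""
    if not cookie:
        return False                      # cookies off, or form copied off-site
    try:
        exp, bound_num, sig = cookie.split(":", 2)
    except ValueError:
        return False                      # malformed
    if not hmac.compare_digest(sig, _sign(exp + ":" + bound_num)):
        return False                      # forged or tampered cookie
    now = time.time() if now is None else now
    if int(exp) < now:
        return False                      # expired
    return bound_num == form_num          # hidden field edited (123 -> 789)


def handle_submission(cookie, fields, now=None):
    """Returns (http_status, processed). Per Jim's advice, a post without a
    valid cookie gets the same 200 as a real one but is never processed."""
    if cookie_is_valid(cookie, fields.get("num", ""), now):
        return 200, True
    return 200, False
```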
5:27 am on Oct 18, 2010 (gmt 0)

Junior Member

10+ Year Member

joined:May 1, 2005
posts:108
votes: 0


Thank you both very much, that was extremely helpful.