Forum Moderators: coopster


Serious Security Issue

Build a form, any form...

         

inveni0

7:47 pm on Feb 14, 2007 (gmt 0)

10+ Year Member



So, my site is secure against SQL Injection because I do not use url encoded links and such. However, I've found that I have an update form that's giving me trouble. It appears that you can copy and paste the source code from the page into your own html file, then edit the values so that they suit your needs. Of course, the error checking is still done on my website, but I'm curious if there is a way to prevent data from being submitted outside of my website?

scriptmasterdel

9:31 pm on Feb 14, 2007 (gmt 0)

10+ Year Member



Two ways I know to do something like this:

1) Use the server's superglobal http_referer and check that string for your url. This could be hoaxed but it's not something everyone knows how to do BUT if a referer doesn't exist this will also fail.

Example

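<?php

// A missing Referer header is treated as an empty string (avoids an undefined index notice)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if (strstr($referer, 'www.mywebsite.com'))
{
// You may proceed!
}

?>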

strstr checks for the first string inside another string; if it exists it will return true.

2) Create a random string and store it as a session variable, this is a better approach because the string can only be set on your website and can not be stored by any other means.

<?php

session_start();

// Store a random key in the visitor's session when the form page is served
$_SESSION['key'] = rand(1, 100000000);

?>

I wouldn't just use numbers for the string, but that's something you could expand.

Then for the process page.

<?php

session_start();

// Only checks that the key was set earlier in this session
if (isset($_SESSION['key']))
{
// You may proceed!
}
?>

I hope I have helped a little.

Del

inveni0

9:36 pm on Feb 14, 2007 (gmt 0)

10+ Year Member



I like that random variable idea. I hadn't thought of that. Sessions are something I'll be using for the first time with my next project, and I found this 'hole' when testing my current methods for security. My next project has to be 99.9999% secure. So, using random variables and sessions should work fairly well if the form can not be submitted without this variable present. I see some obvious issues with this, but I like it nonetheless. I don't like the referrer issue.

Unless there are other ideas (perhaps something built into PHP) I suppose I'll just have to ensure that I have some crazy-good error checking to prevent database fiddling.

scriptmasterdel

9:55 pm on Feb 14, 2007 (gmt 0)

10+ Year Member



You could optionally use a CAPTCHA verification image to protect your form.

The ones I have written or worked with also use sessions so a brute force attack can not be made to these forms. That would be the better solution, come to think of it.

I use a free script called "freecap", courtesy of puremango. It's one of the best systems out and the guy who developed it has a real good reputation and has helped other companies improve the protection of their own image verification scripts.

Good luck with your journey!

Del

mcavic

2:43 am on Feb 15, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's no way to prevent people from submitting whatever data they want to your forms. You can prevent bots from submitting stuff automatically, and sessions are good for helping with authentication, but you have to treat everything received from the user as a possible hack attempt.

Also, your forms are susceptible to SQL injection if you don't escape the content before sending it to the SQL database.
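
The session-token idea from earlier in the thread, combined with the point that every submitted value still has to be validated on the server, as an added example that is not any poster's code. The function names and the `id`/`email` fields are assumptions, and the arrays stand in for `$_SESSION` and `$_POST` so the script runs from the command line.

```php
<?php
// Added example, not from the thread. Function and field names are hypothetical.
// Issue a fresh, unpredictable token and remember it server-side.
// In a real page, call session_start() and pass $_SESSION as $session.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32)); // CSPRNG instead of rand()
    return $session['form_token'];
}

// Accept a submission only if it carries the token stored in the session.
// The token is single-use: it is discarded whether or not it matched.
function verify_form_token(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']);
    $given = $post['form_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// A valid token only shows the form was served to this session. The values are
// still user-controlled, so each one is checked again on the server.
function validate_update(array $post): array
{
    $errors = [];
    $id = $post['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        $errors[] = 'id must consist of digits only';
    }
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return $errors;
}

// Constructed demo data: a copied form posted without a token, then an edited form.
$session = [];
issue_form_token($session);
$offsite = ['id' => '7', 'email' => 'a@example.com'];
var_dump(verify_form_token($session, $offsite));   // token check for the copied form

$token = issue_form_token($session);
$edited = ['form_token' => $token, 'id' => 'not-a-number', 'email' => 'x'];
var_dump(verify_form_token($session, $edited));    // token check for the served form
print_r(validate_update($edited));                 // field checks still apply
```

A visitor who loads the real form can still read the token from the page source and submit edited values, which is why `validate_update()` runs regardless of the token result.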

inveni0

2:35 pm on Feb 15, 2007 (gmt 0)

10+ Year Member



Thank you all for your assistance. I guess investing a lot of time into 'error checking' or 'hack proofing' is never a bad idea and something I should do anyhow.

jatar_k

2:42 pm on Feb 15, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you could try these threads for some thoughts too

PHP Security [webmasterworld.com]
PHP Peer Code Review [webmasterworld.com]

Combatting Webform hijack [webmasterworld.com]
SQL Injection Vulnerability [webmasterworld.com]

all good Library threads