
Revision: 11040
at January 21, 2009 13:20 by luizlopes


Initial Code
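if ($_SERVER['REQUEST_METHOD'] == 'POST') // or possibly,  count($_POST) > 0
{
    // Our own host name, lower-cased, without a leading "www."
    $host = preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));

    // Only checked when the client sent a Referer; requests without one still pass.
    if ($host AND !empty($_SERVER['HTTP_REFERER']))
    {
        // parse_url() returns false on a malformed URL and omits parts that are missing
        $refparts = parse_url($_SERVER['HTTP_REFERER']);
        $refhost  = (is_array($refparts) AND isset($refparts['host'])) ? strtolower($refparts['host']) : '';

        // Accept our host or a subdomain of it (the port is ignored). A plain strpos()
        // substring test would also accept a host such as "example.com.evil.test".
        if ($refhost !== $host AND substr($refhost, -strlen('.' . $host)) !== '.' . $host)
        {
            die('POST requests are not permitted from "foreign" domains.');
        }
    }
}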

Initial URL
http://www.namepros.com/2996502-post8.html

Initial Description
[quote]$_SERVER['HTTP_REFERER']'s problem is that it can be spoofed, but it's better than nothing if you really want that.[/quote]
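
The Referer header is supplied by the client and is often absent, so a check that does not depend on it is a per-session token placed in the form and compared on POST. The following is an added example, not part of the original snippet or the linked post; the function names and the form_token field name are hypothetical, and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example: per-session form token, independent of the Referer header.
// In a real page, call session_start() first and pass $_SESSION and $_POST.

// Create the token once per session and return it.
function form_token_issue(array &$session)
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32)); // 64 hex characters
    }
    return $session['form_token'];
}

// Hidden field to print inside every <form method="post">.
function form_token_field(array &$session)
{
    return '<input type="hidden" name="form_token" value="'
         . htmlspecialchars(form_token_issue($session), ENT_QUOTES) . '">';
}

// True only when the posted token is a string equal to the session's token.
function form_token_valid(array $session, array $post)
{
    if (empty($session['form_token'])
        || !isset($post['form_token'])
        || !is_string($post['form_token'])) {
        return false;
    }
    // hash_equals() compares in constant time
    return hash_equals($session['form_token'], $post['form_token']);
}

// Constructed demo data so the file runs from the command line without a web server.
$session = array();
$token   = form_token_issue($session);
echo form_token_field($session), "\n";

$cases = array(
    'own form'       => array('form_token' => $token),
    'no token'       => array(),
    'wrong token'    => array('form_token' => str_repeat('0', 64)),
    'array in field' => array('form_token' => array($token)),
);
foreach ($cases as $label => $post) {
    printf("%-15s %s\n", $label, form_token_valid($session, $post) ? 'accepted' : 'rejected');
}
```

On a live page, reject the request when form_token_valid($_SESSION, $_POST) returns false, before any of the form's fields are processed.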

Initial Title
Prevent Remote Form Submit

Initial Tags
form, post, security

Initial Language
PHP