Ensuring Form Action Location

Hi All,

In a personal project of mine, I've been using $_SERVER['HTTP_REFERER'] to tell me where the form was coming from. After glancing through the manual I was reminded that that variable is based on the user agent and cannot really be trusted.

What method would you guys recommend in ensuring that the form submission occurred on my site and telling me what page the form submission occurred on?

Thanks for any advice!

There really is no way to ensure that the form submission does actually occur on your website, it is the same reason why websites have problems with spam bots trying to post. The way many sites get around this is by using a CAPTCHA to ensure that they are visiting your site and they have to type in the special code. Still even with that some bots are smart enough to read the CAPTCHA text, but usually its enough to ensure most are not bots.

You are right in the fact you cannot trust the HTTP_REFERER variable either, that is easily modified by the user agent and bots have no issues sending fake referrers.

If I were you I would suggest using hidden post variables and then check those variables to make sure they match. Possibly make the variables dynamic in the sense that a robot cannot guess what it is, but you can verify them after a form is submitted. That would be probably enough to make sure they are loading from your site, but again its never 100% as bots could get around this and then load the form on another website if they really wanted -- but for your situation it would probably work 99% of the time or more. Just keep in mind if someone was really determined to load your form on another website and submit from there, they could find ways to do that if they are smart enough no matter what method you are using. All you can do is deter them from doing it by making it really complicated.