Forum Topic: Securing $_post

(188 views • 13 replies)


Gateau


Posted at: 4/27/09 09:13 PM

Gateau FAB LEVEL 21

Sign-Up: 07/09/05

Posts: 1,438

Hey guys!
I'm trying to make a simple crediting system, and I was wondering if there is a way to secure a post parameter. I know that if I use GET it would be harder for exploiters to trick the system, but I'm just trying to keep it simple for now (until I get the time to convert everything). Is there a way to make it so a php page can track where the form post came from? Example: If $_POST['this data']; came from test.php Then continue.

Interested? Probably not. It's okay, I wouldn't be either. Just PM me
Je parle Français, Ich spreche Deutsch! Don't worry, I speak English too!


Thomas


Posted at: 4/27/09 09:40 PM

Thomas LIGHT LEVEL 13

Sign-Up: 02/14/05

Posts: 2,830

You can probably use the $_SERVER superglobal, specifically with 'HTTP_REFERER'.

<?php
//This variable will be the last page address (the header may be absent, so default to '')
$lastPage = $_SERVER['HTTP_REFERER'] ?? '';

//Use a condition to check the last page against the allowed page
if($lastPage != 'http://example.com/page.php') {
    //False: the request did not come from the expected page
}
?>

You can probably easily break down the previous address so that you can have only the page name (just 'page.php').

Something like this:

<?php
//Variable containing last page address (the header may be absent, so default to '')
$lastPage = $_SERVER['HTTP_REFERER'] ?? '';

//Split, or 'explode', the address into pieces every time there is a slash (/)
$ad_array = explode('/', $lastPage);

//Reverse the array so that the first value is whatever is past the last slash
$ad_array = array_reverse($ad_array);

//This variable SHOULD contain the page name of the last address (page.php, etc)
//Note: a query string ('page.php?id=3') would stay attached to it
$pageName = $ad_array[0];

//Condition to check the last page name against what you want it to be
if($pageName != 'page.php') {
    //False
}
?>

I didn't test this, it's just a guess, but I'm sure it will work.

You can experiment a bit more with that. More information on $_SERVER here:
http://us.php.net/reserved.variables.server



Gateau


Posted at: 4/27/09 09:44 PM


Thank you so much Thomas! This is going to help tremendously.


Gateau


Posted at: 4/27/09 10:28 PM


Also, I might as well post my other problem in here too:

$q = mysql_query("UPDATE `alerts` SET notice = $notice WHERE notice != $currentNotice")
 or die(mysql_error());

I'm getting an error in my SQL syntax; this is probably clear, but can anyone shed some light? :P Sorry.


Thomas


Posted at: 4/28/09 12:38 AM


$q = mysql_query("UPDATE `alerts` SET notice = $notice WHERE notice != $currentNotice")
 or die(mysql_error());

Well it's already obvious, you can't do 'WHERE obj != $var'.

If you are trying to update notices (I'm assuming after a form), then just do this:

//Close the SQL quote after the value, and escape it so a quote inside $var cannot break the query
mysql_query('UPDATE myTable SET col=\'' . mysql_real_escape_string($var) . '\'');

That should just update every 'notice' to '$currentNotice'. Most likely not the most efficient way, but it would work.

It would also help if you could make your goal a bit more clear. My thoughts on your question could be wrong :)



DFox


Posted at: 4/28/09 01:01 AM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,483

At 4/28/09 12:38 AM, Thomas wrote: $q = mysql_query("UPDATE `alerts` SET notice = $notice WHERE notice != $currentNotice")
or die(mysql_error());

Well it's already obvious, you can't do 'WHERE obj != $var'.

You can't?



Thomas


Posted at: 4/28/09 01:09 AM


At 4/28/09 01:01 AM, DFox wrote:
At 4/28/09 12:38 AM, Thomas wrote: $q = mysql_query("UPDATE `alerts` SET notice = $notice WHERE notice != $currentNotice")
or die(mysql_error());

Well it's already obvious, you can't do 'WHERE obj != $var'.
You can't?

You tell me. I assume not, but then again, I myself am pretty new to MySql.



Afro-Ninja


Posted at: 4/28/09 01:13 AM

Afro-Ninja EVIL LEVEL 38

Sign-Up: 03/02/02

Posts: 13,467

If notice is a string value, then whatever value you set it to needs to be wrapped in single quotes:

notice = '$notice'


DFox


Posted at: 4/28/09 01:18 AM


If notice is a string then his problems begin with poor database structuring...

But, if it's a number like his query suggests, then yes, a_field != $a_NUMBER_variable is perfectly valid.


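As an added example, not code from the thread: the UPDATE above written as a mysqli prepared statement, which settles the string-versus-number quoting question by letting the driver bind each value by type instead of splicing it into the SQL text. Assumed: a table `alerts` with a column `notice`; the connection details are placeholders.

```php
<?php
// Added example: parameterised version of
//   UPDATE `alerts` SET notice = $notice WHERE notice != $currentNotice
// The values never appear inside the SQL string, so no hand-written quotes.
function update_notices(mysqli $db, $notice, $currentNotice): int {
    $sql = 'UPDATE `alerts` SET notice = ? WHERE notice != ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Bind by type: 'i' sends an integer, 's' sends a quoted/escaped string.
    // Both `notice != 5` and `notice != 'old text'` work without extra quoting.
    $types = (is_int($notice) ? 'i' : 's') . (is_int($currentNotice) ? 'i' : 's');
    $stmt->bind_param($types, $notice, $currentNotice);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage with placeholder credentials (replace before running).
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    exit('connect failed: ' . $db->connect_error);
}
echo update_notices($db, 'Maintenance tonight', 'old notice'), " rows updated\n";
```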

Fruitpastles


Posted at: 4/28/09 01:59 AM

Fruitpastles NEUTRAL LEVEL 10

Sign-Up: 10/13/05

Posts: 91

Anything (or at least the majority of) the $_SERVER superglobal comes from the client's request, therefore it's easy for a user to change their referrer value (meaning it's not secure).

There are other options, but it depends on how secure it needs to be. What exactly are you trying to do?



yhar


Posted at: 4/28/09 03:45 AM

yhar NEUTRAL LEVEL 03

Sign-Up: 04/02/08

Posts: 1,769

At 4/27/09 09:13 PM, Gateau wrote: I know that if I use GET it would be harder for exploiters to trick the system

You've got that backwards, GET is much less insecure than POST.

THIS IS CITRICSQUID POSTING



DFox


Posted at: 4/28/09 03:53 AM


At 4/28/09 03:45 AM, yhar wrote:
At 4/27/09 09:13 PM, Gateau wrote: I know that if I use GET it would be harder for exploiters to trick the system
You've got that backwards, GET is much less insecure than POST.

They're both equally "insecure" because you would never use either for something that couldn't be modified by the user.



DearonElensar


Posted at: 4/28/09 05:52 AM

DearonElensar LIGHT LEVEL 18

Sign-Up: 06/10/02

Posts: 1,731

For his problem it would be the easiest (and most secure) to just use sessions, though depending on the rest of the setup it might be better to change the entire way it works :p


Gateau


Posted at: 4/28/09 03:52 PM


At 4/28/09 05:52 AM, DearonElensar wrote: For his problem it would be the easiest (and most secure) to just use sessions, tho depending on the rest of the setup it might be better to change the entire way it works :p

I'm currently using session variables (for things like user accounts and other data), however I need a way to insert data into a database for specific admin functions (i.e making a notice). The admin accounts are able to access forms that users cannot, however they should be able to post that form to insert the data. Currently the form posts to a separate directory where all of the admin-related scripts are hosted, which is why I initially wanted the script to only accept data from specific pages.

Thank you all for your assistance and opinions with these minor problems; it's a relief for me to know that this board is such a reliable resource! For someone who is learning independently, communities such as this one are essential for minor tips to avoid similar problems in the future. All of your help is much appreciated, thank you for all of your input :).

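As an added example, not code from the thread: the session-based approach suggested above, applied to the admin notice form. The script trusts the server-side session for "is this an admin" and a per-session form token for "did this submission come from the form I rendered", instead of the client-supplied HTTP_REFERER. Assumptions: the login code already sets $_SESSION['is_admin'] = true for admin accounts, this one script both renders the form (GET) and receives it (POST), and PHP 7 or later is used.

```php
<?php
// Added example (not code from the thread): admin-only form handler that
// trusts the server-side session instead of $_SERVER['HTTP_REFERER'].
// Assumption: login sets $_SESSION['is_admin'] = true for admin accounts.
session_start();

// Refuse anyone whose session was not flagged as admin at login.
function require_admin(): void {
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Admins only');
    }
}

// Issue a random per-session token to embed in the form as a hidden field.
function form_token(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Accept a submission only if it carries the token this session was issued;
// a request forged from another site cannot read the token, so it fails here.
function token_is_valid(array $post): bool {
    return isset($post['token'], $_SESSION['form_token'])
        && hash_equals($_SESSION['form_token'], (string) $post['token']);
}

require_admin();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST)) {
        http_response_code(400);
        exit('Form token missing or stale');
    }
    $notice = trim((string) ($_POST['notice'] ?? ''));
    // insert $notice into the alerts table here, using a prepared statement
    exit('Notice saved');
}

// GET: render the form; the token is HTML-escaped like any other output.
$t = htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="token" value="' . $t . '">'
   . '<textarea name="notice"></textarea>'
   . '<button type="submit">Post notice</button></form>';
```

The same token check works when the form and the handler are separate scripts in the admin directory, as long as both call session_start() first.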
