Yea... Trust nothing from the user. Code every form as if you know a hacker is coming at it. Also safe guard from URL submissions. Remember the GET method. If someone views source on your form they will see all variables that will be passed. Even if you are using host, they can mess with the URL and try submiting malious code that way.
The best ways around this are
1.) Code like registered globals is off.
http://us2.php.net/variables.external 2.) Make sure the user came from the page the form is on. See the predefined variables
http://us2.php.net/manual/en/reserved.variables.php#reserved.variables.request Here is a function I grabed off PHP.net to make sure your forms are secure.
<?php
function form_post_check()
{
$referring_url = $_SERVER['HTTP_REFERER']; // get the referring URL
$host = $_SERVER['HTTP_HOST']; // get the header from the current request (example: www.yoursite.com)
$valid_url = 'http://'.$host.'/'; // finish defining a valid referring URL
$valid_len = strlen( $valid_url ); // get the length of the valid url
// if the valid url isn't the first part of the referring url
if ( substr( $referring_url, 0, $valid_len ) != $valid_url )
{
die( 'You submitted this form from an invalid URL.' ); // stop everything and display a message
}
}
?>Be sure to make PHP.net a favorite while learning. Thier search tool is a life saver while learning, let me tell you.
