I'm just wondering how you go about preventing people trying to fool your script & POSTing a similar looking form from a remote site.. say for example to try & put in extra values into select fields you don't have in yours or something of that nature.
To prevent Cross-Site Request Forgery (CSRF), you should use a so-called CSRF token that verifies the authenticity of the request. Additionally, you can check the HTTP Referer and only allow the transaction if it’s empty (not existing) or one of your addresses.
See also OWASP’s Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for further information.
The best idea would be to create a md5 key generated from the user agent, ip and a time frame. Then store that in a database and populate it in a hidden text field so on submit you can revalidate the value.
You can also use $_SERVER['HTTP_REFERER'] to get where the request came from and validate it against the URL of your site. Remember this is set by the user's web browser so it can be spoofed. Here is a list of available $_SERVER variables and their descriptions: http://www.php.net/manual/en/reserved.variables.server.php
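Putting the two answers above together, as an added example (not code from either answer): a PHP handler that issues a per-session token into a hidden field, checks it with a constant-time comparison on submit, treats the Referer only as a secondary check, and re-validates the `<select>` value against the server's own option list, since the options the browser rendered do not constrain what gets POSTed. The `plan` field, its options and the session key name are assumptions.

```php
<?php
// Added example (not from the original answers): synchronizer-token CSRF check,
// a secondary Referer check, and server-side whitelisting of a <select> value.
// Assumes PHP sessions; the "plan" field and its options are made-up names.
session_start();
const ALLOWED_PLANS = ['free', 'basic', 'pro']; // the only options the form renders

function csrfToken(): string {
    // One random token per session, stored server-side and echoed into a hidden field.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid($submitted): bool {
    // hash_equals() compares in constant time; a missing or non-string token never matches.
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function refererIsTrusted(string $ownHost): bool {
    // Referer is client-controlled, so it is only a secondary check:
    // an absent header is accepted, a foreign host is rejected.
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return true;
    }
    return strcasecmp((string) parse_url($referer, PHP_URL_HOST), $ownHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)
        || !refererIsTrusted($_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        exit('Rejected: invalid CSRF token or Referer.');
    }
    // A <select> is only a client-side hint; re-check the value against the whitelist.
    $plan = $_POST['plan'] ?? '';
    if (!in_array($plan, ALLOWED_PLANS, true)) {
        http_response_code(400);
        exit('Rejected: unknown plan value.');
    }
    exit('Accepted plan: ' . htmlspecialchars($plan, ENT_QUOTES, 'UTF-8'));
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <select name="plan"><?php foreach (ALLOWED_PLANS as $p): ?><option value="<?= $p ?>"><?= $p ?></option><?php endforeach; ?></select>
  <button type="submit">Save</button>
</form>
```

Any POST that omits the token, carries a token from another session, or sends a `plan` value outside the list is refused before the application logic runs.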