Referrer?
#1
Posted 01 August 2009 - 03:07 PM
Hi guys, I am working on a little system for personal use.
I have a "Delete Entry" feature, and when the user selects to delete an entry, it takes them to a confirm page (confirmDeleteEntry.php) before that is posted to (deleteEntry.php).
My problem is, I would like to make sure that if someone ends up on deleteEntry.php, they came from confirmDeleteEntry.php.
Is there any way to check this?
#2
Posted 01 August 2009 - 03:43 PM
I think you're looking to use the isset function in PHP?
The button on your confirmDeleteEntry.php, let's say it's called submitted.
<?php
// The key must match the button's name attribute exactly: $_POST keys are case-sensitive.
if (isset($_POST['submitted'])) {
    /* if the user comes to the page correctly, execute this code */
} else {
    echo 'you have come to this page incorrectly!';
    /* any other code you wish to use */
}
?>
A simple if statement is all you need, my dear friend.
This code will execute what you want only if the page is accessed via a button click on a form; otherwise it won't work. There is most probably another way to do it as well, but this is the way I use, but I suggest changing the name of your form button.
#3
Posted 01 August 2009 - 03:59 PM
Lol didn't even think about that, I'm already running that check... gah I'm so stupid :[
Thanks irnerd :]
#5
Posted 01 August 2009 - 10:06 PM
Checking for a form field (isset) won't stop somebody from manually submitting the form, from their own PC for example.
You can check the referrer via $_SERVER['HTTP_REFERER'] but this can easily be spoofed.
I presume the form is in a password protected page. Obviously that's your first step.
You could then use regenerate_session_id() once the user is logged in and also check the user agent. Both attempt to stop 'session fixation'.
#6
Posted 01 August 2009 - 10:38 PM
ElanMan, on 01 August 2009 - 10:06 PM, said:
Checking for a form field (isset) won't stop somebody from manually submitting the form, from their own PC for example.
You can check the referrer via $_SERVER['HTTP_REFERER'] but this can easily be spoofed.
I presume the form is in a password protected page. Obviously that's your first step.
You could then use regenerate_session_id() once the user is logged in and also check the user agent. Both attempt to stop 'session fixation'.
That is true, is there a more secure way of processing a page script?
Would it be best to mix a login session with this form button submitted check?
What are your thoughts on it?
#9
Posted 03 August 2009 - 12:06 PM
I add an encrypted key to my form with a session var and check on process, stops all/any spam when combined with the other checks I perform!
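
The idea from post #9 (a key placed in the form, held in the session, and checked on processing), sketched as an added example that is not code from any poster in this thread. It uses a random single-use token rather than an encrypted value; the helper names, the 'delete_tokens' session key and the five-minute lifetime are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: helper names and the 'delete_tokens' session key are
// hypothetical, not taken from the thread.

const TOKEN_TTL = 300; // seconds a confirm page stays valid (assumed value)

// Called by confirmDeleteEntry.php: bind a fresh random token to one entry.
function issue_delete_token(array &$session, int $entryId): string
{
    $token = bin2hex(random_bytes(32));
    $session['delete_tokens'][$entryId] = [
        'hash'    => hash('sha256', $token), // only the hash is kept server-side
        'expires' => time() + TOKEN_TTL,
    ];
    return $token; // goes into a hidden <input name="token"> on the confirm form
}

// Called by deleteEntry.php before anything is deleted.
function verify_delete_token(array &$session, int $entryId, string $submitted): bool
{
    $stored = $session['delete_tokens'][$entryId] ?? null;
    unset($session['delete_tokens'][$entryId]); // single use, whether it passes or fails
    if ($stored === null || time() > $stored['expires']) {
        return false; // never issued, already used, or expired
    }
    // Constant-time comparison of the stored hash with the submitted token's hash.
    return hash_equals($stored['hash'], hash('sha256', $submitted));
}

// Constructed demo: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
issue_delete_token($session, 42);
var_dump(verify_delete_token($session, 42, 'guessed-value')); // wrong token

$token = issue_delete_token($session, 42);
var_dump(verify_delete_token($session, 7, $token));  // token was issued for entry 42, not 7
var_dump(verify_delete_token($session, 42, $token)); // token from the confirm page
var_dump(verify_delete_token($session, 42, $token)); // replay of a token already used
```

In the real pages, call session_start() and pass $_SESSION in place of the demo array. deleteEntry.php should also require a POST request and a logged-in user before calling verify_delete_token().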