Tutorial: How to know where a form came from?


I was wondering, is there a way in PHP that you could tell where a form was submitted from without using hidden fields or anything of the like, where the user would only need to tamper with the HTML a little? For example, I am trying to work out if a form that was submitted was actually on my website or whether the form was saved offline and submitted that way.


A hidden field is not easily spoofed if it contains a UID (if you encrypt a time stamp you will be able to tell how long the user has been on the page).

Of course the user can enter whatever he wants in the field, but unless he can generate a valid UID, he can't make your PHP script believe it came from somewhere else.

You can also track a user's visited pages through $_SESSION and use that instead of the HTTP referrer (store each visited page in an array inside $_SESSION, and when your script is called, you simply check whether the last page was yours. Variations of that are possible depending on what you need).


You can attempt to use the referral header set in HTTP requests. Do note, however, that not all browsers set these correctly, that users may have them turned off, and that they are very easily spoofed.

Without a hidden field containing a unique identifier that is used to identify the form for that one single submission, there is no good way of identifying whether the form is being forged or not.
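The per-submission identifier described in the two answers above can be kept server-side in the session. The following is an added example, not code from any of the answers: the function names, the `form_tokens` session key and the 30-minute limit are assumptions made for illustration.

```php
<?php
// Added example: single-use, time-limited form token stored in the session.
// Function names and the 'form_tokens' key are hypothetical.

const TOKEN_MAX_AGE = 1800; // seconds a rendered form stays valid (assumed value)

// Call when rendering the form; emit the result in a hidden field.
function issue_form_token(array &$session, string $formId, ?int $now = null): string
{
    $token = bin2hex(random_bytes(32)); // unguessable value from the CSPRNG
    $session['form_tokens'][$formId] = [
        'token'  => $token,
        'issued' => $now ?? time(),     // lets the handler see how old the page is
    ];
    return $token;
}

// Call when handling the POST; succeeds at most once per issued token.
function consume_form_token(array &$session, string $formId, $submitted, ?int $now = null): bool
{
    $entry = $session['form_tokens'][$formId] ?? null;
    unset($session['form_tokens'][$formId]); // single use, even when the check fails
    if ($entry === null || !is_string($submitted)) {
        return false; // no form was rendered for this session, or the field is missing
    }
    if (($now ?? time()) - $entry['issued'] > TOKEN_MAX_AGE) {
        return false; // form was rendered too long ago
    }
    return hash_equals($entry['token'], $submitted); // constant-time comparison
}

// Constructed demonstration: a plain array stands in for $_SESSION and the
// timestamps are fixed so the four cases are reproducible.
$session = [];
$t = issue_form_token($session, 'contact', 1000);
var_dump(consume_form_token($session, 'contact', $t, 1060));        // genuine submission
var_dump(consume_form_token($session, 'contact', $t, 1061));        // same token replayed
issue_form_token($session, 'contact', 1000);
var_dump(consume_form_token($session, 'contact', 'guessed', 1060)); // guessed value
$t = issue_form_token($session, 'contact', 1000);
var_dump(consume_form_token($session, 'contact', $t, 9999));        // past TOKEN_MAX_AGE
```

In a real handler, call `session_start()` first and pass `$_SESSION` together with the submitted hidden field value. The check shows that the form was rendered for this session recently; it does not show that the HTML was left unmodified before being submitted.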


I could be wrong but wouldn't the referrer header tell you this?


This gets you what you are after:

$referer = $_SERVER["HTTP_REFERER"] ?? null;  // null when the request carried no Referer header

This actually fetches it from the HTTP Header where it looks like this:

...  Referer: http://foobar.com/page.php  ...  

It is easy for anyone to spoof this but for most purposes it is reasonable.

Trivia: Referer should actually be spelt referrer which is the correct spelling but the spelling mistake made its way into the HTTP specification and has stuck since.


You can't really tell. Why would it matter? If you're trying to detect if someone has forged a request, you can't.

Amended: The green solution above does help some issues, but it doesn't address the question of if it came from your site, or if it was modified.
