Check if form is called from correct page


Problem description

On page1.php I have a form which sends vars via POST to page2.php. However, I only want to process the form if it is called from page1.php.

How can I check this?

Kind regards!

It's a kind of security measure. If I'm a hacker and I copy the form code from the source of the page and run it, I can change crucial vars.


OK, here is the actual problem:
Users can add credit to their account. They can choose values from 5 EUR to 50 EUR.
Eventually they come to a page 'deposit.php' where the final form is sent to a page 'payments.php', which then sends the vars to PayPal.

Deposit.php:

<form class="paypal" action="paypal/payments.php" method="post" id="paypal_form" target="_blank">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="no_note" value="1" />
<input type="hidden" name="lc" value="BE" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
<input type="hidden" name="item_number" value="50" />
<input type="hidden" name="price" value="47.50" />
<input type="submit" class="uibutton" value="Betaal met Paypal" style="width: 100%; font-size:120%;" />
</form>

(BTW, they get a discount if they add 50 EUR)

Recommended answer

Well, first of all you have to understand that there is no security measure of the kind you describe. And, of course, no method provided by other participants can protect your "crucial vars". They were actually answering another question, one that is more familiar to them.

Forms are intended to be filled in by the client party. So you can't expect any variable to be left untouched. Everything coming from the client side can be spoofed, no matter what measures you take.

So, whatever "crucial vars" you have should remain on the server, while all the data coming from the form should be considered unsafe and treated accordingly.
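What the answer's advice looks like on the receiving side, as an added example that is not part of the question or the answer: a payments.php that accepts only item_number from the client, looks up and computes the price on the server, and sets the fixed PayPal fields itself instead of copying them out of $_POST. The 5 to 50 EUR range and the discount at 50 EUR (47.50 in the posted form, i.e. 5%) come from the question; the whole-euro step, the field names mirrored from the posted form, and the function names are assumptions.

```php
<?php
// Added example, not code from the original question or answer.
// Server-side half of deposit.php -> payments.php: the client may say *which*
// amount it wants (item_number); the price itself never comes from the form.
declare(strict_types=1);

// Assumption: credit is bought in whole EUR between 5 and 50 (the question only
// states the range). Prices are kept in cents to avoid floating-point rounding.
const MIN_AMOUNT_EUR = 5;
const MAX_AMOUNT_EUR = 50;
const DISCOUNT_THRESHOLD_EUR = 50;
const DISCOUNT_PERCENT = 5;          // 50 EUR costs 47.50 in the posted form

/**
 * Map a client-supplied item_number to a price in cents, or null if it is not
 * an amount we sell. Returning null instead of clamping makes a tampered value
 * fail loudly rather than being silently "corrected" to something plausible.
 */
function priceInCents(string $itemNumber): ?int
{
    // Reject anything that is not a plain unsigned integer ("50.0", "5e1", "-5", "")
    if (!ctype_digit($itemNumber)) {
        return null;
    }
    $eur = (int) $itemNumber;
    if ($eur < MIN_AMOUNT_EUR || $eur > MAX_AMOUNT_EUR) {
        return null;
    }
    $cents = $eur * 100;
    if ($eur >= DISCOUNT_THRESHOLD_EUR) {
        $cents -= intdiv($cents * DISCOUNT_PERCENT, 100);
    }
    return $cents;
}

/**
 * Build the field set that is actually forwarded to PayPal. cmd, lc,
 * currency_code and price are fixed or computed here, not taken from $post:
 * a hidden input in deposit.php is only a suggestion the client can edit.
 * Field names mirror the form on the page (assumption, not a PayPal reference).
 */
function paypalFields(array $post): ?array
{
    $raw = $post['item_number'] ?? null;
    $cents = priceInCents(is_string($raw) ? $raw : '');
    if ($cents === null) {
        return null;
    }
    return [
        'cmd'           => '_xclick',
        'no_note'       => '1',
        'lc'            => 'BE',
        'currency_code' => 'EUR',
        'item_number'   => (string) ((int) $raw),
        'price'         => sprintf('%d.%02d', intdiv($cents, 100), $cents % 100),
    ];
}

if (PHP_SAPI !== 'cli') {
    // Running as the form target (payments.php)
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    $fields = paypalFields($_POST);
    if ($fields === null) {
        http_response_code(400);
        exit('Invalid amount');
    }
    // ... hand $fields to the existing PayPal redirect code
} else {
    // Constructed sample inputs, including the ones a tampering client would send.
    // '50' => 4750, '5' => 500; the rest are rejected (null).
    foreach (['50', '5', '4', '51', '47.50', '-5', ''] as $sent) {
        var_dump(priceInCents($sent));
    }
    var_dump(paypalFields(['item_number' => '50', 'price' => '0.01']));  // price is ignored
}
```

With this layout the question's literal check ("was this form called from deposit.php?") buys nothing: the Referer header and any hidden marker are just as client-supplied as the price field, so the server never has to trust them. The only value it needs from the client is a choice among amounts it already knows.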
