0

I want to implement a system where I want to know where a POST request came from.

For example: I have a form with a submit button in it. When the User clicks on the submit button it goes to the page. But I want to know the source from where the post request came.

This is the code till now:

```php
<form action="profile.php?id=<?php echo $user->id; ?>" method="post" name="formAdd">
    <input name="btnAddUser" type="submit" value="Add User">
</form>
```

Should I use a hidden input element? Would that be a good way OR maybe something else?

laurent
maxxon15
  • IMO, a hidden element containing the `$_SERVER["REQUEST_URI"]` variable is a good solution. – satoshi Feb 18 '12 at 11:40
  • you use: method="post" but profile.php?id=... is a form of GET request. I'm not sure if it works or not - interesting to check! – Nir Alfasi Feb 18 '12 at 11:43
  • @alfasin - Actually I want it to redirect to the same user's page after it is Submitted. Can you suggest any other way? – maxxon15 Feb 18 '12 at 11:53
  • @alfasin - I just checked using `$_SERVER['REQUEST_METHOD']` . It comes in as a **POST** method. – maxxon15 Feb 18 '12 at 13:22
  • @maxxon15 you already suggested another way in the question: input field of type hidden. – Nir Alfasi Feb 18 '12 at 17:41
  • @alfasin - I was looking for other **better** ways. I know that using a hidden field is the easiest way. But not the best one. – maxxon15 Feb 18 '12 at 18:33
  • @maxxon15 Why isn't it the best one? If this page is accessible only after the user is logged in, it shouldn't make a difference from a security perspective. Anyway, as other people already suggested, you can store arguments in the session as well. – Nir Alfasi Feb 18 '12 at 18:54

5 Answers

3

First of all, there is no reliable way - users can tamper with requests if they want to.

Besides that, there are two ways to get the kind of information you want:

  1. The referer, available via $_SERVER['HTTP_REFERER']: It contains the full URL from which the request came, but some people use extensions/firewalls/etc. that block or even spoof referers
  2. As you suggested, a hidden form element. This always works unless the user actively wants to tamper with the data sent. So that's the preferred way.
ThiefMaster
1

The $_SERVER['HTTP_REFERER'] will let you know where the request came from.

More info:

Sarfraz
1

It really depends on how secure and reliable you need it to be. A hidden form field would work although it means you'd need to add it to every form that points to your processing script. It's also easy to fake if someone wanted to. Alternatively you could use $_SERVER['HTTP_REFERER']. This isn't always reliable - I believe it does depend on what browser you're using but should be good enough in most simple scenarios. Another alternative would be to store something in the session and use that. That's probably the most secure as it's all server-side and can't be tampered with, but it is probably the hardest to implement (not that it's rocket science).

liquorvicar
  • That's a good idea. How about I have a variable like `$this_page = profile.php` which would be there in other pages depicting the page name. I can use that in place of the **profile.php** in my code. Would that be a good way? – maxxon15 Feb 18 '12 at 12:02
  • @maxxon15 I'm not quite sure how your proposed solution would work. Maybe update your original question with some example code? – liquorvicar Feb 18 '12 at 12:50
  • What I'm trying to say is this: `
    id; ?>" method="post" name="formAdd">
    `
    – maxxon15 Feb 18 '12 at 13:26
  • @maxxon15 Are you just trying to POST back to the same script? If so you can use $_SERVER['PHP_SELF']. – liquorvicar Feb 18 '12 at 13:30
0

You could save the page in a session variable ($_SESSION["something"] = "page.php"), that is the most secure way, I think, because a hidden input in a form could be changed by the user, and $_SERVER['HTTP_REFERER'] is not always available.

Luan Nico
  • How about the method I posted on this Answer? http://stackoverflow.com/a/9340839/432720 – maxxon15 Feb 18 '12 at 12:16
  • @maxxon15, your method works, but I don't think it's secure to pass the user id with GET, because the user can easily change it to another user's code. – Luan Nico Feb 18 '12 at 16:30
  • It's a **GET** request? :O But when I checked it through `$_SERVER['REQUEST_METHOD']` it said that it was a POST request! :| – maxxon15 Feb 18 '12 at 18:30
  • This part is GET ."?id=". $user->id; the other part is POST. – Luan Nico Feb 20 '12 at 15:09
0

I would use a hidden field where the value="name_of_referring_page". This way, no matter what the user's settings, firewall, browser, etc., you get the info that you want.

adamdehaven
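The answers above weigh a hidden field (client can change it) against the session (server-side). The following added example, which is not code from any of the posters, combines the two: the hidden field carries only a random single-use token, and the page name it stands for is kept in the session. The function names, the `origin_token` field and the `form_origins` session key are assumptions made for this sketch, and plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the command line.

```php
<?php
// Added example: illustrative names, not part of the original thread.
declare(strict_types=1);

// Call while rendering a page that contains the form. Records server-side
// which page issued the form and returns an unguessable token for a hidden input.
function issue_origin_token(array &$session, string $sourcePage): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_origins'][$token] = $sourcePage;
    // Keep only the 20 most recent tokens so the session cannot grow without bound.
    $session['form_origins'] = array_slice($session['form_origins'], -20, null, true);
    return $token;
}

// Call in the POST handler. Returns the page that issued the form, or null when
// the token is missing, not a string, unknown to this session, or already used.
function consume_origin_token(array &$session, array $post): ?string
{
    $token = $post['origin_token'] ?? null;
    if (!is_string($token) || !isset($session['form_origins'][$token])) {
        return null;
    }
    $source = $session['form_origins'][$token];
    unset($session['form_origins'][$token]); // single use: a replayed POST is rejected
    return $source;
}

// Constructed demo input; in a real page pass $_SESSION (after session_start()) and $_POST.
$session = [];
$token = issue_origin_token($session, 'profile.php');
echo '<input type="hidden" name="origin_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '">' . "\n";

// Genuine submission of the issued form.
var_dump(consume_origin_token($session, ['origin_token' => $token]));
// The same token submitted a second time.
var_dump(consume_origin_token($session, ['origin_token' => $token]));
// A client that writes a page name into the field directly.
var_dump(consume_origin_token($session, ['origin_token' => 'profile.php']));
// A client that sends the field as an array (origin_token[]=x).
var_dump(consume_origin_token($session, ['origin_token' => ['x']]));
```

Only the first call yields the page name; the other three return null because the value the client sends is never trusted as the origin, only used as a lookup key into server-side state.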