I've been struggling with this for a day or two. Not just the coding but explaining the situation precisely. I have a static form on a page, "download-registration.php"; when you submit the form (validated CS and SS) it then takes you to "download-software.php" where you can, well, download the software. I do not want "download-software.php" to be accessible from anywhere but "download-registration.php" and ONLY after you submit the form. This is the problem I was having with a session-based restriction: you could go to "download-registration.php" and alter the URL to get to the download page.

I think I need to create a variable (random 1, 65335)? insert that value into a hidden input on click and make sure it matches to a value on the "download-software.php" page?

How do I go about this? Does it need to be done this way or is there a better way? Any help is much appreciated!

Dirty Bird Design

2 Answers

Make whatever you have that processes the form you want to force them to submit also add a variable to the session. Then check to see if that variable is set on the download page.

My guess is that with your earlier session-based approach you were setting something in the session when the form was loaded, but you need to do it when you process it instead if you want to make sure they submit it first.

Edit:

display_form.php:

// ... display the form, you don't need to set any $_SESSION here ...

process_form.php

<?php
session_start();

// ... process (validate) the form ...

// Set the flag only here, after the form has actually been processed.
$_SESSION['form_processed'] = 1;

// Redirect to the download page; exit so nothing else runs after the header.
header('Location: download_page.php');
exit;

download_page.php

<?php
session_start();

// empty() also covers the case where the key was never set (no PHP notice).
if (empty($_SESSION['form_processed']) || $_SESSION['form_processed'] != 1) {
    // user never submitted form, reject them ...
    header('Location: display_form.php');
    exit;
} else {
    // user submitted the form, show them the download page
}
Amber
  • @Amber - that's exactly right. I was loading the session variable when the page was loaded. I need to do it when I process the form. I don't know how though, I'd appreciate some help! – Dirty Bird Design Oct 12 '10 at 02:13
  • Assuming you're using PHP to process the form, just do the assignment to `$_SESSION[]` as part of the form processing code. – Amber Oct 12 '10 at 02:17
  • @Amber, yes, I'm using PHP to process the form, but honestly I'm the Creative Director and am short of resources atm. So, I set the variable on the form page, submit its value with a hidden input, then I get lost. Can you use $_POST = $_SESSION[] and then on the final page the if statement? – Dirty Bird Design Oct 12 '10 at 02:21
  • Don't set it on the form page at all. *Just* set it in the PHP code that's processing the form, and *just* read it on the download page. – Amber Oct 12 '10 at 02:24
  • @Amber - awesome. I can see how it works now. I really appreciate it! – Dirty Bird Design Oct 12 '10 at 02:31
  • @Amber - It works in that if you try and hit the page directly it kicks you to another, but I can't get it to work on form submission. Is it possible I'm just putting the session start(); and the "$_SESSION['form_processed'] = 1; " in the wrong place? – Dirty Bird Design Oct 12 '10 at 03:19
This is pretty common. You see this in large PHP projects like WordPress, CakePHP, etc.

There are many ways; essentially you just need to create a validity token that is generated and passed from your registration form. You can then clear this token on your software page based on your logic.

You can use a random number, md5(), uniqid() or whatever. There's also a nonce library out there.

Jason McCreary
  • I was using "$authReq=$_SESSION['authReq']=rand(1,65535); " on the form page and passing it with a hidden input. But I can't get the end page to have the same value, the form processor also doesn't pass any info to the end page, it just redirects there upon submission. – Dirty Bird Design Oct 12 '10 at 02:15
  • Then you need to check it before the redirect in your *form processor*. – Jason McCreary Oct 12 '10 at 02:19
  • How? Man, if I knew how I wouldn't be asking. I'm a designer/front end developer/CD. This is unknown but doable for me. – Dirty Bird Design Oct 12 '10 at 02:24
  • Sorry, I assumed you knew more from your OP. You'd have to post more on your *form processor*. However, looks like **Amber** got it above. – Jason McCreary Oct 12 '10 at 02:36
  • I understand the theory, and if it were a script I wrote I'd have a better chance at the application. The processor is tied in with a bunch of crap from SUGAR CRM, and I can't seem to get the session stuff in the right place. – Dirty Bird Design Oct 12 '10 at 12:59
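Putting both answers together, here is an added example (not code from either answer or from the asker's site) of the full flow: the registration form carries a one-time nonce, the processor verifies it and is the only place that sets the session flag, and the download page checks and consumes that flag. The three scripts are collapsed into one file selected by script name; `validate`-style details, the `files/software.zip` path and the redirect targets are assumptions, and `random_bytes()`/`??` require PHP 7 or later.

```php
<?php
// Added example: one file standing in for the three scripts, chosen by the
// script name it is served as. Nothing is written to the session on the
// form page except the nonce; the download flag is set only by the processor.
session_start();

function render_form(string $nonce): string {
    // Hidden single-use token ties this submission to this session (the nonce idea).
    $n = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="process_form.php">'
         . '<input type="hidden" name="nonce" value="' . $n . '">'
         . '<input type="email" name="email" required>'
         . '<button type="submit">Register</button></form>';
}

$page = basename($_SERVER['SCRIPT_NAME'] ?? '');

if ($page === 'download-registration.php') {
    // A fresh nonce every time the form is shown; no "processed" flag here.
    $_SESSION['reg_nonce'] = bin2hex(random_bytes(16));
    echo render_form($_SESSION['reg_nonce']);

} elseif ($page === 'process_form.php') {
    $expected = $_SESSION['reg_nonce'] ?? '';
    $given    = (string) ($_POST['nonce'] ?? '');
    unset($_SESSION['reg_nonce']);                    // nonce is single-use either way
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || $expected === ''                           // hash_equals('', '') is true; guard it
        || !hash_equals($expected, $given)            // constant-time comparison
        || !filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        header('Location: download-registration.php', true, 303);
        exit;
    }
    // ... store the registration (assumed) ...
    session_regenerate_id(true);                      // new session id once state changes
    $_SESSION['form_processed'] = true;               // the ONLY place this flag is set
    header('Location: download-software.php', true, 303);
    exit;

} elseif ($page === 'download-software.php') {
    if (empty($_SESSION['form_processed'])) {         // never submitted: bounce to the form
        header('Location: download-registration.php', true, 303);
        exit;
    }
    unset($_SESSION['form_processed']);               // consume it: one visit per submission
    echo '<a href="files/software.zip">Download</a>';
}
```

Because the flag is consumed on first use, reloading the download page sends the visitor back to the form; drop the `unset()` if you want the page to stay reachable for the rest of the session.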