Get url that POST data is comming from?

Question

Is there a way I can select what URL or domain I recive POST data from using PHP.

For example, lets say I make a form submition from a domain called www.test.com and the form looks like this.

<form method="POST" action="www.domain2.com">
   <input type="text" name="test" value="1">
</form>

Is there any way for me in the php code on www.domain2.com get what domain that post data is comming in from (in this exmaple it would be "www.test.com")?

And if its possible, how do I do it?

Thanks for all help!

You can check the referer, `$_SERVER['HTTP_REFERER']` (http://php.net/manual/en/reserved.variables.server.php), but like anything that comes from a client, it can be spoofed and you can't rely on it 100%. — Qirel, May 10 '17 at 16:15
Send the data from the server, and implement some sort of request signing. — Maerlyn, May 10 '17 at 16:19
@Maerlyn Ah okey thanks, but may i ask if you have any exmaple of some request signing because i dont really know how to do that :/ — Anton Kihlström, May 10 '17 at 16:27
The emartech/escher composer lib is what we're using, it works for us. — Maerlyn, May 10 '17 at 16:48

score 0 · Answer 1 · edited May 23 '17 at 12:10

0

If you have access to the code of both websites you can just add a hidden input that has the URL of the submitting form. Encrypt the data, send it, and then decrypt it.

how-to-encrypt-decrypt-data-in-php

edited May 23 '17 at 12:10

Community

1
1

answered May 10 '17 at 16:15

Haskell McRavin

620
5
19

I know, but then the users have th possibility to change the value in the input while inspecting the element so i can't be sure its the correct URl then. – Anton Kihlström May 10 '17 at 16:17
You'll have to encrypt the value then and unencrypt it on the other side and then check the string with a regex or something of the like. – Haskell McRavin May 10 '17 at 16:18
Still, someone can steel the value and use it in their own form from another website if its inside a input tag, right? – Anton Kihlström May 10 '17 at 16:22
Honestly, this is a low quality answer. It should contain an example of code; one that works, since it could be anything. – Funk Forty Niner May 10 '17 at 16:23
if you're using proper encryption the value will be different every time even if the input is the same. – Haskell McRavin May 10 '17 at 16:26
Ah okey, can you link me or show me an exmaple of a encryption like that? – Anton Kihlström May 10 '17 at 16:28
But actually I still dont think this fixes the problem I have, because cant they still load the website and steel the encrypted value and then submit it from thir own website? – Anton Kihlström May 10 '17 at 16:31
If they could encryption wouldn't be worth much... No that's the point of encryption. People that don't have the keys to decrypt your information can't get that information. People without the needed salt and keys can't encrypt information like you encrypt information so if you unencrypt data they tried to encrypt and send to you it it will be gibberish and you could detect that. – Haskell McRavin May 10 '17 at 16:44
Proper encryption is hard, but its the only real additional protection you can give yourself aside from from the protection you get from SSL. – Haskell McRavin May 10 '17 at 16:50

Get url that POST data is comming from?

1 Answers1