I just want to ask for some tips, if that's okay, for handling HTML/JavaScript form submissions. What is the best way of submitting forms to a given URL and making the URL, in this case action="website.com/formsubmit.php", non-changeable or hard to change?

Say I have some data submitted in a form: I only want that data to go to one page and not to any other page, or else it may cause errors for other pages reading $_POST requests. For example:

The form goes to /page1.php on submit. I have another page called /page2.php, which also handles form submission for another form. How do I make it so the user can't change the action of the form to go to page 2 or another page, if that makes sense?

If it isn't possible client-side, how would I check server-side in PHP that a form sent via POST request is the one from page one and not one from another page falsely sent by the user? When a form is submitted to a PHP page, how would I know it is the form from page one that was sent? Is there an identifier you can check for in PHP that can't be changed client-side on the form, or anything? I may not be making sense here, but I hope some answers you provide, if any, will help me understand a bit better about form submissions.

Lol Boi
  • "how do I make it so the user can't change the action of the form to go to page 2 or another page" - the user never sees your PHP, so cannot change it – Mawg says reinstate Monica Mar 08 '18 at 14:40
  • Also https://stackoverflow.com/questions/8532356/secure-way-to-stop-users-from-forging-forms or https://stackoverflow.com/questions/18167085/php-prevent-client-from-tampering-the-id-of-a-form or [many many more](https://www.google.ca/search?q=site%3Astackoverflow.com+prevent+people+from+tampering+with+forms&oq=site%3Astackoverflow.com+prevent+people+from+tampering+with+forms&aqs=chrome..69i57j69i58.7976j0j7&sourceid=chrome&ie=UTF-8). – user229044 Mar 08 '18 at 14:42
  • As I'm reading this, that dupe isn't what the OP wants. The OP is asking how does he verify the source of a form submission. The correct way to do this is via [an anti forgery token](https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php) – Liam Mar 08 '18 at 14:43
  • @Mawg I'm not on about PHP; what you quoted would be the HTML of the form, which users can change. I know PHP can't be viewed by users unless they obviously have access to FTP or source files. – Lol Boi Mar 08 '18 at 14:43
  • The gist is that users can submit absolutely anything they like, to any and every page your server hosts. It's up to you to validate every single user input, on every single page, every single time. – user229044 Mar 08 '18 at 14:43
  • Thanks @Liam I will look into anti forgery tokens! – Lol Boi Mar 08 '18 at 14:49
  • Anti cross origin request forgery tokens are only useful if the visitor (Alice) has been tricked by the attacker (Mallory) into submitting a form to your (Bob's) site. It won't help defend against Alice intentionally submitting bad data to Bob. If that is what you want, then your question is still a duplicate and I've amended the list at the top to account for that. – Quentin Mar 08 '18 at 15:02
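
The anti-forgery token idea from the comments, combined with the point that every input must still be validated server-side, as an added example that is not code from any commenter. The form ids `page1_form` and `page2_form`, the field names `token` and `email`, and all function names are hypothetical; in a real page the session array would be `$_SESSION` after `session_start()` and the submitted array would be `$_POST`.

```php
<?php
declare(strict_types=1);

// One random secret per session; it stays on the server and is never rendered.
function form_secret(array &$session): string {
    if (!isset($session['form_secret'])) {
        $session['form_secret'] = bin2hex(random_bytes(32));
    }
    return $session['form_secret'];
}

// Token written into a hidden <input> of the named form when it is rendered.
// It is bound to the session and to that one form id.
function issue_form_token(array &$session, string $formId): string {
    return hash_hmac('sha256', $formId, form_secret($session));
}

// Constant-time check that the submitted token was issued for $formId.
function verify_form_token(array &$session, string $formId, $submitted): bool {
    if (!is_string($submitted) || !isset($session['form_secret'])) {
        return false;
    }
    return hash_equals(issue_form_token($session, $formId), $submitted);
}

// Handler for /page1.php: accepts only tokens issued for page 1's form.
function handle_page1(array &$session, array $post): array {
    if (!verify_form_token($session, 'page1_form', $post['token'] ?? null)) {
        return ['status' => 400, 'error' => 'token not issued for this form'];
    }
    // A valid token says which form the request came from, nothing more.
    // Each field is still validated, because the sender controls all of them.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return ['status' => 422, 'error' => 'invalid email'];
    }
    return ['status' => 200, 'email' => $email];
}

// Constructed demo data standing in for $_SESSION and $_POST.
$session = [];
$page1Token = issue_form_token($session, 'page1_form');
$page2Token = issue_form_token($session, 'page2_form');

print_r(handle_page1($session, ['token' => $page1Token, 'email' => 'alice@example.com']));
print_r(handle_page1($session, ['token' => $page2Token, 'email' => 'alice@example.com']));
print_r(handle_page1($session, ['token' => $page1Token, 'email' => 'not-an-email']));
```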

0 Answers