
This is the post-creation file:

```php
<?php
include "./database_credentials.php";
session_start();

// make mysqli throw exceptions (the default only from PHP 8.1) so the
// try statement below can catch a failed connection
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

//using try statement in order to stop php from printing database credentials

try {
   $db = mysqli_connect($host,$username,$password,$db_name);
} catch (Exception $e){

// to alert the client that website is down using json.parse

   echo '{"error":0}';
   exit();
}
if(isset($_POST['text']) && isset($_SESSION['username'])){

   //escape strings to prevent sql injections

   $username = mysqli_real_escape_string($db,$_SESSION['username']);
   $text = mysqli_real_escape_string($db,$_POST['text']);
   // interpolate $text here, not the undefined $post
   $query = "INSERT INTO `posts_table_name` (`username`,`posts`) VALUES ('$username','$text')";
   mysqli_query($db,$query);
   mysqli_close($db);
   exit();
}
?>
```

I tried to check the HTTP Referer variable from the server variables, but it didn't work, saying: undefined array key 'HTTP_REFERER' in array [$_SERVER]

  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Jun 10 '23 at 23:07
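As an added example (not the asker's code), here is the same endpoint rewritten so that the unreliable `HTTP_REFERER` check is replaced by a session-bound token and the insert uses a MySQLi prepared statement, as the comment above recommends. It assumes `database_credentials.php` defines `$host`, `$username`, `$password` and `$db_name` as in the question, that the form page stores a token in `$_SESSION['csrf_token']` and sends it back in a `csrf_token` field, and that `posts_table_name` is the placeholder table name from the question.

```php
<?php
// Added example, not the asker's code. Assumes database_credentials.php defines
// $host, $username, $password, $db_name, and that the form page did once:
//   $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// and embedded that value in a hidden <input name="csrf_token"> field.
include "./database_credentials.php";
session_start();
// Make mysqli throw exceptions so the catch below fires (default only from PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Browsers may omit Referer entirely, so its absence proves nothing. A token
// that lives in the session and is echoed back by the form cannot be read by
// another origin, so a request without the right token did not come from the form.
function csrf_token_is_valid(): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_POST['csrf_token'] ?? '';
    // hash_equals compares in constant time, so no token bytes leak via timing
    return $expected !== '' && hash_equals($expected, $given);
}

if (!isset($_SESSION['username'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit();
}
if (!isset($_POST['text']) || !csrf_token_is_valid()) {
    http_response_code(403);
    echo json_encode(['error' => 'missing text or bad token']);
    exit();
}
// $username is the database user from the credentials file, so use a
// different name for the logged-in author to avoid clobbering it.
$author = $_SESSION['username'];
$text   = $_POST['text'];
try {
    $db = mysqli_connect($host, $username, $password, $db_name);
    // A prepared statement sends the values apart from the SQL text, so no
    // escaping is needed and no input can change the shape of the query.
    $stmt = mysqli_prepare($db, "INSERT INTO `posts_table_name` (`username`, `posts`) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, 'ss', $author, $text);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    mysqli_close($db);
    echo json_encode(['ok' => true]);
} catch (mysqli_sql_exception $e) {
    // Generic message only: $e->getMessage() can include host or user names.
    http_response_code(500);
    echo json_encode(['error' => 'database unavailable']);
}
```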
