HTML forms on a PHP-enabled website can be tricky to secure.
Many people use a CAPTCHA to protect their forms, but there are cases where an image challenge is not acceptable, e.g. an article rating form.
The function below blocks submissions that are forged from outside your website: a copy of the form hosted on another site, or a request that skips the form page and posts straight to the submission script. It works by tying a random token, stored in the session and echoed into a hidden field, to each rendering of the form; a submission that does not carry the matching token is rejected.
Read after the function for example usage.
Note what this does not do: it will not stop bots, or anyone else who loads the form from your own site and submits it normally, because they receive a valid token like every other visitor.
This is not meant to be a stand-alone form security measure.
It is intended to be used alongside your other form validation.
//~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/**
 * WRITTEN BY:
 * JOE F. (OWNER/DEVELOPER OF BASHMYEX.COM)
 * Free to use for any purpose as long as the
 * proper credits are given to the original author.
 *
 * bme_auth_token - create an auth token session value for forms.
 * If the session value does not match the submitted form value we know the
 * form was accessed incorrectly and we can deny the attempt.
 *
 * @param int $pre   - when 1, generates a random "securecheck" string for the
 *                     hidden field on the form, stores it in the session so it
 *                     can be compared later, and returns it (also in $bme_token).
 * @param int $after - when 1, compares the session value to the submitted form
 *                     value. If the form string does not match the session
 *                     string we can safely assume the submit page was reached
 *                     from an external site that copied the form, and we deny
 *                     access.
 *                     We also check that a value is set at all; it is missing
 *                     when the submit page is accessed directly or a submit is
 *                     made without proper access to begin with.
 *                     Empty access is controlled by the separate function
 *                     empty_check($bash_form=TRUE).
 *
 * @global $bme_token - used in the form hidden field:
 *                      <input name='securecheck' type='hidden' value='$bme_token' />
 * @global $messages  - grabs the error message from our lang.php file
 */
function bme_auth_token($pre, $after){
    global $bme_token;
    // The function body was not included in the original listing; the
    // docblock above describes the behaviour it implements.
}

// Form page: generate the token and place it in the hidden field.
// NOTICE THE PROPER NAME FOR THE SECURE CHECK SECTION!
// FIELD NAME MUST BE: securecheck
$bme_form_secure = bme_auth_token(1, 0);
echo "
<form name='bme_article_form' method='post' action=''>
    <input name='securecheck' type='hidden' value='$bme_form_secure' />
    <!-- the rest of the form fields go here -->
</form>";

// Form submission page: check for the proper form value.
// This will auto-check whether the form value for SECURECHECK matches the
// session value generated when the form was first accessed.
bme_auth_token(0, 1);
// If correct, the rest of the code below this runs.
// If not correct, the error message is displayed and the script stops.
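The listing above omits the body of bme_auth_token, so here is an added, runnable reconstruction of the contract its docblock describes. This is example code written for this page, not the author's own implementation. It keeps the page's rules (field name securecheck, token stored in the session, deny on a missing or mismatching value) and adds two things a practitioner would want on top: the token comes from random_bytes so it cannot be guessed by a copied form, and the comparison uses hash_equals so it is constant-time. It also clears the token after one successful check so a captured value cannot be replayed. The function names, the session key, and the constructed $session and $post arrays are assumptions made for the walk-through; on a real page $_SESSION and $_POST take their place.

```php
<?php
// Added example for this page, not the author's code: a reconstruction of the
// bme_auth_token() contract described in the docblock above.
// Assumptions (not from the page): the function names below, the session key,
// and PHP >= 7 (random_bytes, hash_equals).

const SECURECHECK_FIELD = 'securecheck';   // field name the page requires
const SESSION_KEY       = 'bme_securecheck';

// Form page: create a fresh token, remember it in the session and return it
// for the hidden field.
function bme_token_create(array &$session): string
{
    $token = bin2hex(random_bytes(32));     // 64 hex chars, unguessable
    $session[SESSION_KEY] = $token;
    return $token;
}

// Submission page: true only if the posted field matches the session value.
// Denies when either side is missing or empty (submit page accessed directly,
// or no form was ever rendered) and when the two differ (form copied to
// another site, or a guessed value).
function bme_token_verify(array &$session, array $post): bool
{
    $expected  = $session[SESSION_KEY] ?? '';
    $submitted = $post[SECURECHECK_FIELD] ?? '';
    // A client can send securecheck[]=x and turn the field into an array;
    // hash_equals() would throw on that, so reject non-strings first.
    if (!is_string($submitted) || $expected === '' || $submitted === '') {
        return false;
    }
    $ok = hash_equals($expected, $submitted); // constant-time comparison
    if ($ok) {
        unset($session[SESSION_KEY]);          // one use only: no replay
    }
    return $ok;
}

// Render the hidden field the page's form needs.
function bme_hidden_field(string $token): string
{
    return "<input name='" . SECURECHECK_FIELD . "' type='hidden' value='"
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . "' />";
}

// --- Offline walk-through with a constructed session and constructed POSTs ---
$session = [];                                   // stands in for $_SESSION

$token = bme_token_create($session);             // form page renders...
echo bme_hidden_field($token), "\n";

$cases = [                                       // ...then four submissions arrive
    'direct access'   => [],                                  // submit page hit directly
    'copied form'     => [SECURECHECK_FIELD => 'abc123'],     // value invented by another site
    'legit submit'    => [SECURECHECK_FIELD => $token],       // the real form
    'replayed submit' => [SECURECHECK_FIELD => $token],       // same value sent again
];

foreach ($cases as $name => $post) {
    printf("%-16s => %s\n", $name,
           bme_token_verify($session, $post) ? 'accepted' : 'denied');
}
```

Run it with `php` from the command line: the first two submissions are denied (no token, wrong token), the third is accepted, and the fourth is denied because the accepted check removed the token from the session. That last behaviour is a design choice: a user with the same form open in two tabs will have the second submission denied, so if that matters for your site drop the unset() and keep the page's original one-token-per-session behaviour.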