How about posting the form values to mask1.php page and including a redirect header with required values to your secret.php page and again redirecting it to final.php page with the computed values. This is a quick thought from my side, let me know if it works. I m sure there is better sol fr this prob.

There shouldn't be an issue with this as long as you lock down the code with form validation. All the data should be checked for datatype and sanitized. You could create a hashed verification code with the form to ensure that it was sent from that page (not spoofed), although this can be circumvented. Making multiple redirects sounds a bit extreme.

php forms
self posting, the user sees very little not even a filename, everything is on the server
the default action for a form is to post to itself

you mean u dont want user see where the form redirected when the user view its source code?


tried and tested....this should hide the action attribute of the form... but it still show in the url. if you want to change the url. then you have to use .htaccess. after all you only want the action attribute to be invisible... so i just give u what u ask.

@AB - thanks - straightforward - cutting through the nonsense as usual. How about validation? Will lacking an action attribute cause failure?

As for js redirects: will not the client pick up the redirect as it is client-based (js), i.e. redirect after page has loaded. Whereas (*I think*) the php header() will redirect before page load on client and therefore hide its tracks. Thought WCAG had suggested that all redirects should be server-side. Maybe wrong here.

What about page refresh? Won't sending the form to itself resend the form on refresh?

Is all this 'hiding' necessary in the first place? $_SERVER['HTTP_REFERER'] could check the 'sender' and if it is not the form sending page - alert, alert, alert. I know it can't be trusted 100%.

$_SESSION variables could be used to store a string (e.g. salt + unixdatetime + another salt) which could be checked against a hidden field (hashed) in the form.

The receiving form handler page then checks the session variable for a value and then hashes it and then compares it to the hidden form field. If 'true' then form "must" have come from the true form page. Where 'false' bounce user back to form page with a message.

ei by the way im not copying AB's post. Actually when i read this post, i only see kivata and ardav post. And im pretty slow coz. i test it 1st and run on my localhost before i submit my solutions. Upon submitting i was surprise AB's post 1st on my post.

Yeah, yeah. I always use that excuse too!

waaaaaaaaaaaaaaaaa! seriously dude! i didn't mean it!

no the default action is valid to xhtml and html5, it is only necessary to supply an action if the form is NOT posting to itselfquite correct, the php given should have used a header redirectno 'post' destroys the datadidnt suggest the process was necessary, but the OP could be creating the login page for nuclear missile control sites....

Lgin: xxJoshua,
'Hello Doctor, Do you want to play a game?'
Global Thermonuclear War

only they know how much security/obscurity they require