Hi there people of DaniWeb,
Does anybody know how to authenticate that a request is coming to one of my pages from a specific server and not from any random script?
The only one I know of is HTTP_REFERER, but I don't think that it's that secure as it can be spoofed quite easily by a telnet connection.
The best thing to do with data input is to ensure that it is properly validated and cleaned. Form spoofing is quite common, but telnet is more sophisticated and will bypass a lot of the barriers you put up.
I was once told to avoid $_REQUEST at all costs.
One technique I saw, and can't remember where, was a hidden key in a form. However, I think that using cURL to get all the info would obviate that.
Thanks for the reply ardav,
My problem is that the page sending the request is a PayPal page, sending details of a transaction to a hidden page on my site, so there is nothing I can do to manipulate the data being sent, and PayPal's website is just a little less helpful than a one legged cat with a chronic fear of yoghurt.
I came across $_SERVER in my research but I don't think it is supported by the PHP on our servers. Has anyone else heard of this?
Many thanks, again.
So if I get you right, you're concerned that a form on PayPal will be spoofed or telnetted and you will get all sorts of crap sent to your hidden page. Hmm. Well that leaves out sending keys etc. if PP controls the data being sent, otherwise you could have created a hashed hidden field based on the date/time/salt.
You should receive a reference number for the transaction from PP (but having never used the thing, I have no idea). Would it be possible to check against this? Does PP have an API for your transactions?
I had a look at HTTP_ORIGIN but a quick print_r($_SERVER) showed no trace of it for me. I noticed Firefox developers have been playing with it, but can see no more trace of it.
Are you talking about PayPal IPN? If so, they have an API that validates the data they post to your site.
You will just have to spend an hour trying to figure out where the hell they put it on their site.
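The validation the reply above refers to is the IPN postback handshake: PayPal POSTs the transaction fields to your listener, the listener sends that exact body back to PayPal with `cmd=_notify-validate` prepended, and the message is trusted only if PayPal answers `VERIFIED`. Below is an added example (not code from this thread or from PayPal) showing that handshake in PHP plus the business checks a listener still needs afterwards; the endpoint constant, the `$postBack` transport parameter and the sample IPN body are assumptions, and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not from the thread: the PayPal IPN verification handshake.
// PayPal POSTs transaction fields to the listener URL; the listener echoes the
// same body back with "cmd=_notify-validate" prepended and trusts the data only
// if PayPal answers "VERIFIED". Assumed endpoint; confirm against PayPal's docs.
const PAYPAL_IPN_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// $postBack(string $url, string $body): string is a hypothetical transport
// parameter so the decision logic can be exercised without network access.
function verify_ipn(string $rawBody, callable $postBack): bool
{
    // Send the raw body back untouched: re-encoding the fields can turn
    // PayPal's verdict from VERIFIED into INVALID.
    $reply = $postBack(PAYPAL_IPN_URL, 'cmd=_notify-validate&' . $rawBody);
    return trim($reply) === 'VERIFIED';
}

// VERIFIED only proves PayPal sent the message. A genuine IPN can still be
// replayed or belong to someone else's account, so check these before
// releasing anything of value.
function ipn_is_acceptable(array $f, string $myEmail, array $seenTxnIds): bool
{
    return ($f['receiver_email'] ?? '') === $myEmail
        && ($f['payment_status'] ?? '') === 'Completed'
        && isset($f['txn_id']) && !in_array($f['txn_id'], $seenTxnIds, true);
}

// Real transport using cURL, with TLS certificate verification left on.
function curl_post_back(string $url, string $body): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_POSTFIELDS => $body,
        CURLOPT_RETURNTRANSFER => true, CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER => ['User-Agent: PHP-IPN-Listener', 'Connection: Close'],
    ]);
    $reply = curl_exec($ch);
    if ($reply === false) { $e = curl_error($ch); curl_close($ch); throw new RuntimeException($e); }
    curl_close($ch);
    return $reply;
}

// Offline demonstration: a constructed IPN body and a fake PayPal that answers
// VERIFIED only for the exact echoed payload. In production the listener reads
// file_get_contents('php://input') and passes 'curl_post_back' as transport.
$rawBody = 'txn_id=TX-0001&payment_status=Completed&receiver_email=seller%40example.com&mc_gross=9.99';
$fakePayPal = fn(string $url, string $body): string =>
    $body === 'cmd=_notify-validate&' . $rawBody ? "VERIFIED\n" : 'INVALID';
parse_str($rawBody, $fields);
$genuine = verify_ipn($rawBody, $fakePayPal) && ipn_is_acceptable($fields, 'seller@example.com', ['TX-0000']);
echo $genuine ? "accepted\n" : "rejected\n";
echo verify_ipn('txn_id=FORGED&payment_status=Completed', $fakePayPal) ? "accepted\n" : "rejected\n";
```

The forged body in the last line fails because PayPal never issued it, which is exactly what a spoofed `HTTP_REFERER` cannot tell you.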
Thanks guys, managed to find PayPal's API and sorted it out.