NYCPHP Meetup

[nycphp-talk] <a href> vs. <form> request

Chris Shiflett shiflett at php.net
Wed Apr 16 19:07:10 EDT 2003


--- Jerry Kapron <nyphp at newageweb.com> wrote:
> I'm trying to figure out how I can restrict people to using an <a href> link
> to send a request to a script.

You can't really do that. When someone clicks a link, their browser sends an
HTTP GET request. If someone wanted to write their own form that used a method
of "get" and submitted to the same URL, they could reproduce this exact same
request. Of course, they could also just manually send their own GET request,
though that is less convenient.

I'm not sure what sort of security you think is lessened by this fact. If you
are wanting to make sure people can only access a particular page, it is best
to use sessions or something and just make sure that person has access.

If you are particularly concerned that the user clicked your specific link, you
can use something like a shared secret. For example, when you generate the
link, attach a URL variable to it that you also keep on the server (in the
session or something). You can then check to ensure that this URL variable is
correct when determining whether the user can access the page.

Maybe that gives you some ideas. I recommend, however, that you don't concern
yourself with what happens on the client. This can lead to a false sense of
security. It is best to consider each HTTP request as a request that can truly
be anything. Use your own programming logic to determine the rest.

Hope that helps.

Chris



More information about the talk mailing list