Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Re: Form post without a HTML form?

#108872
bungle
Member

You need to secure the process differently: you can never assume form data hasn’t been interfered with, so you need to validate everything server side.

The best way is to use a token that changes

We are basically talking about CSRF (Cross-site request forgery) protection. If you want to do this then you need to just make sure that the token you are using to validate changes regularly so that you don’t need to worry about keeping it secret.

What you do is write the PHP session ID to a token in your page and then use it to validate the form posting against the authenticated session/user.

So put in your page

    <!-- hidden field carrying the current session id; the field name "token" is assumed -->
    <input type="hidden" name="token" value="<?php echo session_id(); ?>" />

and then on validation do

    session_start(); // the session must be started before session_id() returns anything
    if (!isset($_GET['token']) || $_GET['token'] !== session_id()) {
        header('Location: error.php');
        exit; // stop processing after the redirect
    }

If the user does not have an authenticated session active, or if they have an out of date session id, then they won’t get any further. You can always regenerate the session id on every successful request to further secure it.
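The same token-in-the-form check, written out as an added example that is not from the original post. It swaps in a dedicated random per-session token in place of the session id itself (so the page never exposes the session id), validates it on POST with a constant-time comparison and rotates it after use; the names `csrf_token` and `error.php` are assumptions.

```php
<?php
// Added example: CSRF protection for a form handled in the same script.
// A random token is stored in the session instead of reusing the session id.
// Assumes PHP 7+ with sessions enabled; 'csrf_token' and 'error.php' are chosen names.
declare(strict_types=1);

session_start();

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of a submitted token with the session token. */
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        // Reject the post: token missing, stale, or not issued to this session.
        header('Location: error.php');
        exit;
    }
    // Token matched: process the form data here (still validate every field).
    // Rotate the token after a successful post so a captured value cannot be replayed.
    unset($_SESSION['csrf_token']);
}

// Render the form with the hidden token field. htmlspecialchars() guards the
// attribute even though a hex token cannot contain special characters.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}" />
  <input type="text" name="comment" />
  <button type="submit">Send</button>
</form>
HTML;
```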