How do I provide more security for checking source of the request

Question

I am developing one PHP web application, I want to provide more security to application so that no one can easily break the functionality.

Brief explanation about my

Answer 1

Lesson #1 in web security: NEVER trust user input. And when I say never, I mean never. ;) Including the HTTP_REFER var in PHP which is easily compromised with an http header (source: http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se)

A possible solution in checking the source is the using a form token (csrf protection): http://www.thespanner.co.uk/2007/04/12/one-time-form-tokens/ but isn't that safe either and is only possible with your own source.

A simple CSRF (cross-site request forgery) protection example: (Hence the simple. For a more safe/robust solution, refer to the answer of The Rook)

1) In your form page, create some kind of token and put in your session and in a hidden form field:

2) In your form handler check if the token is valid.