How do I prevent others from sending their own data to my php page?

Back end · Unresolved · 5 answers · 1907 views
孤独总比滥情好 2020-12-20 04:01

Suppose I have a registration page in my website that contains a registration form:

5 answers
  •  长情又很酷
    2020-12-20 04:43

    One method is to have a token (which could be a long string of random letters and numbers) that you place in a hidden input field in your form. For example

    
        
    
    

    Then when you process your form submit you can check to see if this token exists and it matches the token you are expecting. Of course someone could easily check your source code to find the token so you may want to make a token that expires.

    For example when the page with the form loads you could save the token to a session

    $_SESSION['token'] = '345kfnakvngk3kglvnd00dsg9';
    

    Then you can check to see if the $_POST value matches the value in the session. Using a new token on each page request makes it more secure.

    Using this kind of approach should go some way to stopping spammers, but you still need to be careful with what you do for the form submits that you do process. Basically a good rule is to treat anything that gets submitted through your form as a threat, so you will want to

    • Sanitize any data that you are going to insert into your database
    • Strip out any JavaScript that may have been injected
    • Only allow files with certain extensions to be uploaded

    etc
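    The session-token scheme described in this answer, written out as a complete PHP page. This is an added example, not the answerer's code: the field name `_token`, the 15-minute lifetime, the `form_token` session key and the `issue_token`/`verify_token` helpers are all choices made here. The token is generated with a CSPRNG, stored in the session with its issue time, compared with `hash_equals`, and discarded on the first verification attempt so it cannot be replayed.

```php
<?php
// Added example (not from the original post): per-request form token kept in
// the PHP session, checked with a constant-time compare and an expiry, and
// cleared after one use so it cannot be replayed.
// Assumptions: session_start() runs before any output; the form posts back to
// this same script; "_token" and the 15-minute lifetime are values chosen here.

session_start();

const TOKEN_FIELD    = '_token';
const TOKEN_LIFETIME = 15 * 60; // seconds (assumed value)

// Create a fresh token and remember it, with its issue time, in the session.
function issue_token(): string
{
    $token = bin2hex(random_bytes(32));          // 64 hex chars from a CSPRNG
    $_SESSION['form_token'] = [
        'value'  => $token,
        'issued' => time(),
    ];
    return $token;
}

// Verify the submitted token against the session copy. Returns true only if a
// token was issued, it has not expired, and the two values match exactly.
// The session copy is removed on every attempt, so each token is single-use.
function verify_token(?string $submitted): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);              // single use, pass or fail

    if ($stored === null || $submitted === null) {
        return false;                            // nothing issued or nothing sent
    }
    if (time() - $stored['issued'] > TOKEN_LIFETIME) {
        return false;                            // token expired
    }
    // hash_equals compares in constant time, so match position is not leaked.
    return hash_equals($stored['value'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_token($_POST[TOKEN_FIELD] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired, or invalid. Please reload the form.');
    }
    // The token is valid; every field is still untrusted and must be validated.
    $username = trim($_POST['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        http_response_code(400);
        exit('Invalid username.');
    }
    // ... store $username with a prepared statement here ...
    exit('Registered ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8'));
}

// GET: render the registration form with a newly issued token in a hidden field.
$token = issue_token();
?>
<form method="post" action="">
    <label>Username <input type="text" name="username"></label>
    <input type="hidden" name="<?= TOKEN_FIELD ?>"
           value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Register</button>
</form>
```

    Because the token is tied to the visitor's own session and discarded after one check, a submission that arrives without first loading the form in that session, or that reuses an old token, is rejected. It does not by itself stop a client that loads the form and then posts with the token it received; rate limiting or a CAPTCHA is the usual next layer, and the validation of each field shown above is still required regardless of the token check.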
