Checking for page origin
I’d like to talk about a bit of security programming.
Let’s look at a contact form. This is the form a visitor fills out to get in touch with the site owner: typically an email address, a comments box, and possibly a few other fields. When it is submitted, the contents are emailed to a designated person.
One problem with these forms is that an attacker saves the HTML of the form to their own machine and writes a script that posts it over and over to send spam. A particularly bad form puts the recipient’s email address in a hidden field. All the attacker has to do is change that value: they wrap the request in a loop that reads a list of addresses and substitutes a new one on each pass. Everyone on that list receives spam sent through your form and your mail-out script, so to them it looks as if you are the spammer.
To help guard against this, we add some security code to the script. First, we never put an email address in a hidden field on the form. The recipient is hard-coded in the server-side script, so the only addresses mail can ever go to are the ones written explicitly in our code.
Next we add a check at the top of the page that does the emailing. When the visitor clicks submit on the form page, the browser includes a Referer header in the request that names the domain and page the submission came from. Before doing anything else, the mail script checks that this is our own domain (not an attacker’s machine) and the correct page name, and rejects the request otherwise. One caveat: the Referer is supplied by the client, so an attacker who notices the check can forge it. This stops scripts that don’t bother, not a determined one, and some browsers and privacy settings omit the header entirely, so expect a few genuine submissions to be dropped. A per-form token generated by the server and verified on submission is the stronger version of the same idea.
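The two measures above, put together as an added example (this is not the author’s mail script, and it uses Python rather than whatever the site’s server pages were written in). The recipient address, the allowed hosts and the allowed page path are assumed values, and the request is represented by plain dicts so the code runs offline. The check parses the Referer into components rather than doing a substring match, so look-alike hosts such as `www.example.com.evil.test` or `www.example.com@evil.test` are rejected.

```python
"""Contact-form mail handler: fixed recipient plus a Referer (page origin) check."""
from urllib.parse import urlsplit

# The recipient lives only in server-side code and is never read from the
# submitted form, so a copied form cannot redirect mail anywhere else.
RECIPIENT = "webmaster@example.com"          # assumed address for this example

# The page(s) the form legitimately lives on (assumed values).  Hosts compare
# case-insensitively because urlsplit().hostname is lower-cased; paths compare
# exactly.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
ALLOWED_PATHS = {"/contact.html"}


def referer_is_valid(referer, allowed_hosts=ALLOWED_HOSTS, allowed_paths=ALLOWED_PATHS):
    """Return True only if the Referer names one of our own form pages.

    Comparison is on parsed URL components, never substrings, so
    'https://www.example.com.evil.test/...' and
    'https://www.example.com@evil.test/...' both fail the host check.
    """
    if not referer:                       # header absent or empty
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:                    # malformed URL, e.g. a bad IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False                      # rules out file://, data:, etc.
    if (parts.hostname or "") not in allowed_hosts:
        return False
    # Query string and fragment are ignored; only the page path must match.
    return parts.path in allowed_paths


def handle_submission(headers, form):
    """Build the outgoing message for one form post, or return None to reject it.

    `headers` and `form` are plain dicts standing in for the HTTP request.
    Any 'recipient'-style field an attacker adds to `form` is ignored: the
    destination comes from RECIPIENT and nowhere else.
    """
    if not referer_is_valid(headers.get("Referer")):
        return None
    return {
        "to": RECIPIENT,                                  # fixed, never from the form
        "reply_to": form.get("email", ""),
        "subject": "Contact form submission",
        "body": form.get("comments", ""),
    }


if __name__ == "__main__":
    # Constructed sample requests: one from our own page, one from a copied
    # form whose author added their own recipient field and sent no Referer.
    genuine = handle_submission(
        {"Referer": "https://www.example.com/contact.html"},
        {"email": "visitor@example.org", "comments": "Hello!"},
    )
    copied = handle_submission(
        {},
        {"email": "x@example.org", "comments": "spam", "recipient": "victim@example.net"},
    )
    print("genuine ->", genuine)
    print("copied  ->", copied)
```

Treat `referer_is_valid` as a tripwire, not a gate: anything that can send an HTTP request can also send `Referer: https://www.example.com/contact.html`, so the check only filters scripts that never set the header. The part that actually removes the spam-relay risk is that `handle_submission` takes the destination from `RECIPIENT` and ignores whatever the form claims.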
This is just one of the security measures we are taking with web projects.