
PHP form protection


Alexancho

Recommended Posts

I created a Contact Us form and perform some usual checks for received data. Something like that:

//Make sure that the input come from a posted form. Otherwise quit immediately
if (($_SERVER['REQUEST_METHOD']) != 'POST') {
    die("You can only reach this page by posting from the 'Contact Us' form");
}
if (isset($_POST['fname1']) && !empty($_POST['fname1'])) {
    $name = $_POST['fname1'];
} else {
    die('Something wrong with the name!'); //fields sent from form "Contact us" can not be empty. It checked by JS before sending.
}
// mysql_real_escape_string() needs an open mysql_* connection; the mysql_* extension was removed in PHP 7
$name = mysql_real_escape_string($name);
// etc.

Is it enough in general? And the second question: I want to be sure that the data I received came from my "Contact us" page and not from any other place. How can I do it? How can I know from where the data came?


You could check if $_SERVER['HTTP_REFERER'] matches the URL of the page you're expecting. Keep in mind that an attacker could fake it, and some legitimate users may choose to disable referer sending for privacy concerns, so it's not a reliable method. And no, there isn't a more reliable one.

The best way to ensure that the form is submitted for processing, and not for something else, is to define the "something else" as showing the form (with error messages if you must). In other words, consider making this PHP file also be the form itself.

The HTTP method check is somewhat redundant, I must say. Regardless of request method, PHP will create the POST array based on the request content if it can, and if not, it will simply leave it empty. Either way, if the request content is appropriate, why not act upon it? If you had special actions for different HTTP methods, then it would be good to do this check first and switch accordingly, but in your case, it's pointless.

BTW, for what you're doing, I think it could be wiser to do something like:

//Make sure that the input come from a posted form. Otherwise quit immediately
if (($_SERVER['REQUEST_METHOD']) != 'POST') {
    die("You can only reach this page by posting from the 'Contact Us' form");
}
if (!isset($_POST['fname1']) || empty($_POST['fname1'])) {
    die('Something wrong with the name!');
}
$name = mysql_real_escape_string($_POST['fname1']);

I see no reason to store a value in a variable, only to replace it on the next line. Converting your die()-ing logic allows for that to happen in a cleaner fashion.

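The reply above recommends making the PHP file both render and process the form. The following is an added example of that layout, not code from either poster. It assumes PHP 7 or later with sessions enabled, and it uses an in-memory SQLite database through PDO in place of the MySQL connection the original code relied on, so the table is recreated on every request and the script runs without any setup. It also goes one step beyond the reply: instead of the forgeable HTTP_REFERER, it embeds a per-session random token in the form and compares it on submit, which is the usual way to confirm that a submission came from a form this server handed to this browser session.

```php
<?php
// contact.php: the form and its handler in one file, as the reply suggests.
// Added example, not the poster's or the reply's code. Assumptions: PHP 7+,
// sessions enabled, and an in-memory SQLite database standing in for MySQL.
session_start();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE IF NOT EXISTS contact_messages (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Per-session token embedded in the form and checked on submit. HTTP_REFERER can
// be omitted or forged by the client; this value is known only to this browser
// session, so a request assembled elsewhere cannot carry it.
if (empty($_SESSION['form_token'])) {
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
}

$errors = [];
$name = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // hash_equals() compares in constant time and tolerates a missing field.
    if (!hash_equals($_SESSION['form_token'], (string) ($_POST['form_token'] ?? ''))) {
        $errors[] = 'This form could not be verified. Please reload and try again.';
    }

    // Trim first, so a name made only of spaces counts as empty. The JavaScript
    // check on the client is a convenience; the server repeats it as the real one.
    $name = trim((string) ($_POST['fname1'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Please enter a name of up to 100 characters.';
    }

    if (!$errors) {
        // A prepared statement replaces mysql_real_escape_string(): the value travels
        // separately from the SQL text, so there is no escaping step to forget.
        $stmt = $pdo->prepare('INSERT INTO contact_messages (name) VALUES (:name)');
        $stmt->execute([':name' => $name]);

        // Rotate the token and redirect (303), so a browser refresh cannot resubmit.
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?') . '?sent=1', true, 303);
        exit;
    }
}

// Everything echoed into HTML is escaped, including values the user just typed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<!doctype html>
<meta charset="utf-8">
<title>Contact Us</title>
<?php if (isset($_GET['sent'])): ?>
<p>Thanks, your message was received.</p>
<?php endif; ?>
<?php foreach ($errors as $err): ?>
<p class="error"><?= e($err) ?></p>
<?php endforeach; ?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= e($_SESSION['form_token']) ?>">
  <label>Name <input name="fname1" value="<?= e($name) ?>" maxlength="100" required></label>
  <button type="submit">Send</button>
</form>
```

With this layout a GET shows the empty form, a POST that fails validation shows the same form again with the errors and the user's input preserved, and a POST that succeeds is stored and redirected, so the request method check the reply calls pointless is no longer needed for anything. The token check answers the question of where the data came from as far as the server can: it cannot identify the page, but it does establish that the submitter held a value issued to this session, which a third-party page cannot read.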

Is it enough in general?
I use a couple of techniques to stop bots and repeated form submissions (like when they press refresh and resubmit the form over and over).

1) I generate a timestamp with javascript and stick it in a form field.
2) When they click submit, I generate another one (again, using javascript) and stick that into another form field.

When the form is submitted, if the two timestamps aren't at least ten seconds apart (or if either one is missing), I fail the form. A human will almost always take at least 10 seconds to fill out the form in question (almost impossible not to, really), but a bot will hit the page and submit it in a second or less.

Part two is when they successfully submit the form and the data is saved, I set a session var with the current time. The next time the form is submitted I check that session var; if it hasn't been at least one minute, it fails the form.

These two steps seem to confound the bots pretty well, partly because step one relies on javascript (which not many bots use) and step two prevents flooding the database with loads and loads of entries. And it also stops users from accidentally double or triple posting stuff.
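The server side of the two checks in the post above, written out as an added example rather than the poster's code. The hidden field names fill_start and fill_end, the assumption that the JavaScript writes Unix seconds into them, and the session key last_submit are all my choices; the JavaScript that fills the fields is not shown. The sample submissions at the bottom are constructed, with a fixed clock so the script prints the same result every run, and they include the failure cases the post mentions (a field missing because no script ran, a one-second fill, a refresh a few seconds after an accepted post) plus one the post does not, an end time earlier than the start time.

```php
<?php
// Server side of the checks described in the post above: two client-supplied
// timestamps must be at least ten seconds apart, and a session value must show
// at least a minute since the last accepted submission. Added example, not the
// poster's code. Assumed names: hidden fields fill_start and fill_end holding
// Unix seconds written by JS, and a session key last_submit.

const MIN_FILL_SECONDS = 10;
const MIN_RESUBMIT_GAP = 60;

// Returns null when the fill-time check passes, otherwise the reason it failed.
function checkFillTime(array $post, int $minSeconds = MIN_FILL_SECONDS): ?string
{
    foreach (['fill_start', 'fill_end'] as $field) {
        // ctype_digit() rejects empty strings, signs, decimals and non-numeric input;
        // the is_string() guard keeps arrays (fill_start[]=1) out as well.
        if (!isset($post[$field]) || !is_string($post[$field]) || !ctype_digit($post[$field])) {
            return "missing or malformed $field";
        }
    }
    $start = (int) $post['fill_start'];
    $end   = (int) $post['fill_end'];
    if ($end < $start) {
        return 'fill_end precedes fill_start';
    }
    if ($end - $start < $minSeconds) {
        return 'form completed too quickly';
    }
    return null;
}

// Returns null when enough time has passed since the last accepted submission.
function checkResubmitGap(array $session, int $now, int $minGap = MIN_RESUBMIT_GAP): ?string
{
    if (isset($session['last_submit']) && $now - (int) $session['last_submit'] < $minGap) {
        return 'submitted again too soon';
    }
    return null;
}

// Runs both checks; on success records the submission time in the session array
// (pass $_SESSION here in a real handler) and returns null.
function acceptSubmission(array $post, array &$session, int $now): ?string
{
    $reason = checkFillTime($post) ?? checkResubmitGap($session, $now);
    if ($reason === null) {
        $session['last_submit'] = $now;
    }
    return $reason;
}

// Constructed sample submissions, not captured traffic. $now is fixed so the
// script gives the same result every run; five seconds pass between cases.
$now = 1700000000;
$session = [];

$cases = [
    'human, 25 s to fill'        => ['fill_start' => '1699999960', 'fill_end' => '1699999985'],
    'same human, refresh 5 s on' => ['fill_start' => '1699999960', 'fill_end' => '1699999985'],
    'bot, 1 s to fill'           => ['fill_start' => '1699999999', 'fill_end' => '1700000000'],
    'bot, no JS ran'             => ['fname1' => 'x'],
    'tampered, end before start' => ['fill_start' => '1700000000', 'fill_end' => '1699999990'],
];

foreach ($cases as $label => $post) {
    $reason = acceptSubmission($post, $session, $now);
    printf("%-28s %s\n", $label, $reason ?? 'accepted');
    $now += 5;
}
```

Both timestamps arrive from the client, so a bot that does execute JavaScript can write any pair it likes; what this check actually filters is the scripted submitter that never loads the page, which is the case the post describes. The one-minute gap is the part the client cannot edit, but it lives in the session, so a client that discards its cookie starts with an empty session and a clean slate. If flooding is the concern, keep the same check against a server-side key (for example per source address) alongside the session value.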
