How do I discriminate between user input sent to my processing.php page from my form page vs any other form page?
Basically, I'm trying to prevent my processing page from processing forms from sources other than my own.
My form:
<form action='processing.php' method='post'>
  <input type='text' name='first' value='firstname'>
  <input type='submit' name='submit' value='submit'>
</form>
Their form:
<form action='processing.php' method='post'>
  <input type='text' name='first' value='firstname'>
  <input type='submit' name='submit' value='submit'>
</form>
How can I make sure I'm processing forms sent from my form, or can I?
Yes, you can (and the reflex is to think of it) by creating a unique token, and using the token to validate the origin.
This is one way of preventing a CSRF attack.
You can store the token on the server when you generate the form page (for example in the session), output it in the form, and validate it upon submission.
So:
<?php
session_start();
// generate token and keep it in the session
$_SESSION['csrftoken'] = hash('sha256', uniqid());
In the form:
<form>
<?php
// render token inside form as a hidden field
echo '<input type="hidden" name="tk" id="tk" value="' . $_SESSION['csrftoken'] . '" />';
....
Then validate:
<?php
session_start();
// validation inside submission: the submitted token must match the session's
if ($_SESSION['csrftoken'] !== ($_POST['tk'] ?? '')) {
    // error
    ...
}
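The same synchronizer-token pattern as a complete, runnable pair of pages. This is an added example, not the code from the answer above: the function names csrf_token(), csrf_validate() and csrf_field() are assumed, the session key 'csrftoken' and field name 'tk' follow the answer, and it swaps in random_bytes() for token generation and hash_equals() for the comparison (uniqid() is time-based and predictable, and a plain !== comparison can leak timing).

```php
<?php
// Added example (not from the question or answer above): a complete
// synchronizer-token check for processing.php. Assumed names: csrf_token(),
// csrf_validate(), csrf_field(); session key 'csrftoken' and field 'tk'
// follow the answer.
declare(strict_types=1);

// Issue (or reuse) the per-session token. random_bytes() gives a
// cryptographically strong value; uniqid() alone is time-based and guessable.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrftoken'])) {
        $_SESSION['csrftoken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrftoken'];
}

// Validate the submitted token. hash_equals() compares in constant time so
// response timing does not reveal how many leading bytes matched.
function csrf_validate(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrftoken'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Render the hidden field; htmlspecialchars() keeps the attribute well-formed
// even though the token is hex and cannot contain quotes.
function csrf_field(): string
{
    return '<input type="hidden" name="tk" id="tk" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// --- form page (form.php, assumed name) ---
// echo '<form action="processing.php" method="post">'
//    . '<input type="text" name="first" value="firstname">'
//    . csrf_field()
//    . '<input type="submit" name="submit" value="submit">'
//    . '</form>';

// --- processing.php ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST['tk'] ?? null)) {
        // Reject: either no token, or a token our session never issued.
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // Token matched: the request came from a page that rendered this
    // session's token. Process $_POST['first'] here.
}
```

The token is tied to the visitor's session, so a form copied to another site cannot supply it: the other site never sees this session's token, and the browser only sends the session cookie, not the hidden field, with a forged request. Setting the session cookie with session_set_cookie_params(['samesite' => 'Lax']) (PHP 7.3+) is a complementary control that blocks most cross-site POSTs before the token check runs, but the token remains the authoritative check.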