I use $_POST to read data sent through HTML forms to the server, narrowing down attacks exposure.
How can I strengthen security, using some kind of tokens in the form?
The tokens could be readable however with a sniffer…..

**** EDIT *****
I agree the message above is generic…I’ll try to give more details!

Ok, a PHP/Server generates emails containing some data for a sort of user-revision; this is accomplished with an HTML email containing HTML forms. When users receive those emails, they edit data in the forms, and send it back to the server, that in turn it will store it in the database.

While for other types of interaction users/server, login/authentication is required, in this case some particular email clients, like mobile phones, do allow reading HTML email messages and process forms, unfortunately without allowing client authentication (server side login) prior processing the form.

What happens on the server side when forms are received?
Well $_POST is used, removing potential GET weakness, however using $_POST will not prevent other kind of attacks, just because a sniffer can easily “read” data being sent.

Data on the server side is parsed and stripped accordingly, removing unsafe Javascript and quoted text to prevent injections and other sort of attacks.

That’s why I was looking for a sort of token/nonce technique, however I thought that tokens are sniffable within the form….. and that’s where my help request starts!