I’m looking for the safest way to not allow my web form, which uses PHP and MySQL, to be posted to from off site. I’ve done some searching and found that most people suggest setting a hidden field in the form and a session variable with a md5() hash value and check for it on form submission. But that doesn’t seem very secure because the md5() hash value can be seen in the source of the form in the hidden value.

Here is my idea to not allow off site form submissions. It’s a bit more resource intense with the database calls but looks to be more secure because the code hash is never sent to the client side.

Please take a look at it and see if you can poke any holes in this security measure to prevent off site form posts.

// First time form loads
if (!$_POST) {

    session_start();

    $code_options = array('A','B','C','D','E','F','G','H','I','J','K','L','M','N','P','Q','R','S','T','U','V','W','X','Y','Z','1','2','3','4','5','6','7','8','9');
    for ($i=1; $i<=20; $i++) {
        $code .= array_rand(array_flip($code_options), 1);
    }

    // Insert new record
    $con = connect_to_db(); // connects to db
    $sql = "INSERT INTO security_table (form_code) values('$code')";
    $result = run_query($sql, $con); // runs the query

    $_SESSION['formcode'] = $code;
    $_SESSION['formid'] = mysql_insert_id();

}

// If form was posted to    
if ($_POST) {

    session_start();

    $con = connect_to_db();
    $form_code = mysql_real_escape_string($_SESSION['formcode']);
    $form_id = mysql_real_escape_string($_SESSION['formid']);

    $sql = "SELECT form_code FROM security_table WHERE form_code = '$form_code' AND form_id = '$form_id '";
    $result = run_query($sql, $con);

    if (mysql_num_rows($result) > 0) {

        // Process the form

        // If form processes successfully
        $_SESSION['formcode'] = "";
        $_SESSION['formid'] = "";

    }else{

        // Error

    }

}