American horizo;1263877 wrote:
Ok thanks for the suggestion!
I have a doubt... Can a PHP file be accessed from external domains? In other words, can the PHP file that inserts data into the DB be called from a different domain? Is there a way to prevent it?
I don't know exactly what you mean right now. So I'm going off of what sounds about right.
You CAN restrict through what's called an HTTP Referrer, which is the page that is sending you from somewhere towards your server. Some people disable their referrers, though, and I'm not sure if all browsers do it perfectly, so I wouldn't advise you to block based on referrers. I guess you could also use certain kinds of session variables to guarantee the person is going through certain pages (they can't access "create account" if they haven't accessed the main page yet), but I also don't think that's a good solution. And these are all easy to ignore if you're trying to hack a website (pretty much every single thing the client sends your server can be changed; the server can only trust the server itself - and bad practices can make even that a problem).
People cannot download your PHP and execute it at their server, if that's what you're asking. They can only do that with access to the files themselves (like having already hacked your website or through FTP access or something along those lines).
At the very least, your script should check that the person filling your form has all the permissions to send data to the database. If you really don't want to check this server-side, you should just make sure that invalid data can't break anything.
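As an added example (not code from either poster), here is what the server-side checks described above look like in a PHP insert handler: a per-session form token that another domain cannot obtain, a login check held in the session, and input validation with a prepared statement. The session layout, the `comments` table and the DSN are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes sessions are started,
// $_SESSION['user_id'] is set at login, and a table comments(user_id, body).
session_start();

// Called by the page that renders the form; the value goes in a hidden field.
// Another domain cannot read the session, so a cross-site POST fails step 3.
function issue_form_token(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Server-side checks; nothing here trusts a Referer header or a client claim.
function request_is_allowed(string $method, array $post, array $session): bool {
    // 1. Only POST may insert; a plain link or image load cannot trigger it.
    if ($method !== 'POST') {
        return false;
    }
    // 2. The user must be logged in (state held by the server itself).
    if (empty($session['user_id'])) {
        return false;
    }
    // 3. The form token must match the one in the session (constant-time compare).
    $sent = (string)($post['form_token'] ?? '');
    return !empty($session['form_token']) && hash_equals($session['form_token'], $sent);
}

// Validate the data, then insert with a prepared statement so invalid
// input cannot break the query or the table.
function insert_comment(PDO $db, int $user_id, string $body): bool {
    $body = trim($body);
    if ($body === '' || strlen($body) > 2000) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    return $stmt->execute([':uid' => $user_id, ':body' => $body]);
}
if (!request_is_allowed($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Forbidden');
}
$db = new PDO('sqlite:app.db'); // hypothetical DSN
if (!insert_comment($db, (int)$_SESSION['user_id'], (string)($_POST['body'] ?? ''))) {
    http_response_code(400);
    exit('Invalid data');
}
echo 'Saved';
```

The form page calls `issue_form_token()` and emits the value as a hidden input; a request arriving from another origin without it is rejected before any database access.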