ValNZ;1298669 wrote: So I could use a session to prevent this?
What if I don't allow anyone to access the script that processes the POST form without SESSION['loggedin'], they won't be able to?
Yes, that would be a typical approach.
Will they be able to make their own _POST script and go to that page if they were also logged in to my site with that session?
Yes, they could. They could even write a cURL script to go to the login page, enter their login credentials, and save the resulting session ID cookie, which they would then send with their POST request so that they have a valid session. If they are smart enough and find it worthwhile enough to do so, you'll likely never be able to tell whether it's from a "live" source or a script. If it's really a problem for you, then you could try adding a "captcha" field to the form. Even that is somewhat vulnerable if they really, really want to do this. (E.g.: their script could grab the captcha image, send it to some sweat shop in a 3rd world country where some poor soul sits there waiting to type in a response, which the script then uses to submit its request to your site.)
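For concreteness, here is what the session-gated POST handler described in this reply looks like in PHP. This is an added example, not code from the thread; it assumes a login page that sets $_SESSION['loggedin'] = true (the thread's flag name) and, as a hypothetical addition, $_SESSION['user_id'], after verifying credentials.

```php
<?php
// Added example (not from the thread): a POST handler gated on the session
// login flag. Assumes login.php sets $_SESSION['loggedin'] = true and
// $_SESSION['user_id'] (hypothetical) after checking credentials.
session_start();

// Only accept POST; a plain GET to this URL gets nothing useful.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

// Require an authenticated session. As the reply notes, this only proves the
// caller holds a valid session cookie, not that a human filled in the form:
// a cURL script that logged in first passes this check too.
if (empty($_SESSION['loggedin'])) {
    http_response_code(403);
    exit('Login required.');
}

// Validate the submitted field before using it; never trust $_POST as-is.
$comment = trim($_POST['comment'] ?? '');
if ($comment === '' || strlen($comment) > 2000) {
    http_response_code(400);
    exit('Invalid input.');
}

// Tie the submission to the account, so scripted abuse is at least
// attributable and visible in the logs.
$user = $_SESSION['user_id'] ?? 'unknown';
error_log(sprintf('comment from user %s (%s)', $user, $_SERVER['REMOTE_ADDR']));

// ... store $comment together with $user ...
echo 'OK';
```

Because a logged-in script is indistinguishable from a logged-in browser here, a captcha or other human check, as the reply suggests, has to sit in front of this handler rather than replace it.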