Let me explain the title: Take the "flag as inappropriate" link on any YouTube video as an example. That's basically a link to a page that processes the request (such as, is the person who clicked it a logged-in user, what's the id of the video flagged, etc.). If everything goes well, the video is flagged and the right output is given to the user.

My question is, what prevents the user from accessing that processing file from the url, and flagging, say, all videos on youtube automatically? You can't create a session with php IF the user clicks a link, and not wanting to involve JS, I'm looking for a good php-only solution, to ONLY process the data IF someone got to the process page through the right page.

Can you suggest a way to do that, maybe passing another GET variable? You can use the YouTube example if you like.

thanks

+1  A: 

If you want to do something like ensure they came from the expected page, you could have an additional GET variable (beyond just the video ID) that's an encryption of a string concatenation of the video ID and the current datetime and some salt for good measure.

On the receiving page you can check to make sure they have a session and are logged in, and if they are decrypt the GET variable. Ensure that the datetime is valid (say last 10 minutes) and the ID matches the main one sent unencrypted.

You don't want to send the ID of the person clicking it over GET because that's easily manipulated client-side, so rely on the session variable for that.

You can also take advantage of the `$_SERVER['HTTP_REFERER']` variable, but I don't think I'd rely only on that.

Parrots
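The per-link token this answer describes, as an added PHP example (not the answerer's code): it binds the video ID, the issue time and the logged-in user's session ID into a keyed HMAC rather than encrypting them, since the processing page only needs to verify the value, not read it back, and it keeps the 10-minute window and the session check from the answer. `SECRET_KEY`, `make_flag_token` and `check_flag_token` are assumed names.

```php
<?php
// Added example, not the answerer's code. Assumed names: SECRET_KEY,
// make_flag_token(), check_flag_token(). HMAC is used instead of encryption.
declare(strict_types=1);

const SECRET_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder
const TOKEN_TTL  = 600; // seconds: the answer's "last 10 minutes"

// Called when rendering the "flag" link. Ties the token to the video,
// the issue time and the current session, so it cannot be reused for
// another video or by another user.
function make_flag_token(int $videoId, string $sessionId, ?int $now = null): string
{
    $issued = $now ?? time();
    $mac = hash_hmac('sha256', "$videoId|$issued|$sessionId", SECRET_KEY);
    return "$issued.$mac";
}

// Called by the processing page. True only if the token was minted for
// this video and this session and is still inside the time window.
function check_flag_token(string $token, int $videoId, string $sessionId, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$issued, $mac] = $parts;
    $issued = (int) $issued;
    $now = $now ?? time();
    if ($issued > $now || $now - $issued > TOKEN_TTL) {
        return false; // expired, or timestamp from the future
    }
    $expected = hash_hmac('sha256', "$videoId|$issued|$sessionId", SECRET_KEY);
    return hash_equals($expected, $mac); // constant-time comparison
}

// --- rendering the link on the video page (after session_start()) ---
// $url = 'flag.php?v=' . $videoId . '&t=' . urlencode(make_flag_token($videoId, session_id()));
// --- processing page: flag.php?v=123&t=... ---
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403); exit('login required');
}
$videoId = (int) ($_GET['v'] ?? 0);
$token   = (string) ($_GET['t'] ?? '');
if (!check_flag_token($token, $videoId, session_id())) {
    http_response_code(400); exit('invalid or stale flag link');
}
// ...record the flag for $videoId by $_SESSION['user_id'] here...
```

Because the session ID is part of the HMAC input, a token copied out of one user's page is rejected in another user's session, and the user ID never travels in the URL.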