Spidy has asked for the wisdom of the Perl Monks concerning the following question:

Hello Fellow Monks,
I'm writing a script, and it's becoming evident that we need to protect it against attacks based on the hidden form fields it's using. One method we've thought of is to make sure that all requests for the script are only coming from the server that it's hosted on, but I'm not sure exactly how I'd do this. Does anyone know how, or could point me to some documentation that might explain how?

Thanks,
Spidy

Re: Checking Referring Page?
by ikegami (Patriarch) on Dec 07, 2005 at 17:43 UTC

    You could add an extra field consisting of an encrypted* checksum of the existing fields. This will allow you to detect tampering and that data came from your own script since only your script knows the key used to encrypt and decrypt the checksum.

    Alternatively (and more commonly used), you could store a session id instead of the data in the hidden fields. On the downside, this requires some sort of database to hold the data associated with the session. The security in this method comes from the near impossibility** of guessing the long session ids of active sessions.

    * – A symmetric encryption algorithm, such as Crypt::Rijndael, would be ideal.

    ** – If you're using 128-bit session ids, and there are 1024 (2^10) active sessions on your site, the attacker has a 1 in 3.3*10^35 (2^(128-10)) chance of guessing an active session id.
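A worked version of the keyed-checksum idea above, added here as an example and not part of ikegami's post or any PerlMonks code; it uses an HMAC (Digest::SHA) as the keyed checksum instead of a Crypt::Rijndael encryption, and the key and field values are constructed placeholders:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret (constructed placeholder); in practice load it from a
# file outside the web root so that only the script knows it.
my $KEY = 'replace-me-with-a-long-random-secret';

# Canonical string of the protected fields: sorted names, URL-escaped names
# and values, so a delimiter inside a value cannot shift field boundaries.
sub _esc { my $s = shift; $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge; $s }
sub canonical {
    my (%f) = @_;
    return join '&', map { _esc($_) . '=' . _esc($f{$_}) } sort keys %f;
}

# Value to emit in an extra hidden field, e.g. <input type="hidden" name="sig">.
# Note: this proves integrity and origin, not freshness; a valid set of fields
# plus its signature can be resubmitted unless a timestamp or session id is
# included among the signed fields.
sub sign_fields {
    my (%f) = @_;
    return hmac_sha256_hex(canonical(%f), $KEY);
}

# Constant-time comparison so the check does not leak how many leading
# characters of a guessed signature were right.
sub _ct_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_fields {
    my ($sig, %f) = @_;
    return _ct_eq($sig, sign_fields(%f));
}

# Demo with constructed values: what the script emits, then what comes back.
my %hidden = (item => 'widget-42', price => '19.99');
my $sig = sign_fields(%hidden);
print "untampered: ", (verify_fields($sig, %hidden) ? "ok" : "REJECT"), "\n";
my %tampered = (%hidden, price => '0.01');
print "tampered:   ", (verify_fields($sig, %tampered) ? "ok" : "REJECT"), "\n";
```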

Re: Checking Referring Page?
by marto (Cardinal) on Dec 07, 2005 at 17:27 UTC
    Hi Spidy,

    If you check the $ENV{HTTP_REFERER} you can see where the requests are coming from.

    Hope this helps.

    Martin
      No good. The referrer can be faked as easily as the hidden fields.
      The Referer is completely client-dependent in whether it's sent, what it sends etc. You shouldn't trust user input if you have to be sure of something.

      edit: Woops, this should've been an answer to marto.

      Ordinary morality is for ordinary people. -- Aleister Crowley


      Apparently my server doesn't do $ENV{HTTP_REFERER}...can't seem to find it in my %ENV test, anyways.

        Don't forget there is no referrer if you're loading a page directly. You have to have clicked through something. Try putting a dummy link to stay in your CGI and see.

        use CGI qw(:standard);
        print header(), start_html();   # <-- update to run/test w/o changes
        # A link back to this same script: following it makes the browser send
        # a Referer header that referer() can read; a direct load sends none.
        print a({-href=>url(1)}, "self-check: ", referer() || 'no referrer');