Securing credit card checkout - $_SERVER['HTTP_REFERER'] verification
If $_SERVER['HTTP_REFERER']
cannot be trusted according to the PHP documentation, how can you be sure that the POST is coming from our own server? Are sessions the only way?
You should look into the standard "cross site request forgery" prevention techniques. These will provide you with some security that the post is coming through your server/code.
Use a nonce field and verify it on form post. Using a nonce (number used once) is the best way to protect against a cross-site request forgery (CSRF) hacker attack.
Here this library will be very helpful to you http://fullthrottledevelopment.com/php-nonce-library
It's based on how WordPress handles nonce fields.
You might as well see the WordPress code to see how it handles nonces. There are two functions: wp_create_nonce() creates a nonce value to be used in a hidden field in the form to be submitted, and then wp_verify_nonce() verifies the nonce after submission.
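An added example (not the linked library's or WordPress's own code) of the approach the answer describes: a session-backed token issued with random_bytes(), embedded as a hidden field in the checkout form, and checked with hash_equals() before the POST is processed. It assumes PHP 7+ with sessions enabled; the field name csrf_token is an arbitrary choice.

```php
<?php
// Added example, not code from the answers above.
// Session-backed CSRF token: issued once per session, embedded in the form,
// and checked with a constant-time comparison before the checkout POST runs.
session_start();

function csrf_token(): string
{
    // Issue one random token per session: 32 bytes from the CSPRNG, hex-encoded.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input to place inside the checkout <form method="post">.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_verify(?string $submitted): bool
{
    // Reject if no token was ever issued for this session or none was submitted.
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    // hash_equals() compares in constant time, so the check does not leak timing.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Token matched: process the checkout here (placeholder).
    exit('Checkout accepted.');
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <button type="submit">Pay</button>
</form>
```

Because the token lives in the session and is never readable by another origin, a forged cross-site POST cannot supply it, which is the guarantee the Referer header cannot give.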