Tycoon Talk
Tycoon Talk is part of Freelancer.com - find skilled workers online at a fraction of the cost.

PHP Forum


Security Question - Form data from outside website
Old 05-11-2009, 03:46 PM Security Question - Form data from outside website
Say I just create a local html file with a form that submits to my actual website, using the correct input names and such. What exactly should be done to prevent my page from carrying out the action that wasn't requested in a page ON my website?

From the research I've done, I've found a few different solutions but am always informed that this isn't foolproof.

One method was to create a session variable of an md5() in the form.

Another was to check the referrer, which can be spoofed from what I've read.

And one other way... an expensive, not-going-that-road solution, would be SSL.

So I was hoping you kind folks could give me some insight on maybe a procedure I should go through to prevent this kind of manipulation.
kbfirebreather is offline
Old 05-12-2009, 03:19 PM Re: Security Question - Form data from outside website
Using a combination of session variables and referrers is a good start, but as you said, these can be spoofed (the session variables are pretty hard though).

Ultimately, it's really hard to check whether the user is coming from your website or not.

The question becomes... Is it important? If the user is authenticated, and their form data is valid, does it matter whether the form they submitted is from your website? You should be doing input validation anyway, so I can't think of a situation where it makes a big difference.
__________________
Will Anderson
anderswc is offline
Old 05-12-2009, 03:30 PM Re: Security Question - Form data from outside website
Yeah, I was thinking the same thing. I think what it comes down to is I have to verify this person and what they're doing is valid. Like say they're editing a golf course they created. It should be them (as far as I can tell) and it should be THEIR course, not some other course (via an ID).

The other thing I was thinking about is select and options...since those really shouldn't be anything but what I make it, they could create the same form with different values...but that's where the validation comes in.

So all in all, validate ALL input, even if it seems like it shouldn't need validation (hidden text boxes, drop downs, radio buttons, etc).
kbfirebreather is offline
Old 05-12-2009, 04:34 PM Re: Security Question - Form data from outside website
Exactly. Never use user input when accessing a database without validating their input. This includes cookies and referrals as well by the way. And of course, always make sure you escape possible SQL injections.
__________________
Will Anderson
anderswc is offline
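An added example, not code posted in this thread, putting the advice above into PHP: a session-held form token (a modern take on the md5() session variable from the first post, using PHP 7's random_bytes and hash_equals), a check that the course ID belongs to the logged-in user, a whitelist for the drop-down value, and prepared statements. The courses table, its columns, the session keys and the form field names are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumed schema: courses(id, owner_id,
// name, difficulty); assumed session key 'user_id' is set at login.
session_start();

// Generate a token once per session. Embed it in every form as
// <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request unless the submitted token matches the session's copy.
// A form hosted on another site cannot read this token, so it cannot supply it.
function require_csrf_token(): void {
    if (!hash_equals(csrf_token(), $_POST['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Invalid form token');
    }
}

// Whitelist for the <select>: any value outside this list is rejected outright.
const DIFFICULTIES = ['easy', 'medium', 'hard'];

function handle_edit_course(PDO $db): void {
    require_csrf_token();
    if (empty($_SESSION['user_id'])) { http_response_code(401); exit('Login required'); }

    $course_id  = filter_input(INPUT_POST, 'course_id', FILTER_VALIDATE_INT);
    $difficulty = $_POST['difficulty'] ?? '';
    $name       = trim($_POST['name'] ?? '');
    if (!is_int($course_id) || !in_array($difficulty, DIFFICULTIES, true)
        || $name === '' || strlen($name) > 100) {
        http_response_code(400); exit('Invalid input');
    }

    // Ownership check: the course ID from the form must belong to the logged-in user.
    $owned = $db->prepare('SELECT 1 FROM courses WHERE id = :id AND owner_id = :owner');
    $owned->execute([':id' => $course_id, ':owner' => $_SESSION['user_id']]);
    if ($owned->fetchColumn() === false) { http_response_code(403); exit('Not your course'); }

    // Prepared statement: values are bound, never interpolated into the SQL string.
    $db->prepare('UPDATE courses SET name = :name, difficulty = :difficulty WHERE id = :id')
       ->execute([':name' => $name, ':difficulty' => $difficulty, ':id' => $course_id]);
}
```

The token check only helps if the session cookie is not sent along with a plain cross-site GET that performs the edit, so keep state-changing actions on POST and validate every field, hidden ones included, as the thread concludes.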