I'm planning to send a form available on "websiteSend" to "websiteReceive". websiteSend and websiteReceive are two separate domains. No SSL.
I'd like to get some advice on what I should take care of to make sure it works, and what security holes I should protect against.
Here are a few thoughts:
- Form on websiteSend should have a hidden field that is going to be used by websiteReceive to redirect the user.
- Form on websiteSend should have a hidden field that tells websiteReceive from where the form has been sent (what would be the appropriate $_SERVER variable that I should match it against?).
- websiteReceive should obviously thoroughly validate data before processing it.
I'm obviously missing some key points, so please tell me what to do to secure my application.
I would really do it by using a cURL POST. To do this, just submit the form to the SendServer domain itself and do the sending right from there. That way you can send a hidden field yourself, hard-coded in the code, and no one will know/predict it. See some examples of PHP cURL POST:
http://www.askapache.com/php/sending-post-form-data-php-curl.html (most appropriate for you I guess).
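A sketch of the server-to-server POST described in the answer above, as an added example that is not code from the original posts. Because the thread states there is no SSL, this variant sends an HMAC of the fields computed with a shared secret instead of the hard-coded value itself; the secret, the endpoint URL, the `_ts`/`_mac` field names and the function names are all assumptions.

```php
<?php
// Added example: the secret, URL and field names below are placeholders (assumptions).
const SHARED_SECRET = 'replace-with-long-random-value'; // kept on both servers, never in HTML
const RECEIVE_URL   = 'http://websiteReceive.example/receive.php'; // hypothetical endpoint
const MAX_AGE       = 300; // seconds a signed request stays valid

// MAC over the timestamp plus the key-sorted, URL-encoded fields.
function sign_fields(array $fields, int $ts): string {
    ksort($fields);
    return hash_hmac('sha256', $ts . "\n" . http_build_query($fields), SHARED_SECRET);
}

// --- websiteSend: call after validating the form the user posted locally ---
function forward_form(array $fields): bool {
    unset($fields['_ts'], $fields['_mac']); // reserved names cannot come from the user
    $ts   = time();
    $post = array_merge($fields, ['_ts' => $ts, '_mac' => sign_fields($fields, $ts)]);
    $ch   = curl_init(RECEIVE_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    curl_exec($ch);
    return curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
}

// --- websiteReceive: returns the verified fields, or null when the request is rejected ---
function verify_request(array $post, ?int $now = null): ?array {
    $now = $now ?? time();
    $ts  = (int)($post['_ts'] ?? 0);
    $mac = (string)($post['_mac'] ?? '');
    unset($post['_ts'], $post['_mac']);
    if (abs($now - $ts) > MAX_AGE) {
        return null; // missing or stale timestamp: limits replay of a captured request
    }
    if (!hash_equals(sign_fields($post, $ts), $mac)) {
        return null; // fields were altered, or the sender does not hold the secret
    }
    return $post; // origin is authenticated; each value still needs validation before use
}
```

The MAC shows that the fields came from a holder of the secret and were not modified in transit, but over plain HTTP the field values themselves remain readable on the network. On websiteReceive, `verify_request($_POST)` runs before any processing, and a redirect target taken from the fields is best compared against a fixed list of allowed URLs.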