How do I prevent others from sending their own data to my php page?

Question

Suppose I have a registration page in my website that contains a registration form:

<form action="register.php" method="post">
<input name="...">
<input...>
...
<input type='submit'>
</form>

Then someone else made his own page and used my form's action page:

<form action="http://mywebsitename.com/register.php" method="post">

Can he post his own data to my page this way? If so how can I prevent this?

Edit: It seems that using a token and storing its value in a session variable does not prevent someone from submitting data from his own form (even if the token is generated every page request) by first opening my original page (so a session for him is started and a token for that session is generated) and then using that token in his own form, while still in the session.
So I think Quentin is right, data must be validated anyway in the action page before it is accepted.

Thanks everybody.

Answer 1

Given:

• Alice, a person with a browser
• Bob, a person with a site (you)

There is no way for Bob to control what Alice submits. Your HTTP server is your public interface and you don't control what goes on outside it.

You must:

• decide how much you trust the data coming in (auth / authz can help here)
• sanity check submitted data (to see if it looks plausible (is this date a date? is this the 3rd account registration from the same ip address in the last 10 minutes? etc))
• escape data before using it as code (e.g. in SQL statements or HTML documents)

If we add to the list of players:

• Mallory, a malicious person with another site

You can make it very hard for Mallory to trick Alice into submitting malicious data (which would arrive with Alice's user credentials). The usual defences against CSRF (i.e. tokens that are unique per session and stored in the session data and in the form as a hidden input) should be used.