You are right. It's painfully easy to fake the referer to make it say
anything you want it to.

I do it occasionally to screw with people's heads ;)

Making the referer become something like www.fbi.gov is always a hoot.


So using referer really isn't a very good solution, and many browsers just
screw it up or ignore it anyway. Early versions of AOL did this a lot, and
Konqueror apparently has problems too.

And anyone who uses Proxomitron can set their referer to anything they'd
like, so that's not good either.

However, you can just log the referer of anyone that posts to your app, so
you can go back in and look to see if any mysterious referers are being
used. But never hard-code a forced referer as you're only going to set
yourself up for nasty emails and a false sense of security.

As I said, assume any piece of data coming from outside your script to be
both faulty and possibly malicious. Just because you're paranoid doesn't mean
they aren't out to get you...


--
Plutarck
Should be working on something...
...but forgot what it was.




"Les Neste" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Correct me if I'm wrong, but isn't it possible to fake the referrer?
>
> This may not matter for your application -- are you writing a financial app
> or a personal portfolio? -- but if you really need to authenticate the
> source of data that comes from some other IP address (as is the case with a
> web browser) then you're into PGP keys and signed certificates.
>
>
> At 11:18 PM 4/3/2001 -0700, Dallas K. wrote:
> >If you want to check where your submit is coming from, then you need to
> >check the REFERER url..... do so by using the global $HTTP_REFERER
> >variable.
> >
> >
> >global $HTTP_REFERER;
> >
> >if($HTTP_REFERER == "YOUR_FORM_PAGE_HERE")
> >{
> >    //PROCESS CODE.
> >}
> >else
> >{
> >    echo"Your a hacker, so BITE ME!!!";
> >}
> >
> >
> >
> >
> >----- Original Message -----
> >From: "Plutarck" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Tuesday, April 03, 2001 7:58 PM
> >Subject: [PHP] Sneaky solution
> >
> >
> >> > How do you check to make sure that any
> >> > form submissions originate from your site?
> >>
> >> You basically can't.
> >>
> >> ...well that was easy ;)
> >>
> >>
> >> All you can do is assume that every single piece of data sent from the
> >> client is an attempt to screw up your application. After stripping
> >> non-valid characters and using strlen to ensure the data is of a valid
> >> size, there isn't much you can do. But if you know ahead of time that
> >> the date should _NOT_ be 1998, just encode such a validator.
> >>
> >>
> >> But if you want to be really sneaky, make something like this:
> >>
> >> value1=vally|val2=vooly
> >>
> >> Then run it through some encryption feature or a home-brewed scrambler,
> >> and make the whole thing one single "hidden" value.
> >>
> >> In your script you decode it, split it apart into proper variables, and
> >> continue along as normal.
> >>
> >>
> >> Still not foolproof, but I use it when I have no other better method.
> >> And it basically thwarts 99% of casual tinkerers, and an equal amount of
> >> script kiddies, and it allows you to be really creative in your data
> >> validation, plus you can screw with people's heads...which of course is
> >> the most important function ;)
> >>
> >>
> >>
> >> --
> >> Plutarck
> >> Should be working on something...
> >> ...but forgot what it was.
> >>
> >>
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >> To contact the list administrators, e-mail:
[EMAIL PROTECTED]
> >>
> >
> >
> >
> >
>
>
> ............................................................................
> Les Neste  678-778-0382  http://www.lesneste.com
>
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
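A worked version of the two defensive ideas that survive this thread: log the referer for later review but never make acceptance depend on it, and carry the form's fields in one hidden value that the client cannot quietly rewrite. This is an added example, not code from any of the posters. It goes beyond the thread's "home-brewed scrambler" by signing the hidden value with an HMAC bound to the visitor's session and a timestamp; the secret, session id, lifetime, field names and expected host are all assumed placeholder values, and it assumes PHP 7.2 or later.

```php
<?php
// Added example (not from the thread). A signed, per-session "hidden value"
// in place of a home-brewed scrambler, plus referer logging instead of
// referer enforcement. $secret is a placeholder: load a real one from
// server-side config, never from anything the client sends.
declare(strict_types=1);

const TOKEN_TTL = 1800; // seconds a rendered form stays submittable (assumed)

// Build the hidden field value: the form's own fields, a timestamp and the
// session id, followed by an HMAC over all of it. Nothing in the payload is
// secret; the HMAC is what stops the client from editing it unnoticed.
function build_hidden_value(array $fields, string $sessionId, string $secret, int $now): string
{
    $payload = json_encode(['f' => $fields, 't' => $now, 's' => $sessionId]);
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

// Verify and decode. Returns the original fields, or null when the value was
// tampered with, was issued to a different session, or has expired.
function read_hidden_value(string $value, string $sessionId, string $secret, int $now): ?array
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || ($data['s'] ?? null) !== $sessionId) {
        return null;
    }
    if ($now - (int) ($data['t'] ?? 0) > TOKEN_TTL) {
        return null;
    }
    return is_array($data['f'] ?? null) ? $data['f'] : null;
}

// Referer handling as the thread recommends: record it for later review,
// flag the odd ones, but never reject a request because of it.
function referer_note(?string $referer, string $expectedHost): string
{
    if ($referer === null || $referer === '') {
        return 'referer: (absent)'; // many browsers and proxies send none
    }
    $host = parse_url($referer, PHP_URL_HOST);
    $flag = (is_string($host) && strcasecmp($host, $expectedHost) === 0) ? '' : ' [unexpected]';
    return 'referer: ' . $referer . $flag;
}

// Demonstration with constructed values.
$secret  = 'placeholder-secret-from-config';
$session = 'sess-abc123';                 // constructed session id
$now     = time();

// When rendering the form: the thread's "value1=vally|val2=vooly" as one field.
$hidden = build_hidden_value(['value1' => 'vally', 'val2' => 'vooly'], $session, $secret, $now);
echo '<input type="hidden" name="state" value="'
    . htmlspecialchars($hidden, ENT_QUOTES) . '">' . PHP_EOL;

// When the form comes back:
var_dump(read_hidden_value($hidden, $session, $secret, $now));          // the two fields
var_dump(read_hidden_value($hidden . 'x', $session, $secret, $now));    // NULL: MAC mismatch
var_dump(read_hidden_value($hidden, 'sess-other', $secret, $now));      // NULL: wrong session
var_dump(read_hidden_value($hidden, $session, $secret, $now + 3600));   // NULL: expired

// Log, don't enforce.
error_log(referer_note($_SERVER['HTTP_REFERER'] ?? null, 'www.example.com'));
```

The session binding is what makes this more than obfuscation: a value lifted from one visitor's page fails verification when replayed from another session, and the timestamp bounds how long a captured form stays usable. The referer line still goes to the log, where the thread's suggestion of reviewing for "mysterious" values can be followed without turning a header any client can set into an access control.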
