[EMAIL PROTECTED] (Chris Shiflett) wrote:

>--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
>> Many PHP programmers tried their best to use
>> HTTP_REFERER so they can keep track of which
>> webpages on the current website the user
>> last visited.
>
>I think I see what you are referring to now.
>
>The reason that many people (myself included) discourage
>the use of REFERER for this purpose is not only because
>support is inconsistent, but also because it is not
>required that a Web client send this header. In fact, the
>only required header in the latest version of HTTP (1.1) is
>the Host header. So, it really boils down to not depending
>on something that is not guaranteed to be there.

It is even dangerous to rely on HTTP_REFERER because it's not under your
control. The client could set the HTTP headers itself (e.g. a PHP
script using CURL, www.php.net/curl). You should at least combine the
REFERER check with a valid session on your host or look for a
corresponding log entry or something similar.

Christoph

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
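
One way to combine the REFERER check with a valid session, as suggested in the reply above. This is an added example, not code from the thread. The function names, the session keys (`user_id`, `last_page`) and the host `shop.example` are assumptions; in a real script `$session` would be `$_SESSION` after `session_start()` and `$server` would be `$_SERVER`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: record the page being served in the session and
// return the page served before it. This server-side record replaces the
// client-supplied Referer as the source of "where was the user last".
function track_page(array &$session, string $currentPath): ?string
{
    $previous = $session['last_page'] ?? null;
    $session['last_page'] = $currentPath;
    return $previous;
}

// Hypothetical helper: decide whether a request plausibly follows a page we
// served. The Referer may only confirm the session record, never replace it.
// Call this before track_page() updates the record for the current request.
function came_from(array $session, array $server, string $expectedPath, string $ownHost): bool
{
    if (empty($session['user_id'])) {
        return false;                 // no valid session: a Referer alone proves nothing
    }
    if (($session['last_page'] ?? null) !== $expectedPath) {
        return false;                 // our own record disagrees
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return true;                  // header is optional, so absence is not an error
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return false;                 // unparseable header value
    }
    return ($parts['host'] ?? '') === $ownHost
        && ($parts['path'] ?? '/') === $expectedPath;
}

// Constructed sample requests (not real traffic).
$loggedIn = ['user_id' => 42, 'last_page' => '/cart.php'];
$anonymous = [];
$forged = ['HTTP_REFERER' => 'http://shop.example/cart.php'];
$foreign = ['HTTP_REFERER' => 'http://other.example/cart.php'];

var_dump(came_from($anonymous, $forged, '/cart.php', 'shop.example'));  // header set by client, no session
var_dump(came_from($loggedIn, [], '/cart.php', 'shop.example'));        // session present, header omitted
var_dump(came_from($loggedIn, $foreign, '/cart.php', 'shop.example'));  // session present, header from another host
var_dump(track_page($loggedIn, '/checkout.php'));                       // previous page from the session record
```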
