Re: [PHP] http_referer. what's wrong with that?

2012-01-11 Thread Ken Robinson

At 12:27 AM 1/12/2012, Haluk Karamete wrote:

> Because I got this
>
> echo $_SERVER['HTTP_REFERER'];
>
> I end up with this
>
> Notice: Undefined index: HTTP_REFERER in
> D:\Hosting\5291100\html\blueprint\bp_library.php on line 16
> die;
>
> Now, this is of course after the   change.
>
> One solution is to dodge it by
>
> echo @$_SERVER['HTTP_REFERER'];


The better way to avoid the error is to do something like

echo (isset($_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : 'No referrer set';


Which checks to see if it's set before echoing the value. If it's not 
set, you get a message saying so.


Ken



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] http_referer. what's wrong with that?

2012-01-11 Thread Haluk Karamete
Because I got this

echo $_SERVER['HTTP_REFERER'];

I end up with this

Notice: Undefined index: HTTP_REFERER in
D:\Hosting\5291100\html\blueprint\bp_library.php on line 16
die;

Now, this is of course after the   change.

One solution is to dodge it by

echo @$_SERVER['HTTP_REFERER'];

But I'm still curious, what configuration am I missing so that
http_referer is treated like that?




Re: [PHP] HTTP_REFERER with javascript: document.location

2006-04-18 Thread Richard Lynch
Probably uses the same thing you're trying to use, which is NOT reliable.

Works for most browsers in most situations, but not reliably.

Walking through your web access logs can also sometimes use heuristics
regarding time and IP address to "guess" which users are unique or
not, but they are not really accurate.  Just guesses.

Websites that claim "# unique visitors" are either:
A) Guessing
B) Requiring a login

If it's A, and you want to compare 2 sites, and both sites aren't
using the same methodology to determine "unique visitor" your
statistics have to be taken with a huge grain of salt...

There is no magical solution out there that any log analysis website
statistic engine is using -- It's all assuming the browsers aren't
lying (and some of them are) and guesswork.

Again I say:  If you NEED to know the REFERER for sure, then YOU have
to track it.  Nobody will do it for you.

If you don't really care and just want a "guess" then you can use
REFERER.

On Tue, April 18, 2006 5:01 pm, Yudie wrote:
> Thank you for your advice.
>
> I guess it's impossible to get reliable value referrer from another
> site?
> How about the website statistic engine out there be able to get the
> referrals address'
>
>
>
> - Original Message -
> From: "Richard Lynch" <[EMAIL PROTECTED]>
> To: "Yudie" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Tuesday, April 18, 2006 4:16 PM
> Subject: Re: [PHP] HTTP_REFERER with javascript: document.location
>
>
>> On Tue, April 18, 2006 12:49 pm, Yudie wrote:
>> > Does anyone know how to resolve my problem
>> > I tried to get the referer url with $_SERVER['HTTP_REFERER'] but
>> > returns blank when I use javascript: document.location='...' from
>> > the previous page.
>>
>> Don't do that.
>> :-)
>>
>> More specifically, no browser is required to provide HTTP_REFERER,
>> so that value is completely un-reliable.
>>
>> If, for some reason, your application NEEDS the preceding page,
>> you'll need to track it in the URL, or in their session, or through
>> some mechanism that YOU control.
>>
>> Rule #1:
>> Never, ever, ever, trust the browser.
>> Or the guy/gal/bot using it, for that matter.
>>
>> Hope that helps, even if it's *so* not what you wanted to hear.
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm
>>


-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] HTTP_REFERER with javascript: document.location

2006-04-18 Thread Yudie
Thank you for your advice.

I guess it's impossible to get reliable value referrer from another site?
How about the website statistic engine out there be able to get the
referrals address'



- Original Message - 
From: "Richard Lynch" <[EMAIL PROTECTED]>
To: "Yudie" <[EMAIL PROTECTED]>
Cc: 
Sent: Tuesday, April 18, 2006 4:16 PM
Subject: Re: [PHP] HTTP_REFERER with javascript: document.location


> On Tue, April 18, 2006 12:49 pm, Yudie wrote:
> > Does anyone know how to resolve my problem
> > I tried to get the referer url with $_SERVER['HTTP_REFERER'] but
> > returns
> > blank when I use javascript: document.location='...' from the previous
> > page.
>
> Don't do that.
> :-)
>
> More specifically, no browser is required to provide HTTP_REFERER, so
> that value is completely un-reliable.
>
> If, for some reason, your application NEEDS the preceding page, you'll
> need to track it in the URL, or in their session, or through some
> mechanism that YOU control.
>
> Rule #1:
> Never, ever, ever, trust the browser.
> Or the guy/gal/bot using it, for that matter.
>
> Hope that helps, even if it's *so* not what you wanted to hear.
>
> -- 
> Like Music?
> http://l-i-e.com/artists.htm



Re: [PHP] HTTP_REFERER with javascript: document.location

2006-04-18 Thread Richard Lynch
On Tue, April 18, 2006 12:49 pm, Yudie wrote:
> Does anyone know how to resolve my problem
> I tried to get the referer url with $_SERVER['HTTP_REFERER'] but
> returns
> blank when I use javascript: document.location='...' from the previous
> page.

Don't do that.
:-)

More specifically, no browser is required to provide HTTP_REFERER, so
that value is completely un-reliable.

If, for some reason, your application NEEDS the preceding page, you'll
need to track it in the URL, or in their session, or through some
mechanism that YOU control.

Rule #1:
Never, ever, ever, trust the browser.
Or the guy/gal/bot using it, for that matter.

Hope that helps, even if it's *so* not what you wanted to hear.

-- 
Like Music?
http://l-i-e.com/artists.htm
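
One way to "track it in the URL" with a mechanism the server controls, as an added example that is not part of the original post: the linking page (including one that navigates with document.location) puts its own path in a `from` parameter together with an HMAC, and the receiving page accepts the value only if the signature verifies. `FROM_KEY`, `is_local_path()`, `sign_from()`, `link_with_from()` and `verified_from()` are hypothetical names, and the paths are constructed sample values.

```php
<?php
// Added example, not code from the thread. All names are hypothetical.

// Server-side key; constructed placeholder, load a random value from config.
const FROM_KEY = 'constructed-demo-key-change-me';

// Accept only a local path with an optional simple query string, so the
// value can never name another host ("//host/..." is rejected).
function is_local_path(string $uri): bool
{
    return preg_match('~^/(?!/)[A-Za-z0-9._/-]*(\?[A-Za-z0-9._=&%-]*)?$~', $uri) === 1;
}

function sign_from(string $path): string
{
    return hash_hmac('sha256', $path, FROM_KEY);
}

// Called by the page that links (or does document.location=...) to $target.
function link_with_from(string $target, string $currentPath): string
{
    $query = http_build_query([
        'from' => $currentPath,
        'sig'  => sign_from($currentPath),
    ]);
    return $target . '?' . $query;
}

// Called by the receiving page with $_GET.
// Returns the previous page, or null when the value is missing or altered.
function verified_from(array $get): ?string
{
    $from = $get['from'] ?? null;
    $sig  = $get['sig'] ?? null;
    if (!is_string($from) || !is_string($sig) || !is_local_path($from)) {
        return null;
    }
    // hash_equals() compares in constant time.
    return hash_equals(sign_from($from), $sig) ? $from : null;
}

// --- demo with constructed values ---
$url = link_with_from('/order.php', '/catalog/item.php?id=42');
echo "link emitted by the previous page:\n  $url\n";

// Rebuild what $_GET would hold on the receiving page.
parse_str((string) parse_url($url, PHP_URL_QUERY), $get);
var_dump(verified_from($get));          // intact link

$get['from'] = '/admin/secret.php';     // value edited by the visitor
var_dump(verified_from($get));

var_dump(verified_from([]));            // parameter not sent at all
```

The signature only proves that the site issued this `from` value; a signed link can still be copied or replayed, so treat the result as "a page we linked from", not as proof of what this visitor just did.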




[PHP] HTTP_REFERER with javascript: document.location

2006-04-18 Thread Yudie
Does anyone know how to resolve my problem
I tried to get the referer url with $_SERVER['HTTP_REFERER'] but returns
blank when I use javascript: document.location='...' from the previous page.

Thank you.

Yudie




Re: [PHP] $HTTP_REFERER

2004-08-05 Thread Curt Zirzow
* Thus wrote Shaun:
> Hi,
> 
> I seem to have problems redirecting pages when I view my site using my
> laptop, the only difference is that my laptop has Norton Firewall installed,
> can this interfere with the $HTTP_REFERER variable and if so is there a more
> reliable alternative?

The reliable way to set yourself up with a self contained referrer,
is by using sessions.

At the very end of each script you can set a session variable, something
like:

$_SESSION['last_page'] = 'http://yadayada'.  $_SERVER['REQUEST_URI'];

That way during the current request you will know where they were
last.

There are gotchas with this, like browser caching and the like.

The other alternative is passing the page they are coming from all
the time, which can get real ugly.


Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




RE: [PHP] $HTTP_REFERER

2004-08-05 Thread Ed Lazor
Shaun,

Jason is suggesting that you turn Norton off to help troubleshoot the
problem.  In other words, verify that Norton is the problem.

Also, people are suggesting that the display of your web pages not depend so
significantly on the HTTP_REFERRER variable.  Perhaps we can help you come
up with a better solution if you tell us what you're trying to accomplish.

-Ed



> -Original Message-
> From: Shaun [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 05, 2004 9:26 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] $HTTP_REFERER
> 
> Hi Jason,
> 
> Thanks for your reply, but really I need a solution that will allow me to
> let users view the site without having to worry about any firewalls they
> might have installed!!!
> 
> 
> "Jason Davidson" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > It's possible norton firewall OR your browser is altering the headers.
> > how are you redirecting, norton may not allow for some kind of
> > redirects either.  Try turning norton off, and visiting the page :)
> >
> > Jason
> >
> > "Shaun" <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi,
> > >
> > > I seem to have problems redirecting pages when I view my site using my
> > > laptop, the only difference is that my laptop has Norton Firewall
> > > installed, can this interfere with the $HTTP_REFERER variable and if
> > > so is there a more reliable alternative?
> > >
> > > Thanks for your help



RE: [PHP] $HTTP_REFERER

2004-08-05 Thread Ford, Mike [LSS]
On 05 August 2004 17:18, Shaun wrote:

> Hi,
> 
> I seem to have problems redirecting pages when I view my site using my
> laptop, the only difference is that my laptop has Norton
> Firewall installed,
> can this interfere with the $HTTP_REFERER variable

Not only can, does!  Other firewalls or proxies may alter it, some will simply block 
it, and anyway it can be forged by the user.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




Re: [PHP] $HTTP_REFERER

2004-08-05 Thread Shaun
Hi Jason,

Thanks for your reply, but really I need a solution that will allow me to
let users view the site without having to worry about any firewalls they
might have installed!!!


"Jason Davidson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> It's possible norton firewall OR your browser is altering the headers.
> how are you redirecting, norton may not allow for some kind of
> redirects either.  Try turning norton off, and visiting the page :)
>
> Jason
>
> "Shaun" <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> >
> > I seem to have problems redirecting pages when I view my site using my
> > laptop, the only difference is that my laptop has Norton Firewall
> > installed, can this interfere with the $HTTP_REFERER variable and if so
> > is there a more reliable alternative?
> >
> > Thanks for your help



Re: [PHP] $HTTP_REFERER

2004-08-05 Thread raditha dissanayake
Shaun wrote:
> Hi,
>
> I seem to have problems redirecting pages when I view my site using my
> laptop, the only difference is that my laptop has Norton Firewall installed,
> can this interfere with the $HTTP_REFERER variable and if so is there a more
> reliable alternative?

Many firewalls and proxies can filter out referer information so it's
not likely to be reliable. Referer details can also be forged.

> Thanks for your help
 


--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 128 KB | with progress bar.


Re: [PHP] $HTTP_REFERER

2004-08-05 Thread Jason Davidson
It's possible norton firewall OR your browser is altering the headers.
how are you redirecting, norton may not allow for some kind of
redirects either.  Try turning norton off, and visiting the page :)  

Jason

"Shaun" <[EMAIL PROTECTED]> wrote: 
> 
> Hi,
> 
> I seem to have problems redirecting pages when I view my site using my
> laptop, the only difference is that my laptop has Norton Firewall installed,
> can this interfere with the $HTTP_REFERER variable and if so is there a more
> reliable alternative?
> 
> Thanks for your help



[PHP] $HTTP_REFERER

2004-08-05 Thread Shaun
Hi,

I seem to have problems redirecting pages when I view my site using my
laptop, the only difference is that my laptop has Norton Firewall installed,
can this interfere with the $HTTP_REFERER variable and if so is there a more
reliable alternative?

Thanks for your help




Re: [PHP] HTTP_REFERER

2004-06-04 Thread Steve Douville
lmao -- uh huh

Problem was that I was using a javascript redirect and of course, that
doesn't send any value. Found that out just a minute ago. Knew the stupid
variable existed...

Think I'll grab the info in js and then redirect it to the php page as part
of the query string.

Thanks,
Steve

- Original Message - 
From: "John Nichel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 04, 2004 2:51 PM
Subject: Re: [PHP] HTTP_REFERER


> Steve Douville wrote:
> > I think I'm having a major brain fart here. Is there a $HTTP_REFERER
> > anymore? It doesn't show up as a server variable or anything at all in
> > phpinfo()... using php 4.3.4
> > 
> > Ideas?
> > 
> > TIA,
> > Steve
> > 
> 
> It has to be set to show up.
> 
> -- 
> John C. Nichel
> KegWorks.com
> 716.856.9675
> [EMAIL PROTECTED]



Re: [PHP] HTTP_REFERER

2004-06-04 Thread John Nichel
Steve Douville wrote:
> I think I'm having a major brain fart here. Is there a $HTTP_REFERER
> anymore? It doesn't show up as a server variable or anything at all in
> phpinfo()... using php 4.3.4
>
> Ideas?
>
> TIA,
> Steve

It has to be set to show up.

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


[PHP] HTTP_REFERER

2004-06-04 Thread Steve Douville
I think I'm having a major brain fart here. Is there a $HTTP_REFERER
anymore? It doesn't show up as a server variable or anything at all in
phpinfo()... using php 4.3.4

Ideas?

TIA,
Steve


Re: [PHP] HTTP_REFERER ... ?

2004-05-06 Thread John Nichel
Curt Zirzow wrote:
> I guess soon firewalls are going to be pouring you cups of coffee
> when it gets empty.
>
> Curt

I hope they offer a Mt. Dew patch. ;)

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Curt Zirzow
* Thus wrote Pablo Gosse ([EMAIL PROTECTED]):
> John Nichel wrote:
> > [EMAIL PROTECTED] wrote:
> >> Sadly, I get nothing...
> >> the other server I'm talking to is owned by our company, it's a
> >> Lotus Domino server... so in theory, they'll be able to enable this
> >> variable to be passed? 
> > 
> > I can never remember one day to the other which it is, but I _think_
> > it's the browser which sets/sends the REFERER, not the referring
> > server. 
> 
> You should avoid using HTTP_REFERER if at all possible.  I found out the
> hard way that some firewalls will change HTTP_REFERER to HTTP_WEFERER,
> obfuscate it some other way, or just not set it.  This can also be done
> by the browser in some cases.

I guess soon firewalls are going to be pouring you cups of coffee
when it gets empty.


Curt
-- 
"I used to think I was indecisive, but now I'm not so sure."




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John Nichel
John W. Holmes wrote:
> From: "Pablo Gosse" <[EMAIL PROTECTED]>
>
> > The following is quoted from a previous post by Chris Shifflet:
> >
> > "Referer is just as easy to spoof as the form data you're expecting."
>
> wait, wait, wait... we CAN'T trust form data? Crap...
>
> ---John Holmes...

Maybe we CAN trust form data if we DON'T trust Chris. ;)

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John W. Holmes
From: "Pablo Gosse" <[EMAIL PROTECTED]>

> The following is quoted from a previous post by Chris Shifflet:
> 
> "Referer is just as easy to spoof as the form data you're expecting."

wait, wait, wait... we CAN'T trust form data? Crap...

---John Holmes...




RE: [PHP] HTTP_REFERER ... ? OT

2004-05-05 Thread Jay Blanchard
[snip]
some firewalls will change HTTP_REFERER to HTTP_WEFERER
[/snip]

That is not a firewall munge, that would be Elmer Fudd's server!

ROFLMFAO! 




RE: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Pablo Gosse
John Nichel wrote:
> [EMAIL PROTECTED] wrote:
>> Sadly, I get nothing...
>> the other server I'm talking to is owned by our company, it's a
>> Lotus Domino server... so in theory, they'll be able to enable this
>> variable to be passed? 
> 
> I can never remember one day to the other which it is, but I _think_
> it's the browser which sets/sends the REFERER, not the referring
> server. 
> 
> --
> John C. Nichel
> KegWorks.com
> 716.856.9675
> [EMAIL PROTECTED]

You should avoid using HTTP_REFERER if at all possible.  I found out the
hard way that some firewalls will change HTTP_REFERER to HTTP_WEFERER,
obfuscate it some other way, or just not set it.  This can also be done
by the browser in some cases.

The following is quoted from a previous post by Chris Shifflet:

"Referer is just as easy to spoof as the form data you're expecting."

HTH.

Pablo




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John Nichel
[EMAIL PROTECTED] wrote:
> Sadly, I get nothing...
> the other server I'm talking to is owned by our company, it's a Lotus
> Domino server...
> so in theory, they'll be able to enable this variable to be passed?

I can never remember one day to the other which it is, but I _think_
it's the browser which sets/sends the REFERER, not the referring server.

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Tristan . Pretty
Sadly, I get nothing...
the other server I'm talking to is owned by our company, it's a Lotus 
Domino server...
so in theory, they'll be able to enable this variable to be passed?





John Nichel <[EMAIL PROTECTED]>
05/05/2004 17:07

To: [EMAIL PROTECTED]
cc:
Subject: Re: [PHP] HTTP_REFERER ... ?

[EMAIL PROTECTED] wrote:
> if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
> // Stuff
> }
> 
> Now why does this not work?
> I wanna assign variables based on certain referers...
> but this is not working?
> 
> Any ideas why?

What do you get when you echo out $_SERVER['HTTP_REFERER']?

-- 
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]






*
The information contained in this e-mail message is intended only for 
the personal and confidential use of the recipient(s) named above.  
If the reader of this message is not the intended recipient or an agent
responsible for delivering it to the intended recipient, you are hereby 
notified that you have received this document in error and that any
review, dissemination, distribution, or copying of this message is 
strictly prohibited. If you have received this communication in error, 
please notify us immediately by e-mail, and delete the original message.
***




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John Nichel
[EMAIL PROTECTED] wrote:
> if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
> // Stuff
> }
>
> Now why does this not work?
> I wanna assign variables based on certain referers...
> but this is not working?
>
> Any ideas why?

What do you get when you echo out $_SERVER['HTTP_REFERER']?

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Daniel Clark
I found this in the manual:

'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the
current page. This is set by the user agent. Not all user agents will set
this, and some provide the ability to modify HTTP_REFERER as a feature. In
short, it cannot really be trusted.

> if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
> // Stuff
> }
>
> Now why does this not work?
> I wanna assign variables based on certain referers...
> but this is not working?
>
> Any ideas why?
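
Why the exact `==` comparison in the question rarely matches, and how to read the header as a hint only, shown as an added example that is not part of the original posts. `referer_host()` and `referer_hint()` are hypothetical names and every header value in the demo is constructed; `HTTP_WEFERER` is the rewritten name reported elsewhere in this thread.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Host part of the Referer header, or null when absent or unparseable.
function referer_host(array $server): ?string
{
    $raw = $server['HTTP_REFERER'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $host = parse_url($raw, PHP_URL_HOST);   // null or false when there is no host
    return is_string($host) ? strtolower($host) : null;
}

// Classify the request for presentation or statistics only. The client
// chooses the header value, so a "known" result is never an access decision.
function referer_hint(array $server, array $knownHosts): string
{
    $host = referer_host($server);
    if ($host === null) {
        return 'unknown';                    // not sent, stripped or mangled
    }
    return in_array($host, $knownHosts, true) ? $host : 'other';
}

// --- demo: constructed header values ---
$samples = [
    'home page'            => ['HTTP_REFERER' => 'http://www.mysite.com/'],
    'deeper page'          => ['HTTP_REFERER' => 'http://www.mysite.com/products/list.html?page=2'],
    'upper-case host'      => ['HTTP_REFERER' => 'http://WWW.MYSITE.COM/'],
    'look-alike host'      => ['HTTP_REFERER' => 'http://www.mysite.com.example.net/'],
    'header not sent'      => [],
    'rewritten by a proxy' => ['HTTP_WEFERER' => 'http://www.mysite.com/'],
];

foreach ($samples as $label => $server) {
    // The comparison from the question, guarded so a missing key raises no notice.
    $strict = (($server['HTTP_REFERER'] ?? null) == 'http://www.mysite.com/');
    printf(
        "%-22s ==: %-5s hint: %s\n",
        $label,
        $strict ? 'true' : 'false',
        referer_hint($server, ['www.mysite.com'])
    );
}
```

Comparing the parsed host instead of the whole string copes with paths, query strings and case, and rejects look-alike hosts that a substring test would accept; it still cannot tell a genuine header from a forged one.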




RE: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Jay Blanchard
[snip]
if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
// Stuff
}

Now why does this not work?
[/snip]

Have you echo'd $_SERVER['HTTP_REFERER'] ?




[PHP] HTTP_REFERER ... ?

2004-05-05 Thread Tristan . Pretty
if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
// Stuff
}

Now why does this not work?
I wanna assign variables based on certain referers...
but this is not working?

Any ideas why?




Re: [PHP] $HTTP_Referer

2003-11-10 Thread Chris Shiflett
--- Josephin Tauschinger <[EMAIL PROTECTED]>
wrote:
> Thank you Chris!

No problem. :-)

> What I did was exactly what Pablo Gosse proposed and, as you stated,
> it didn't work:
> 
> 
> Do you know how I can get my webserver (Apache/Unix) to parse html
> files for php-scripts?

Yes, this can be done, but are you sure this is what you want to do? There
are advantages and disadvantages to both. For example, if you have a lot
of HTML files, and you tell Apache to treat them as PHP, there will be
some work that Apache does for no reason. On the other hand, some people
prefer to hide what server-side technologies (such as PHP) they are
using.

If this is really what you want to do, try adding this to httpd.conf:

AddType application/x-httpd-php .html

Then restart your Web server. Alternatively, just use a .php extension for
PHP scripts. It is likely that your Web server already knows what to do
with these.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




Re: [PHP] $HTTP_Referer

2003-11-06 Thread Chris Shiflett
--- Josephin <[EMAIL PROTECTED]> wrote:
> am a newbie as of yesterday.

Welcome!

> Can't figure out how to get the $HTTP_Referer (own domain) of the page
> entering my form (html), convert it into a variable which is later
> passed on to my formmailer.php for the $subject variable.
> 
> xy.html --->form.html-->formmailer.php
> 
> want the $HTTP_Referer or  HTTP_URI, file only, (of xy.html)
> -->to be forwarded to form.html,
> -->to be converted in a variable,
> -->which is passed on to formmailer.php, which will use it as "subject".

Well, in PHP, you can use $_SERVER['HTTP_REFERER']. However, unless your
Web server is configured to treat form.html as a PHP script (which I
seriously doubt is the case), you will not have access to this information
at that point. So, you can't do what you're describing without the original
POST request (xy.html -> form.html) being to a PHP resource rather than an
HTML one.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




RE: [PHP] $HTTP_Referer

2003-11-06 Thread Pablo Gosse
On Thursday, November 06, 2003 10:31 AM, Josephin wrote:


> xy.html --->form.html-->formmailer.php
>
> want the $HTTP_Referer or  HTTP_URI, file only, (of xy.html)
> -->to be forwarded to form.html,
> -->to be converted in a variable,
> -->which is passed on to formmailer.php, which will use it as "subject".


Hi Josephin.

Simply use $_SERVER['HTTP_REFERER'] to populate a hidden field in your
form.

So,



Cheers,
Pablo




[PHP] $HTTP_Referer

2003-11-06 Thread Josephin
Hi,

am a newbie as of yesterday.
Can't figure out how to get the $HTTP_Referer (own domain) of the page
entering my form (html), convert it into a variable which is later passed on
to my formmailer.php for the $subject variable.

xy.html --->form.html-->formmailer.php

want the $HTTP_Referer or  HTTP_URI, file only, (of xy.html)
-->to be forwarded to form.html,
-->to be converted in a variable,
-->which is passed on to formmailer.php, which will use it as "subject".

Would appreciate your know-how!
Jo




[PHP] HTTP_REFERER

2003-09-11 Thread Louie Miranda
Does php support this? HTTP_REFERER
or simply cgi and ssi only?

-
Louie




Re: [PHP] $HTTP_REFERER / Hijacking

2003-09-06 Thread Curt Zirzow
* Thus wrote John Taylor-Johnston ([EMAIL PROTECTED]):
> 
> The problem is I noticed a friend was getting the hijacking message.
> I had him clean his cache and reload, but no luck.
> 
> I wondered why he got that message, so I echoed $HTTP_REFERER to see what his IE6.x 
> was spewing out. The result was:
> 
> $HTTP_REFERER =""
> 
> Anyone suggest a work around? Another variable maybe? I don't need it, but want that 
> functionality in this counter:
> if(stristr($HTTP_REFERER,"district"))


> 
> I do need this functionality, however, on another site, where two URLS share the 
> same index.html on the same Apache server. One displays info one way for one URL, 
> the other another way for a different URL.

The referer isn't guaranteed to be there, and there really isn't a
way around the problem.  

Ideally, if it's possible, have the user use a server side include instead
of javascript.  That will guarantee no hijacking and also the
counter still will get displayed even if the end-user has javascript
off.

Either way keep the referrer checking in there, most people have
that setting on so only a select few wouldn't get counted.


Curt
-- 
"I used to think I was indecisive, but now I'm not so sure."




[PHP] $HTTP_REFERER / Hijacking

2003-09-06 Thread John Taylor-Johnston
This is kind of old-fashioned, but I created a counter that prevents hijacking.
"district" is a partial of the word in the URL. If it does not exist, echoes hijacking 
...

snip---
if(stristr($HTTP_REFERER,"district"))
{
    #...
    #echo "document.write(\"$num_rows visitors since August 23, 2003\");";
    echo "document.write(\"$num_rows visitors since August 23, 2003 referred from: $HTTP_REFERER\");";
}else{
    echo "document.write(\"No hijacking from ".$_ENV["HOSTNAME"].", merci. \");";
}
snip---

The problem is I noticed a friend was getting the hijacking message.
I had him clean his cache and reload, but no luck.

I wondered why he got that message, so I echoed $HTTP_REFERER to see what his IE6.x 
was spewing out. The result was:

$HTTP_REFERER =""

Anyone suggest a work around? Another variable maybe? I don't need it, but want that 
functionality in this counter:
if(stristr($HTTP_REFERER,"district"))

I do need this functionality, however, on another site, where two URLS share the same 
index.html on the same Apache server. One displays info one way for one URL, the other 
another way for a different URL.

P.S., I'm using the Javascript document.write because this site is not on a PHP 
server, so I used this code to help the non-PHP site out:





Re: [PHP] HTTP_REFERER reliability

2003-03-16 Thread Leif K-Brooks
Anyone can send any referer (sic) header to your script.  It shouldn't 
be used for checking if someone is trying to hack the script, but it 
should be fine in your case.

rotsky wrote:

> I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here.
> If the user enters valid login details, the session vars are set and they
> are bounced automatically back to the original page - which is fab. But the
> manual says that HTTP_REFERER is unreliable, so I'm intrigued to know
> exactly what the problems are. Any ideas?


 

--
The above message is encrypted with double rot13 encoding.  Any unauthorized attempt 
to decrypt it will be prosecuted to the full extent of the law.




Re: [PHP] HTTP_REFERER reliability

2003-03-16 Thread Marek Kilimajer
As you are already using sessions, you can store the original page in a 
session variable

rotsky wrote:

I have a small login form on the home page of my site. At the moment, when
people enter their user details and hit 'send', they go to another page
which checks their details and, if they are successful, prints a welcome
message. The problem is, they are now on this page and have to work their
way back to the home page. I can provide a link for this, of course, but
that limits the number of pages that can have such a login panel, because I
have to hand-code the return link.
I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here.
If the user enters valid login details, the session vars are set and they
are bounced automatically back to the original page - which is fab. But the
manual says that HTTP_REFERER is unreliable, so I'm intrigued to know
exactly what the problems are. Any ideas?
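
The session-variable approach suggested in this reply, as an added example that is not code from the thread. The function names and the 'return_to' session key are assumptions; the stored value is still validated before the redirect because REQUEST_URI is whatever request target the client sent.

```php
<?php
// Added example, not code from the thread. The function names and the
// 'return_to' session key are assumptions made for this illustration.

/**
 * Return $candidate only if it is a same-site absolute path such as
 * "/news.php?id=3"; otherwise return $fallback.
 */
function safe_return_to($candidate, string $fallback = '/'): string
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Must begin with exactly one "/". "//host" and "/\host" are read by
    // browsers as another site, and "http://host" is an absolute URL.
    if ($candidate[0] !== '/') {
        return $fallback;
    }
    if (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $fallback;
    }
    // Control characters (CR/LF included) have no place in a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate) === 1) {
        return $fallback;
    }
    return $candidate;
}

/** Call on every page that carries the login panel, after session_start(). */
function remember_return_to(): void
{
    // Stored as received; it is validated at the point of use.
    $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
}

/** Call in the login handler once the credentials have been verified. */
function redirect_after_login(): void
{
    $target = safe_return_to($_SESSION['return_to'] ?? null);
    unset($_SESSION['return_to']);
    header('Location: ' . $target, true, 303);
    exit;
}

// Constructed sample values; run from the command line to see the mapping.
if (PHP_SAPI === 'cli') {
    $samples = [
        '/news.php?id=3',            // ordinary page on this site
        '//other.example/landing',   // scheme-relative URL
        '/\\other.example',          // backslash variant of the same
        'http://other.example/',     // absolute URL
        "/a\r\nSet-Cookie: x=1",     // CR/LF inside the value
        null,                        // login page opened directly
    ];
    foreach ($samples as $s) {
        printf("%-30s => %s\n", json_encode($s), safe_return_to($s));
    }
}
```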


 





Re: [PHP] HTTP_REFERER reliability

2003-03-16 Thread Dan Hardiker

> But the manual says that HTTP_REFERER is unreliable, so I'm
> intrigued to know exactly what the problems are. Any ideas?

The HTTP_REFERER field is retrieved from the "HTTP Referer:" header as
used in the HTTP protocol. This field is set entirely by the client
browser / application retrieving the data. There is nothing to stop the
client from adding malformed, incorrect or spoof data into this field -
and thus possibly faking entry to the data you are protecting.

You cannot rely on this field to be accurate, correct or even populated.


-- 
Dan Hardiker [EMAIL PROTECTED]
ADAM Software & Systems Engineer
First Creative





[PHP] HTTP_REFERER reliability

2003-03-16 Thread rotsky
I have a small login form on the home page of my site. At the moment, when
people enter their user details and hit 'send', they go to another page
which checks their details and, if they are successful, prints a welcome
message. The problem is, they are now on this page and have to work their
way back to the home page. I can provide a link for this, of course, but
that limits the number of pages that can have such a login panel, because I
have to hand-code the return link.

I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here.
If the user enters valid login details, the session vars are set and they
are bounced automatically back to the original page - which is fab. But the
manual says that HTTP_REFERER is unreliable, so I'm intrigued to know
exactly what the problems are. Any ideas?






RE: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Don Read

On 10-Mar-2003 Tom Woody wrote:
> I am working on a simple authentication script, where the user submits a
> login and password, the credentials are checked and the user is
> redirected to another script.  The new script checks the HTTP_REFERER
> and if its the original script it continues, otherwise it stops with a
> message about being unauthorized.
> 
> What kind of security implications may I be backing myself into?  I want
> to try and stay away from cookies, and as small as this is I think
> Session management is a little overkill.  The average user isn't going
> to spend much more than 1 or 2 minutes on the site (not much for them to
> see or do).  I have seen this method used on other sites, but I prefer
> to check with the experts first.
> 

If they use a proxy that doesn't send HTTP_REFERER, it'll break things. 
My numbers say it happens about 15% of the time:

mysql> select count(*) from hit where urlid=0;
+----------+
| count(*) |
+----------+
|    83082 |
+----------+
1 row in set (0.53 sec)

mysql> select count(*) from hit;
+----------+
| count(*) |
+----------+
|   541557 |
+----------+
1 row in set (0.00 sec)


Since you don't want to use sessions, maybe 401 WWW-authenticate method
would work better for your application.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.




Re: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Kevin Stone
- Original Message -
From: "Tom Woody" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 10, 2003 9:53 AM
Subject: [PHP] HTTP_REFERER security implications?


> I am working on a simple authentication script, where the user submits a
> login and password, the credentials are checked and the user is
> redirected to another script.  The new script checks the HTTP_REFERER
> and if its the original script it continues, otherwise it stops with a
> message about being unauthorized.
>
> What kind of security implications may I be backing myself into?  I want
> to try and stay away from cookies, and as small as this is I think
> Session management is a little overkill.  The average user isn't going
> to spend much more than 1 or 2 minutes on the site (not much for them to
> see or do).  I have seen this method used on other sites, but I prefer
> to check with the experts first.
>
> thanks,
>
> --
> Tom

Yes I have read that the HTTP_REFERER can easily be faked by controlling the
name on a proxyserver (although I have never done so myself).  Once set up
all you have to do is post through an identical form and voila, you're in.  A
good analogy of the level of security we're talking about is a common door
lock... enough to keep out the casual individual but a thief can enter with
little or no trouble.  And isn't it the thieves you're worried about?
-Kevin






[PHP] HTTP_REFERER security implications?

2003-03-10 Thread Tom Woody
I am working on a simple authentication script, where the user submits a
login and password, the credentials are checked and the user is
redirected to another script.  The new script checks the HTTP_REFERER
and if its the original script it continues, otherwise it stops with a
message about being unauthorized.

What kind of security implications may I be backing myself into?  I want
to try and stay away from cookies, and as small as this is I think
Session management is a little overkill.  The average user isn't going
to spend much more than 1 or 2 minutes on the site (not much for them to
see or do).  I have seen this method used on other sites, but I prefer
to check with the experts first.

thanks,

-- 
Tom




Re: [PHP] HTTP_REFERER work without a problem....

2003-01-16 Thread Scott Fletcher
IP address is not an effective solution.  Anyone can use a 2nd browser on
the same machine.  Also, if for a company with 1000 machine behind the
firewall, they all get one and the same IP address outside the firewall.


"Kevin Stone" <[EMAIL PROTECTED]> wrote in message
news:00a701c2bcdd$316349a0$6601a8c0@kevin...
> You can never fully rely on any information given to you by the browser.
> You can't rely it being accurate or even being there at all.  What I suggest
> to you is code a solution around the IP address.  The IP address of course,
> like any information coming from the client, can be tampered with but more
> than likely it's not going to change while the user is browsing your
> website.  Right?  So you just use it as a temporary ID.  Log the IP to the
> database, track the IP's movements on your website, log those actions to a
> database.  That's the best way to do it without having to force the user to
> login.  If you're concerned about people browsing from network IP then code
> a solution using Sessions and track the session id.  And finally if you need
> to know that a client has 'returned' to your website set a cookie on their
> computer.  I'm sure you'll find ways to elaborate from there.  You can do
> all of this without requiring the user to "login".
> -Kevin
>
> - Original Message -
> From: "Scott Fletcher" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 15, 2003 2:07 PM
> Subject: Re: [PHP] HTTP_REFERER work without a problem
>
>
> > It's not a PHP bug.  Many PHP programmer tried to their best to use
> > HTTP_REFERER so they can keep track of which webpages on the current website
> > did the user last visited.  That way, they can keep out the unauthorized
> > access to the website without first logging in to the website.
> >
> > Well, my company's website use both SSL and Session ID.  They are good for
> > starter but they aren't any secure if anyone can make a direct access
> > without logging in.  That's where I use HTTP_REFERER to see what last page
> > did he or she visited, if the last page being visited is outside of my
> > company's website then php moved the end user to the login page.  It is
> > pretty effective.
> >
> > The common problem with the browsers is that they aren't compatible so
> > HTTP_REFERER don't always work right and sometimes return a blank if those
> > three are being used.  I had been observing it for a few years.  Those three
> > are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
> > either one of these are in use, some browsers return with a blank in
> > HTTP_REFERER.
> >
> > Cheers
> >
> > "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > > > Here's what I found so interesting
> > > >
> > > > This code, $_SERVER['HTTP_REFERER'] have worked without a
> > > > problem when I use the latest Mozilla build. It even work
> > > > with the HierMenus, location.replace('http://whatever.com'),
> > > > and location.href = http://whatever.com...
> > > >
> > > > This is a good news for PHP everywhere.
> > > >
> > > > Unfortunately, Internet Explorer still have this
> > > > bug...
> > >
> > > What bug is that?
> > >
> > > Is there a question here somewhere? I think I am having a
> > > hard time interpreting it.
> > >
> > > Chris
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-16 Thread Jason Wong
On Thursday 16 January 2003 05:38, Scott Fletcher wrote:
> Or worse, not substituting the characters in the Session ID.  Just use the
> same Session ID.  What if there is leftover session file in the /tmp
> directory of the Unix machine and we're dealing with hundred of users each
> day.  Some of those session files aren't deleted because the user just
> closed the browser without logging out.  It is unfortunate that there is no
> better solution to this.

I've been sort of following this thread and as I understand it you're trying 
to use HTTP_REFERER to ascertain whether a user has 'logged in'? IE if 
HTTP_REFERER isn't the login page then they haven't 'logged in'? 

If that is the case then you should know that this provides no security at 
all.

Use a proper authentication system based on sessions.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
If Robert Di Niro assassinates Walter Slezak, will Jodie Foster marry Bonzo??
*/






Re: Fw: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Kevin Stone
Chris I appreciate your response but please read my post again.  I did not
suggest using the IP for user identification.  I suggested using it as a
temporary id.  I went on further to suggest to use sessions to identify
individual users behind a proxy server.
-Kevin


- Original Message -
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: "Kevin Stone" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 15, 2003 2:37 PM
Subject: Re: Fw: [PHP] HTTP_REFERER work without a problem


> --- Kevin Stone <[EMAIL PROTECTED]> wrote:
> > What I suggest to you is code a solution around the IP
> > address. The IP address of course, like any information
> > coming from the client, can be tampered with but more
> > than likely it's not going to change while the user is
> > browsing your website. Right?
>
> Sorry to disagree, but this is incorrect. The IP address is
> a terrible metric for client identification. I mean, it is
> absolutely terrible.
>
> Yes, it is easier for a potential attacker to spoof
> information at the HTTP level than the TCP/IP level, but
> that is no defense.
>
> More (most?) importantly, there are two situations where
> you will run into trouble with legitimate users who are
> just trying to use your site:
>
> 1. The users are behind an HTTP proxy, which is a very
> popular configuration for business environments. Thus, the
> IP address will be that of the HTTP proxy, not the client.
> Many people will appear to be the same person.
>
> 2. The users are behind a round-robin HTTP proxy, such as
> all AOL users (a large number of Web users). One person can
> appear to be many different people.
>
> Anyway, I hated to let that one go. Again, sorry to
> disagree, but relying on an IP address for client
> identification can lead to some very frustrating problems
> for inexperienced developers.
>
> Chris
>
>







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
Here's one way I can do, I checked the session id in the HTTP_REFERER and
grab the existing session id in the database table.  This is still not an
effective method.

"Christoph Grottolo" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Chris Shiflett) wrote:
>
> >--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> >> Many PHP programmer tried to their best to use
> >> HTTP_REFERER so they can keep track of which
> >> webpages on the current website did the user
> >> last visited.
> >
> >I think I see what you are referring to now.
> >
> >The reason that many people (myself included) discourage
> >the use of REFERER for this purpose is not only because
> >support is inconsistent, but also because it is not
> >required that a Web client send this header. In fact, the
> >only required header in the latest version of HTTP (1.1) is
> >the Host header. So, it really boils down to not depending
> >on something that is not guaranteed to be there.
>
> It's even dangerous to rely on HTTP_REFERER because it's not under your
> control. The client could set the HTTP headers itself (e.g. a php
> script using CURL, www.php.net/curl). You should at least combine the
> REFERER check with a valid session on your host or look for a
> corresponding log entry or something alike.
>
> Christoph







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
I understand.  To combine the Session Id with HTTP_REFERER sound good but it
didn't work too well.  I'm still open to idea...   :-)   Fortunately, not
many people know it because it is done behind the scene, so they'll have a
lot more to guess about what's working behind the scene.



"Christoph Grottolo" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Chris Shiflett) wrote:
>
> >--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> >> Many PHP programmer tried to their best to use
> >> HTTP_REFERER so they can keep track of which
> >> webpages on the current website did the user
> >> last visited.
> >
> >I think I see what you are referring to now.
> >
> >The reason that many people (myself included) discourage
> >the use of REFERER for this purpose is not only because
> >support is inconsistent, but also because it is not
> >required that a Web client send this header. In fact, the
> >only required header in the latest version of HTTP (1.1) is
> >the Host header. So, it really boils down to not depending
> >on something that is not guaranteed to be there.
>
> It's even dangerous to rely on HTTP_REFERER because it's not under your
> control. The client could set the HTTP headers itself (e.g. a php
> script using CURL, www.php.net/curl). You should at least combine the
> REFERER check with a valid session on your host or look for a
> corresponding log entry or something alike.
>
> Christoph







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
That sound wonderful!!!  I'm looking forward to hearing about this in the
near future...

Thanks,
 Scott F.

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > Or worse, not substituting the characters in the
> > Session ID. Just use the same Session ID. What if
> > there is leftover session file in the /tmp
> > directory of the Unix machine and we're dealing
> > with hundred of users each day. Some of those
> > session files aren't deleted because the user
> > just closed the browser without logging out. It
> > is unfortunate that there is no better solution to
> > this.
>
> Actually, there is a better solution.
>
> Your observations are perfectly valid and correct. If the
> session ID is given complete trust (which is the case for
> many people, unfortunately, especially with the default
> configuration for sessions), then there are many security
> risks. Given your observations, I think you are on the
> right track to developing more secure state and session
> management mechanisms yourself.
>
> I am actually considering submitting a proposal to speak
> about this topic (well, Web application security with PHP
> in general) at OSCON and perhaps the PHP Conference coming
> in May. The reason that many people are hesitant to offer
> solutions is because no solution is perfectly secure. There
> are, however, many reliable methods you can use that will
> not adversely affect your legitimate users in any way and
> make life a bit harder for the bad guys.
>
> A common example I give just to get you going is that you
> can store the user agent in a session variable. While all
> Web clients may not send the User-Agent header, you can be
> assured that those that do will send the same User-Agent
> header for every request. Verifying this against the
> session variable can at least prevent the copy/paste from
> an email attack that you mentioned unless the attacker
> replicates the exact same User-Agent header.
>
> Anyway, you have very valid points. Hopefully I will get
> the chance to speak about this in more depth at a
> conference soon, and if not, I will probably at least write
> an article on it.
>
> Chris







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Chris Shiflett
--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> Or worse, not substituting the characters in the
> Session ID. Just use the same Session ID. What if
> there is leftover session file in the /tmp
> directory of the Unix machine and we're dealing
> with hundred of users each day. Some of those
> session files aren't deleted because the user
> just closed the browser without logging out. It
> is unfortunate that there is no better solution to
> this.

Actually, there is a better solution.

Your observations are perfectly valid and correct. If the
session ID is given complete trust (which is the case for
many people, unfortunately, especially with the default
configuration for sessions), then there are many security
risks. Given your observations, I think you are on the
right track to developing more secure state and session
management mechanisms yourself.

I am actually considering submitting a proposal to speak
about this topic (well, Web application security with PHP
in general) at OSCON and perhaps the PHP Conference coming
in May. The reason that many people are hesitant to offer
solutions is because no solution is perfectly secure. There
are, however, many reliable methods you can use that will
not adversely affect your legitimate users in any way and
make life a bit harder for the bad guys.

A common example I give just to get you going is that you
can store the user agent in a session variable. While all
Web clients may not send the User-Agent header, you can be
assured that those that do will send the same User-Agent
header for every request. Verifying this against the
session variable can at least prevent the copy/paste from
an email attack that you mentioned unless the attacker
replicates the exact same User-Agent header.

Anyway, you have very valid points. Hopefully I will get
the chance to speak about this in more depth at a
conference soon, and if not, I will probably at least write
an article on it.

Chris
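
An added example (not code from the thread) of the session-based login gate recommended in this thread in place of a Referer comparison, with the User-Agent check described above and an idle timeout for sessions abandoned without logging out. The function names, the 30-minute limit and /login.php are assumptions.

```php
<?php
// Added example, not code from the thread. Function names, the 30-minute
// idle limit and /login.php are assumptions made for this illustration.

const IDLE_LIMIT = 1800; // seconds without a request before login is required

/** Call at the top of every script, before any output. */
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs this server never issued
    ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in the URL
    ini_set('session.use_trans_sid', '0');    // never append the ID to links
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT); // let GC drop stale files
    session_set_cookie_params([               // array form needs PHP 7.3+
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

/** Hash of the User-Agent header, or of '' when the client sent none. */
function ua_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', is_string($ua) ? $ua : '');
}

/** Call once, right after the password check succeeded. */
function log_in(string $userId): void
{
    session_regenerate_id(true); // fresh ID at the privilege change
    $_SESSION['user_id']   = $userId;
    $_SESSION['ua']        = ua_fingerprint($_SERVER);
    $_SESSION['last_seen'] = time();
}

/** Pure check, so it can be exercised without a web server. */
function session_is_valid(array $session, array $server, int $now): bool
{
    if (!isset($session['user_id'], $session['ua'], $session['last_seen'])) {
        return false; // an ID alone, without a completed login, grants nothing
    }
    if ($now - (int) $session['last_seen'] > IDLE_LIMIT) {
        return false; // abandoned session
    }
    return hash_equals((string) $session['ua'], ua_fingerprint($server));
}

/** Gate for protected pages; takes the place of any Referer comparison. */
function require_login(): void
{
    if (!session_is_valid($_SESSION, $_SERVER, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php', true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// Constructed sample data; run from the command line to see each decision.
if (PHP_SAPI === 'cli') {
    $now     = 1000000;
    $browser = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0 (constructed)'];
    $other   = ['HTTP_USER_AGENT' => 'OtherClient/2.0 (constructed)'];
    $session = ['user_id' => 'alice', 'ua' => ua_fingerprint($browser),
                'last_seen' => $now - 60];

    $cases = [
        'same browser, recent request'    => [$session, $browser, $now],
        'session ID used by other client' => [$session, $other, $now],
        'same browser after idle limit'   => [$session, $browser, $now + IDLE_LIMIT],
        'ID presented without a login'    => [[], $browser, $now],
    ];
    foreach ($cases as $label => [$s, $srv, $t]) {
        printf("%-34s %s\n", $label,
            session_is_valid($s, $srv, $t) ? 'allowed' : 'login required');
    }
}
```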





Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Christoph Grottolo
[EMAIL PROTECTED] (Chris Shiflett) wrote:

>--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
>> Many PHP programmer tried to their best to use
>> HTTP_REFERER so they can keep track of which
>> webpages on the current website did the user
>> last visited.
>
>I think I see what you are referring to now.
>
>The reason that many people (myself included) discourage
>the use of REFERER for this purpose is not only because
>support is inconsistent, but also because it is not
>required that a Web client send this header. In fact, the
>only required header in the latest version of HTTP (1.1) is
>the Host header. So, it really boils down to not depending
>on something that is not guaranteed to be there.

It's even dangerous to rely on HTTP_REFERER because it's not under your
control. The client could set the HTTP headers itself (e.g. a php
script using CURL, www.php.net/curl). You should at least combine the
REFERER check with a valid session on your host or look for a
corresponding log entry or something alike.

Christoph





Re: Fw: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Chris Shiflett
--- Kevin Stone <[EMAIL PROTECTED]> wrote:
> What I suggest to you is code a solution around the IP
> address. The IP address of course, like any information
> coming from the client, can be tampered with but more
> than likely it's not going to change while the user is
> browsing your website. Right?

Sorry to disagree, but this is incorrect. The IP address is
a terrible metric for client identification. I mean, it is
absolutely terrible.

Yes, it is easier for a potential attacker to spoof
information at the HTTP level than the TCP/IP level, but
that is no defense.

More (most?) importantly, there are two situations where
you will run into trouble with legitimate users who are
just trying to use your site:

1. The users are behind an HTTP proxy, which is a very
popular configuration for business environments. Thus, the
IP address will be that of the HTTP proxy, not the client.
Many people will appear to be the same person.

2. The users are behind a round-robin HTTP proxy, such as
all AOL users (a large number of Web users). One person can
appear to be many different people.

Anyway, I hated to let that one go. Again, sorry to
disagree, but relying on an IP address for client
identification can lead to some very frustrating problems
for inexperienced developers.

Chris





Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
Or worse, not substituting the characters in the Session ID.  Just use the
same Session ID.  What if there is leftover session file in the /tmp
directory of the Unix machine and we're dealing with hundred of users each
day.  Some of those session files aren't deleted because the user just
closed the browser without logging out.  It is unfortunate that there is no
better solution to this.

"Scott Fletcher" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> That wouldn't work if there is already a Session ID, so that's where
> HTTP_REFERER come into play.
>
> Try it out by logging to any webpages with Session ID.  Then copy the URL
> address with the Session ID already there.  Paste it into an email and send
> it to a different computer.  On the new computer, substitute a couple of
> alpha-numeric characters with a different one.  Like replace any of the 5
> characters with a different 5 characters.  Finally, copy the URL address
> with the alter Session ID and paste it into the URL address of a browser and
> press enter.  You'll find yourself being able to access the website without
> logging in.  The $_SESSION data would not exist but it gave the hacker what
> they need to break in and hacker aren't pretty dumb, they can figure out to
> make it work along the way.
>
> What so ironic is that the SSL can be established anyway.
>
>
> "Paul Roberts" <[EMAIL PROTECTED]> wrote in message
> news:021c01c2bcda$d007cde0$28ef86d9@laptop1...
> try looking at sessions,
>
> if they don't have a login session id send them to the login page otherwise
> they are logged in so let them see the page.
>
> works for me
>
> Best Wishes & Happy New Year
>
> Paul Roberts
> [EMAIL PROTECTED]
> ++++++++
> - Original Message -
> From: "Scott Fletcher" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 15, 2003 9:07 PM
> Subject: Re: [PHP] HTTP_REFERER work without a problem
>
>
> It's not a PHP bug.  Many PHP programmer tried to their best to use
> HTTP_REFERER so they can keep track of which webpages on the current website
> did the user last visited.  That way, they can keep out the unauthorized
> access to the website without first logging in to the website.
>
> Well, my company's website use both SSL and Session ID.  They are good for
> starter but they aren't any secure if anyone can make a direct access
> without logging in.  That's where I use HTTP_REFERER to see what last page
> did he or she visited, if the last page being visited is outside of my
> company's website then php moved the end user to the login page.  It is
> pretty effective.
>
> The common problem with the browsers is that they aren't compatible so
> HTTP_REFERER don't always work right and sometimes return a blank if those
> three are being used.  I had been observing it for a few years.  Those three
> are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
> either one of these are in use, some browsers return with a blank in
> HTTP_REFERER.
>
> Cheers
>
> "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > > Here's what I found so interesting
> > >
> > > This code, $_SERVER['HTTP_REFERER'] have worked without a
> > > problem when I use the latest Mozilla build. It even work
> > > with the HierMenus, location.replace('http://whatever.com'),
> > > and location.href = http://whatever.com...
> > >
> > > This is a good news for PHP everywhere.
> > >
> > > Unfortunately, Internet Explorer still have this
> > > bug...
> >
> > What bug is that?
> >
> > Is there a question here somewhere? I think I am having a
> > hard time interpreting it.
> >
> > Chris
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
>
>
>







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
I agree with you on that.  Having something that is reliable is not a bad
idea.  Anyway, this HTTP_REFERER script have been in use for 4 years and we
sometime very little have problem with it.  If the HTTP_REFERER doesn't work
then all the user will experienced is a direct access attempt and be brought
to the login page, it's part of the fail-safe code.  I haven't come up with
an alternative to HTTP_REFERER that work even better than this.  So, better
safe than sorry.  :-)

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > Many PHP programmer tried to their best to use
> > HTTP_REFERER so they can keep track of which
> > webpages on the current website did the user
> > last visited.
>
> I think I see what you are referring to now.
>
> The reason that many people (myself included) discourage
> the use of REFERER for this purpose is not only because
> support is inconsistent, but also because it is not
> required that a Web client send this header. In fact, the
> only required header in the latest version of HTTP (1.1) is
> the Host header. So, it really boils down to not depending
> on something that is not guaranteed to be there.
>
> More reliable solutions usually incorporate some sort of
> shared secret between the client and the server. For
> example, say you have a form located at foo.php that
> submits to bar.php. Rather than checking the REFERER on
> bar.php to make sure it is foo.php, it is better to include
> a hidden form field on foo.php that is dynamically
> generated and stored in the user's session. You can be
> assured that the hidden form field will be included with
> the other form elements, so you can compare it to the value
> stored in the user's session and not run the risk of it
> being absent or blank (for the legitimate user, the good
> guy).
>
> Of course, this is just one example of many, but the point
> is that you need to rely on something that is reliable. :-)
>
> Chris
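
The foo.php / bar.php hidden-field check described in the quoted message, as an added example that is not code from the thread. The function names and the 'form_token' field and session key are assumptions; both pages are assumed to have called session_start().

```php
<?php
// Added example, not code from the thread. foo.php and bar.php are the page
// names used in the quoted message; the function names and the 'form_token'
// field and session key are assumptions made for this illustration.

/** foo.php: create (or reuse) the per-session secret for the form. */
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32)); // 64 hex characters
    }
    return $_SESSION['form_token'];
}

/** foo.php: the form, with the secret in a hidden field. */
function render_form(): string
{
    $token = htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="bar.php">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<input type="text" name="comment">'
         . '<input type="submit" value="Send">'
         . '</form>';
}

/**
 * bar.php: true only when the submitted field matches the session copy.
 * $submitted comes straight from $_POST, so it may be missing or an array.
 */
function check_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    if (!hash_equals($expected, $submitted)) { // constant-time comparison
        return false;
    }
    unset($_SESSION['form_token']);            // one submission per token
    return true;
}

/** bar.php: refuse the request unless the token checks out. */
function handle_post(array $post): string
{
    if (!check_form_token($post['form_token'] ?? null)) {
        http_response_code(403);
        return 'Form expired or not submitted from this site.';
    }
    $comment = is_string($post['comment'] ?? null) ? $post['comment'] : '';
    return 'Accepted: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

// Constructed walk-through; run from the command line.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];                // stands in for session_start()
    $token = form_token();         // what foo.php would embed in the form
    $attempts = [
        'field absent'            => null,
        'array instead of string' => ['x'],
        'guessed value'           => str_repeat('0', 64),
        'value from the form'     => $token,
        'same value sent again'   => $token,
    ];
    foreach ($attempts as $label => $submitted) {
        printf("%-26s %s\n", $label,
            check_form_token($submitted) ? 'accepted' : 'rejected');
    }
}
```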







Fw: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Kevin Stone
You can never fully rely on any information given to you by the browser.
You can't rely it being accurate or even being there at all.  What I suggest
to you is code a solution around the IP address.  The IP address of course,
like any information coming from the client, can be tampered with but more
than likely it's not going to change while the user is browsing your
website.  Right?  So you just use it as a temporary ID.  Log the IP to the
database, track the IP's movements on your website, log those actions to a
database.  That's the best way to do it without having to force the user to
login.  If you're concerned about people browsing from network IP then code
a solution using Sessions and track the session id.  And finally if you need
to know that a client has 'returned' to your website set a cookie on their
computer.  I'm sure you'll find ways to elaborate from there.  You can do
all of this without requiring the user to "login".
-Kevin

- Original Message -
From: "Scott Fletcher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 15, 2003 2:07 PM
Subject: Re: [PHP] HTTP_REFERER work without a problem


> It's not a PHP bug.  Many PHP programmers tried their best to use
> HTTP_REFERER so they can keep track of which webpages on the current
> website the user last visited.  That way, they can keep out the
> unauthorized access to the website without first logging in to the website.
>
> Well, my company's website uses both SSL and Session ID.  They are good for
> starters but they aren't any secure if anyone can make a direct access
> without logging in.  That's where I use HTTP_REFERER to see what last page
> he or she visited; if the last page being visited is outside of my
> company's website then php moves the end user to the login page.  It is
> pretty effective.
>
> The common problem with the browsers is that they aren't compatible so
> HTTP_REFERER doesn't always work right and sometimes returns a blank if those
> three are being used.  I had been observing it for a few years.  Those
> three are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
> either one of these is in use, some browsers return with a blank in
> HTTP_REFERER.
>
> Cheers
>
> "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > > Here's what I found so interesting
> > >
> > > This code, $_SERVER['HTTP_REFERER'] has worked without a
> > > problem when I use the latest Mozilla build. It even works
> > > with the HierMenus,
> > > location.replace('http://whatever.com'),
> > > and location.href = http://whatever.com...
> > >
> > > This is good news for PHP everywhere.
> > >
> > > Unfortunately, Internet Explorer still has this
> > > bug...
> >
> > What bug is that?
> >
> > Is there a question here somewhere? I think I am having a
> > hard time interpreting it.
> >
> > Chris
>
>
>
>
>







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Chris Shiflett
--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> Many PHP programmers tried their best to use
> HTTP_REFERER so they can keep track of which
> webpages on the current website the user
> last visited.

I think I see what you are referring to now.

The reason that many people (myself included) discourage
the use of REFERER for this purpose is not only because
support is inconsistent, but also because it is not
required that a Web client send this header. In fact, the
only required header in the latest version of HTTP (1.1) is
the Host header. So, it really boils down to not depending
on something that is not guaranteed to be there.

More reliable solutions usually incorporate some sort of
shared secret between the client and the server. For
example, say you have a form located at foo.php that
submits to bar.php. Rather than checking the REFERER on
bar.php to make sure it is foo.php, it is better to include
a hidden form field on foo.php that is dynamically
generated and stored in the user's session. You can be
assured that the hidden form field will be included with
the other form elements, so you can compare it to the value
stored in the user's session and not run the risk of it
being absent or blank (for the legitimate user, the good
guy).

Of course, this is just one example of many, but the point
is that you need to rely on something that is reliable. :-)

Chris





Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
That wouldn't work if there is already a Session ID, so that's where
HTTP_REFERER come into play.

Try it out by logging in to any webpage with a Session ID.  Then copy the URL
address with the Session ID already there.  Paste it into an email and send
it to a different computer.  On the new computer, substitute a couple of
alpha-numeric characters with different ones.  Like replace any of the 5
characters with a different 5 characters.  Finally, copy the URL address
with the altered Session ID and paste it into the URL address of a browser and
press enter.  You'll find yourself being able to access the website without
logging in.  The $_SESSION data would not exist but it gave the hacker what
they need to break in and hackers aren't pretty dumb, they can figure out how to
make it work along the way.

What's so ironic is that the SSL can be established anyway.


"Paul Roberts" <[EMAIL PROTECTED]> wrote in message
news:021c01c2bcda$d007cde0$28ef86d9@laptop1...
try looking at sessions,

if they don't have a login session id send them to the login page otherwise
they are logged in so let them see the page.

works for me

Best Wishes & Happy New Year

Paul Roberts
[EMAIL PROTECTED]

- Original Message -
From: "Scott Fletcher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 15, 2003 9:07 PM
Subject: Re: [PHP] HTTP_REFERER work without a problem


It's not a PHP bug.  Many PHP programmers tried their best to use
HTTP_REFERER so they can keep track of which webpages on the current website
the user last visited.  That way, they can keep out the unauthorized
access to the website without first logging in to the website.

Well, my company's website uses both SSL and Session ID.  They are good for
starters but they aren't any secure if anyone can make a direct access
without logging in.  That's where I use HTTP_REFERER to see what last page
he or she visited; if the last page being visited is outside of my
company's website then php moves the end user to the login page.  It is
pretty effective.

The common problem with the browsers is that they aren't compatible so
HTTP_REFERER doesn't always work right and sometimes returns a blank if those
three are being used.  I had been observing it for a few years.  Those three
are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
either one of these is in use, some browsers return with a blank in
HTTP_REFERER.

Cheers

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > Here's what I found so interesting
> >
> > This code, $_SERVER['HTTP_REFERER'] has worked without a
> > problem when I use the latest Mozilla build. It even works
> > with the HierMenus,
> > location.replace('http://whatever.com'),
> > and location.href = http://whatever.com...
> >
> > This is good news for PHP everywhere.
> >
> > Unfortunately, Internet Explorer still has this
> > bug...
>
> What bug is that?
>
> Is there a question here somewhere? I think I am having a
> hard time interpreting it.
>
> Chris













Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Paul Roberts
try looking at sessions, 

if they don't have a login session id send them to the login page otherwise they are 
logged in so let them see the page.

works for me

Best Wishes & Happy New Year

Paul Roberts
[EMAIL PROTECTED]

- Original Message - 
From: "Scott Fletcher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 15, 2003 9:07 PM
Subject: Re: [PHP] HTTP_REFERER work without a problem


It's not a PHP bug.  Many PHP programmers tried their best to use
HTTP_REFERER so they can keep track of which webpages on the current website
the user last visited.  That way, they can keep out the unauthorized
access to the website without first logging in to the website.

Well, my company's website uses both SSL and Session ID.  They are good for
starters but they aren't any secure if anyone can make a direct access
without logging in.  That's where I use HTTP_REFERER to see what last page
he or she visited; if the last page being visited is outside of my
company's website then php moves the end user to the login page.  It is
pretty effective.

The common problem with the browsers is that they aren't compatible so
HTTP_REFERER doesn't always work right and sometimes returns a blank if those
three are being used.  I had been observing it for a few years.  Those three
are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
either one of these is in use, some browsers return with a blank in
HTTP_REFERER.

Cheers

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > Here's what I found so interesting
> >
> > This code, $_SERVER['HTTP_REFERER'] has worked without a
> > problem when I use the latest Mozilla build. It even works
> > with the HierMenus,
> > location.replace('http://whatever.com'),
> > and location.href = http://whatever.com...
> >
> > This is good news for PHP everywhere.
> >
> > Unfortunately, Internet Explorer still has this
> > bug...
>
> What bug is that?
>
> Is there a question here somewhere? I think I am having a
> hard time interpreting it.
>
> Chris












Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
It's not a PHP bug.  Many PHP programmers tried their best to use
HTTP_REFERER so they can keep track of which webpages on the current website
the user last visited.  That way, they can keep out the unauthorized
access to the website without first logging in to the website.

Well, my company's website uses both SSL and Session ID.  They are good for
starters but they aren't any secure if anyone can make a direct access
without logging in.  That's where I use HTTP_REFERER to see what last page
he or she visited; if the last page being visited is outside of my
company's website then php moves the end user to the login page.  It is
pretty effective.

The common problem with the browsers is that they aren't compatible so
HTTP_REFERER doesn't always work right and sometimes returns a blank if those
three are being used.  I had been observing it for a few years.  Those three
are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
either one of these is in use, some browsers return with a blank in
HTTP_REFERER.

Cheers

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > Here's what I found so interesting
> >
> > This code, $_SERVER['HTTP_REFERER'] has worked without a
> > problem when I use the latest Mozilla build. It even works
> > with the HierMenus,
> > location.replace('http://whatever.com'),
> > and location.href = http://whatever.com...
> >
> > This is good news for PHP everywhere.
> >
> > Unfortunately, Internet Explorer still has this
> > bug...
>
> What bug is that?
>
> Is there a question here somewhere? I think I am having a
> hard time interpreting it.
>
> Chris







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Chris Shiflett
--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> Here's what I found so interesting
>
> This code, $_SERVER['HTTP_REFERER'] has worked without a
> problem when I use the latest Mozilla build. It even works
> with the HierMenus,
> location.replace('http://whatever.com'),
> and location.href = http://whatever.com...
>
> This is good news for PHP everywhere.
>
> Unfortunately, Internet Explorer still has this
> bug...

What bug is that?

Is there a question here somewhere? I think I am having a
hard time interpreting it.

Chris





[PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
Here's what I found so interesting

This code, $_SERVER['HTTP_REFERER'] has worked without a problem when I use
the latest Mozilla build.  It even works with the HierMenus,
location.replace('http://whatever.com'), and location.href =
http://whatever.com...

This is good news for PHP everywhere.

Unfortunately, Internet Explorer still has this bug...







RE: [PHP] HTTP_REFERER?

2002-08-28 Thread Lon Lentz


  Weird. When I plugged them straight into the query, it worked. Thanks
again for the help. Solved a major problem for me.


-Original Message-
From: listman@evol [mailto:listman@evol]On Behalf Of Keith Vance
Sent: Wednesday, August 28, 2002 10:51 PM
To: Lon Lentz
Subject: RE: [PHP] HTTP_REFERER?


Why not just always use the $_SERVER variable?







RE: [PHP] HTTP_REFERER?

2002-08-28 Thread Lon Lentz


  Thanks for the information. I appreciate your help. It works when I just
want to display them in the main page, but the following code continues to
generate empty data in my table.


$larry = $_SERVER['HTTP_REFERER'];
$moe = $_SERVER['QUERY_STRING'];
$curly = $_SERVER['HTTP_USER_AGENT'];
$schep = $_SERVER['REMOTE_ADDR'];


$result2 = mysql_query("insert into referer(path,query,agent,remote)
values('$larry','$moe','$curly','$schep')",$db);



-Original Message-
From: listman@evol [mailto:listman@evol]On Behalf Of Keith Vance
Sent: Wednesday, August 28, 2002 7:51 PM
To: Lon Lentz
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] HTTP_REFERER?


Look at using $_SERVER variable, you can access it anywhere. Do a
print_r($_SERVER) to see the data it holds.



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
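
The insert in this post interpolates request headers, which the client controls and may omit, straight into the SQL string. An added example (not the poster's code) of the same insert with bound parameters and NULL for absent headers; SQLite in memory, the helper names and the sample requests are assumptions:

```php
<?php
// Added example (not the poster's code): the insert from the post rewritten
// with bound parameters. Table and column names follow the post; SQLite in
// memory stands in for MySQL (assumes pdo_sqlite is loaded) and the requests
// below are constructed sample data.

function open_log(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE referer (path TEXT, query TEXT, agent TEXT, remote TEXT)');
    return $db;
}

/** Return a request value, or null when the client did not send it. */
function request_value(array $server, string $key, int $maxLen = 1024): ?string
{
    $value = $server[$key] ?? null;
    if (!is_string($value) || $value === '') {
        return null;
    }
    return substr($value, 0, $maxLen);       // cap what one request can store
}

/** Store one request; the header values travel as data, never as SQL text. */
function log_request(PDO $db, array $server): void
{
    $stmt = $db->prepare(
        'INSERT INTO referer (path, query, agent, remote) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        request_value($server, 'HTTP_REFERER'),
        request_value($server, 'QUERY_STRING'),
        request_value($server, 'HTTP_USER_AGENT'),
        request_value($server, 'REMOTE_ADDR', 45),
    ]);
}

function run_demo(): array
{
    $db = open_log();

    // Constructed request 1: the browser sent no Referer header at all.
    log_request($db, [
        'QUERY_STRING'    => 'page=2',
        'HTTP_USER_AGENT' => 'ExampleBrowser/1.0',
        'REMOTE_ADDR'     => '192.0.2.10',
    ]);

    // Constructed request 2: values containing quote characters, which would
    // end the string literal early in a query built by interpolation.
    log_request($db, [
        'HTTP_REFERER'    => "http://www.somedomain.com/search?q=O'Brien",
        'QUERY_STRING'    => "name=O'Brien",
        'HTTP_USER_AGENT' => 'ExampleBrowser/1.0 ("test" build)',
        'REMOTE_ADDR'     => '198.51.100.7',
    ]);

    return $db->query('SELECT path, query, agent, remote FROM referer')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// The first row has path = null; the second keeps its quotes byte for byte.
foreach (run_demo() as $row) {
    echo json_encode($row), "\n";
}
```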




[PHP] HTTP_REFERER?

2002-08-28 Thread Lon Lentz


  I have a template which places the value of $HTTP_REFERER into a table.
This template is included in another template which is included in yet
another template. The problem I am having is that the HTTP_REFERER,
HTTP_USER_AGENT, and QUERY_STRING variables are all blank.

  Are there issues with these values across included templates? I would
imagine not. Are there settings for Apache that impact these?

  I am running Apache on Linux.



__
Lon Lentz
Applications Developer
EXImpact.com







Re: [PHP] HTTP_REFERER

2002-03-25 Thread Erik Price


On Monday, March 25, 2002, at 02:52  PM, tom hilton wrote:

>  This is working fine for most users, but one user is telling me that
> even though she is following the link from the index page, she's still
> getting the error message, and is being bounced back to the index page.
> She is using Internet Explorer 6.0.  Are there any security or privacy
> settings that might restrict use of the $HTTP_REFERER variable?  Or is
> there a better way to make sure users follow links to pages, rather than
> bookmarking and going straight to a page?  Thanks for any help you can
> give me.

I'm not sure about Internet Explorer 6's use of HTTP headers, but the 
"referer" header in the HTTP protocol is not required by any user 
agent.  Legally, IE6 can choose not to send it, and still be in complete 
compliance with HTTP.

There may not be an easy way to do what you want.  One possible solution 
is to make the typical "calls itself" PHP page and display certain 
content based on certain variables being present, and use POST variables 
so that they do not appear in the URL.  The problem with this is that it 
requires a ton of code to "wrap" your content in the 'protective' 
index.html layer, and also you would have to use form buttons rather 
than hyperlinks (unless you used post_to_host(), see archives if you're 
not sure what I mean).


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] HTTP_REFERER

2002-03-25 Thread Dan Harrelson

Have you checked that your user is indeed coming from
"http://www.somedomain.com/index.html"?  There are lots of other ways
to load your homepage:

"http://xxx.xxx.xxx.xxx/index.html" (ip address, not domain)
"http://www.somedomain.com/"
"http://www.somedomain.com"
"http://xxx.xxx.xxx.xxx"
"http://xxx.xxx.xxx.xxx/"

You'll have to check for all of them

-Dan


--- tom hilton <[EMAIL PROTECTED]> wrote:
> Hi, I am using the $HTTP_REFERER variable to ensure that users of a
> website
> are getting to a certain page through a link from the index.html
> page, and
> not going straight to the page through a bookmark.
> 
> $page=$HTTP_REFERER;
> if ($page!="http://www.somedomain.com/index.html")
>   {
>   echo "Please log in through the home page";
>   echo "<META HTTP-EQUIV='Refresh' CONTENT='1;URL=http://www.somedomain.com/index.html'>";
>   }
>  This is working fine for most users, but one user is telling me that
> even
> though she is following the link from the index page, she's still
> getting
> the error message, and is being bounced back to the index page.
> She is
> using Internet Explorer 6.0.  Are there any security or privacy
> settings
> that might restrict use of the $HTTP_REFERER variable?  Or is there a
> better
> way to make sure users follow links to pages, rather than bookmarking
> and
> going straight to a page?  Thanks for any help you can give me.
> 
> 
> 
> 






[PHP] HTTP_REFERER

2002-03-25 Thread tom hilton

Hi, I am using the $HTTP_REFERER variable to ensure that users of a website
are getting to a certain page through a link from the index.html page, and
not going straight to the page through a bookmark.

$page=$HTTP_REFERER;
if ($page!="http://www.somedomain.com/index.html")
  {
  echo "Please log in through the home page";
  echo "<META HTTP-EQUIV='Refresh' CONTENT='1;URL=http://www.somedomain.com/index.html'>";
  }
 This is working fine for most users, but one user is telling me that even
though she is following the link from the index page, she's still getting
the error message, and is being bounced back to the index page.  She is
using Internet Explorer 6.0.  Are there any security or privacy settings
that might restrict use of the $HTTP_REFERER variable?  Or is there a better
way to make sure users follow links to pages, rather than bookmarking and
going straight to a page?  Thanks for any help you can give me.







Re: [PHP] http_referer

2002-02-18 Thread Erik Price


In PHP4.1 or later, try:

echo $_SERVER['HTTP_REFERER'];


Erik







Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






RE: [PHP] http_referer

2002-02-18 Thread Rick Emery


Try accessing the variable:  $HTTP_REFERER
without specifying the array.  it works for me


-Original Message-
From: tom hilton [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 12:25 PM
To: [EMAIL PROTECTED]
Subject: [PHP] http_referer


Hi,

I am trying to pull http_referer info on users accessing a certain page, but
am not having any luck. When I run phpinfo(), the referer information is
listed with all the other server variables, but when I pull a list of the
server variables as an array and print them, they all appear except for the
http_referer variable.  Does anyone have any idea of why this one variable
might not be available as part of the server array, but is accessible by
phpinfo()?







[PHP] http_referer

2002-02-18 Thread tom hilton

Hi,

I am trying to pull http_referer info on users accessing a certain page, but
am not having any luck. When I run phpinfo(), the referer information is
listed with all the other server variables, but when I pull a list of the
server variables as an array and print them, they all appear except for the
http_referer variable.  Does anyone have any idea of why this one variable
might not be available as part of the server array, but is accessible by
phpinfo()?







Re: [PHP] HTTP_REFERER

2001-11-23 Thread Jim Lucas

at our site, we built the error trapping that you are wanting to build.

here is a snippet of what we used.

  "PSID: (". PSID .")\n".
  "Page: ($GLOBALS[REQUEST_URI])\n".
  "As refered from: ($GLOBALS[HTTP_REFERER])\n".
  "Browser Platform: ($GLOBALS[HTTP_USER_AGENT])\n".
  "User IP: '". gethostbyaddr($GLOBALS['REMOTE_ADDR']) ."' ($GLOBALS[REMOTE_ADDR])\n".

hope this helps

Jim
- Original Message -
From: "Jordan Elver" <[EMAIL PROTECTED]>
To: "PHP General Mailing List" <[EMAIL PROTECTED]>
Sent: Friday, November 23, 2001 2:55 AM
Subject: [PHP] HTTP_REFERER


> Hi,
> I'm writing a 404 handler and in order to report the item that was
> requested I was trying to get the value of HTTP_REFERER. But, it does
> seem to get set.
> Does anyone know how to find this value? Is there a reason why it would not
> get set?
>
> TIA,
>
> Jord
> --
> Jordan Elver
> Web Developer
> http://www.theinternetone.co.uk
> Carpe Aptenodytes! (Seize the Penguins!)
>
>
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] HTTP_REFERER

2001-11-23 Thread Matt Williams

> Hi,
> When I use HTTP_REFERER it gives me the name of the php script which is
> handling the 404's?!
>
> Should that happen?

As someone put in one of the other replies, don't rely on HTTP_REFERER.
This is set (or not) by the browser and they all have different ideas about
how they want to play ball with it.

You said you wanted to find the url they were trying to get at.
Use the variable I told you about before to get this

Regards
M:

>
> Jord
>
> On Friday 23 November 2001 11:41, you wrote:
> > > Hi,
> > > I'm writing a 404 handler and in order to report the item that
> > > was requested
> > > I was trying to get the value of HTTP_REFERER. But, it does seem
> > > to get set.
> > > Does anyone know how to find this value? Is there a reason why it
> > > would not
> > > get set?
> >
> > Hi
> >
> > I think you're looking for this
> >
> > $HTTP_SERVER_VARS["REQUEST_URI"]
> >
> > M:
>
> --
> Jordan Elver
> Web Developer
> http://www.theinternetone.co.uk
> testing? What's that? If it compiles, it is good, if it boots up it is
> perfect. --- Linus Torvalds
>






Re: [PHP] HTTP_REFERER

2001-11-23 Thread Jordan Elver

Hi,
When I use HTTP_REFERER it gives me the name of the php script which is 
handling the 404's?!

Should that happen?

Jord

On Friday 23 November 2001 11:41, you wrote:
> > Hi,
> > I'm writing a 404 handler and in order to report the item that
> > was requested
> > I was trying to get the value of HTTP_REFERER. But, it does seem
> > to get set.
> > Does anyone know how to find this value? Is there a reason why it
> > would not
> > get set?
>
> Hi
>
> I think you're looking for this
>
> $HTTP_SERVER_VARS["REQUEST_URI"]
>
> M:

-- 
Jordan Elver
Web Developer
http://www.theinternetone.co.uk
testing? What's that? If it compiles, it is good, if it boots up it is 
perfect. --- Linus Torvalds





Re: [PHP] HTTP_REFERER

2001-11-23 Thread Jordan Elver

On Friday 23 November 2001 13:39, you wrote:
> Are you using it as
>
> $HTTP_SERVER_VARS["REQUEST_URI"]
>
> or
>
> $REQUEST_URI
>
> ?

Well, I think I'm buggered then because I just tried to use both and they
both report the same value :-(

Back to the drawing board.

> I had the same problem using the latter. The former displays properly.
> Other than that I can't remember if I changed anything else
>
> M:

-- 
Jordan Elver
Web Developer
http://www.theinternetone.co.uk
Unix is not a "A-ha" experience, it is more of a "holy-shit" experience. --- 
Colin McFadyen in alt.folklore.computers





RE: [PHP] HTTP_REFERER

2001-11-23 Thread Matt Williams

> Hi,
> I'm writing a 404 handler and in order to report the item that 
> was requested 
> I was trying to get the value of HTTP_REFERER. But, it does seem 
> to get set. 
> Does anyone know how to find this value? Is there a reason why it
> would not 
> get set?
> 

Hi 

I think you're looking for this

$HTTP_SERVER_VARS["REQUEST_URI"]

M:





Re: [PHP] HTTP_REFERER

2001-11-23 Thread Sebastian Wenleder

Hi Jord,

You don't need to get HTTP_REFERER, in order to know what the client 
requested! And every browser stores some other info in HTTP_REFERER...
The filename that was requested is stored in $REQUEST_URI

Best,
Sebastian

>Hi,
>I'm writing a 404 handler and in order to report the item that was requested
>I was trying to get the value of HTTP_REFERER. But, it does seem to get set.
>Does anyone know how to find this value? Is there a reason why it would not
>get set?
>
>TIA,





Re: [PHP] HTTP_REFERER

2001-11-23 Thread gaouzief

hi

reasons why it couldn't be set:

the url was typed directly

some browsers don't send referer information

others (like Opera 5.12) send a wrong value

you shouldn't rely on HTTP_REFERER too much


regards

hassan el forkani
http://WarmAfrica.com

23/11/2001 11:55:04, Jordan Elver <[EMAIL PROTECTED]> wrote:

>Hi,
>I'm writing a 404 handler and in order to report the item that was requested 
>I was trying to get the value of HTTP_REFERER. But, it does seem to get set. 
>Does anyone know how to find this value? Is there a reason why it would not
>get set?
>
>TIA,
>
>Jord
>-- 
>Jordan Elver
>Web Developer
>http://www.theinternetone.co.uk
>Carpe Aptenodytes! (Seize the Penguins!)
>
>
>
>








[PHP] HTTP_REFERER

2001-11-23 Thread Jordan Elver

Hi,
I'm writing a 404 handler and in order to report the item that was requested 
I was trying to get the value of HTTP_REFERER. But, it does seem to get set. 
Does anyone know how to find this value? Is there a reason why it would not
get set?

TIA,

Jord
-- 
Jordan Elver
Web Developer
http://www.theinternetone.co.uk
Carpe Aptenodytes! (Seize the Penguins!)





[PHP] HTTP_REFERER

2001-11-21 Thread Peter

Can anyone tell me under what circumstances this is set?  As far as I can
tell it only gets set on clicking an A tag from a referring page, but
shouldn't it also get set if I POST a form from the referring page?  In my
tests this doesn't happen.  I've tried using PHP 4.05 / 4.06 on Win2K CGI
version.

Any help much appreciated
Peter










[PHP] $HTTP_REFERER problem

2001-08-22 Thread pekesan

I know that some browsers don't give support to the $HTTP_REFERER variable (
lynx for example). I am thinking of checking the browser ident (with
HTTP_USER_AGENT) and managing $HTTP_REFERER as a session var in those cases
that don't give support. But it would be great if somebody who found
another solution shares it with me.

Thanks in advance, and complaints about my English,





Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Jesse Arnett

Hello,

I'm not sure I would worry too much about the referrer.. if your 'add
account' script has decent error checking, it shouldn't matter if the user
creates their own form.

-jesse
--
Jesse Arnett [EMAIL PROTECTED]
SISCOM Inc http://www.siscom.net/
Southern Ohio's Superior Internet Service Provider
Ph: 937.222.8150.413


- Original Message -
From: "Erich Zigler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 17, 2001 12:13 PM
Subject: [PHP] $HTTP_REFERER


> I am working on the last half of an Online Signup page for an ISP.
>
> There is a local .php page on the webserver that actually finalizes the
> addition of the user, but ONLY if $HTTP_REFERER is from a certain host.
>
> I was wondering what you guys think of doing it this way?
>
> Any advice would be appreciated. Thank you.
>
> --
> Erich Zigler
>
>
>






Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Rob Hardowa


According to the spec:
$HTTP_REFERER
The address of the page (if any) which referred the browser to the 
current page. This is set by the user's browser; not all browsers will set 
this. 

So if it is set by the user's browser, it can be changed, or shut off. 
I believe there are programs out there that block that env var so people do 
not leave tracks within a site as well. Look at tucows.com for such programs.

Typically, if a user went through 5 pages to sign up and is on the sixth 
page, I wouldn't worry about someone forging that too much.  I'd be more 
worried about referrer not being set and then not allowing them to signup 
because of that.  You can always set a variable like $PAGENUM in your code on 
the second last page and session register it, then check for it on the last 
page.  If it exists, do your thing and destroy the session.  If it does not 
exist, you can take the desired action.  Combine this with the HTTP_REFERER 
and I would think you should be fairly safe, but remember, the HTTP_REFERER 
could be empty, whereas the session var should be trusted as it is coming 
from your own site.  

On Friday 17 August 2001 09:34 am, you wrote:
>
> Thanks. But is using $HTTP_REFERER the most secure way of doing it? Or can
> the $HTTP_REFERER be forged and thus gaining unauthorized access to the
> forms?

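The session-marker check described in this message, sketched as an added example (not code from the thread). It uses `$_SESSION` in place of `session_register()`, which current PHP no longer provides, relies on the session alone rather than combining it with the Referer, and assumes PHP 7 or later; the function names, the `signup_token` field and the sample URL are hypothetical.

```php
<?php
// Added example with hypothetical helper names. In a real page, call
// session_start() before using either function.

/**
 * Call at the end of the second-to-last signup page, once its input validated.
 * Stores a step marker and a random one-time token in the server-side session.
 */
function signup_mark_ready(): string
{
    $_SESSION['signup_step']  = 'ready_to_finalize';
    $_SESSION['signup_token'] = bin2hex(random_bytes(32));
    return $_SESSION['signup_token']; // embed in the form as a hidden field
}

/**
 * Call at the top of the finalizing page. Returns true only when the session
 * shows the previous step was completed and the submitted token matches.
 * The marker is consumed on every call, so a request cannot be replayed.
 * The Referer header is never consulted: it may be absent or client-chosen.
 */
function signup_may_finalize(array $post): bool
{
    $step     = $_SESSION['signup_step']  ?? null;
    $expected = $_SESSION['signup_token'] ?? null;
    unset($_SESSION['signup_step'], $_SESSION['signup_token']);

    if ($step !== 'ready_to_finalize' || !is_string($expected)) {
        return false;
    }
    $given = $post['signup_token'] ?? '';
    return is_string($given) && hash_equals($expected, $given);
}

// Constructed walk-through; a plain array stands in for a started session.
$_SESSION = [];
$_SERVER['HTTP_REFERER'] = 'http://signup.example.test/step5.php'; // client-supplied, ignored

// 1. Direct hit on the finalizing page: plausible Referer, but no prior step.
var_dump(signup_may_finalize([]));

// 2. Normal flow: the previous page marks the session, the form posts the token.
$token = signup_mark_ready();
var_dump(signup_may_finalize(['signup_token' => $token]));

// 3. Replay of the same request after the marker was consumed.
var_dump(signup_may_finalize(['signup_token' => $token]));
```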




Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Erich Zigler

On Fri 17 Aug 2001, Nick Davies wrote:

> Probably best to read stuff first ;)
> try preg_match
> preg_match("/^(http:\/\/)?([^\/]+)/i", $HTTP_REFERER, $hostname);
> the hostname will be in $hostname[2]
> Hope it helps.

Thanks. But is using $HTTP_REFERER the most secure way of doing it? Or can
the $HTTP_REFERER be forged and thus gaining unauthorized access to the
forms?

-- 
Erich Zigler

A sick mind is not necessarily the sign of a neat desk.





Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Nick Davies


Probably best to read stuff first ;)

try preg_match

preg_match("/^(http:\/\/)?([^\/]+)/i", $HTTP_REFERER, $hostname);

the hostname will be in $hostname[2]

Hope it helps.

On Fri, 17 Aug 2001, Nick Davies wrote:

> 
> Sorry missed a bit you'll just need to ereg out the hostname from
> HTTP_REFERER - take everything after http:// and before /...
> 
> Nick.
> 
> On Fri, 17 Aug 2001, Erich Zigler wrote:
> 
> > I am working on the last half of an Online Signup page for an ISP.
> > 
> > There is a local .php page on the webserver that actually finalizes the
> > addition of the user, but ONLY if $HTTP_REFERER is from a certain host. 
> > 
> > I was wondering what you guys think of doing it this way? 
> > 
> > Any advice would be appreciated. Thank you.
> > 
> > 
> 
> 
> 






Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Nick Davies


Sorry missed a bit you'll just need to ereg out the hostname from
HTTP_REFERER - take everything after http:// and before /...

Nick.

On Fri, 17 Aug 2001, Erich Zigler wrote:

> I am working on the last half of an Online Signup page for an ISP.
> 
> There is a local .php page on the webserver that actually finalizes the
> addition of the user, but ONLY if $HTTP_REFERER is from a certain host. 
> 
> I was wondering what you guys think of doing it this way? 
> 
> Any advice would be appreciated. Thank you.
> 
> 






Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Nick Davies


like 

if ($HTTP_REFERER == "certain host") {
    // do finalise code
}




On Fri, 17 Aug 2001, Erich Zigler wrote:

> I am working on the last half of an Online Signup page for an ISP.
> 
> There is a local .php page on the webserver that actually finalizes the
> addition of the user, but ONLY if $HTTP_REFERER is from a certain host. 
> 
> I was wondering what you guys think of doing it this way? 
> 
> Any advice would be appreciated. Thank you.
> 
> 






[PHP] $HTTP_REFERER

2001-08-17 Thread Erich Zigler

I am working on the last half of an Online Signup page for an ISP.

There is a local .php page on the webserver that actually finalizes the
addition of the user, but ONLY if $HTTP_REFERER is from a certain host. 

I was wondering what you guys think of doing it this way? 

Any advice would be appreciated. Thank you.

-- 
Erich Zigler   





Re: [PHP] HTTP_REFERER is missing in SSL

2001-07-27 Thread Ezra Nugroho


>Bug in IE?  PHP doesn't even enter the picture here.  The HTTP_REFERER
>variable is defined by the web server if that information is provided by
>the browser.

No, it's not really a PHP thing, it's more HTML stuff.
I suspect that the error comes because one of the servers is not running 
SSL, so IE doesn't pass HTTP_REFERER to it.
I wonder if someone has any authoritative knowledge on this problem.


>Keep in mind that there is absolutely no guarantee that the browser will
>ever provide this information.  Building anything that relies on this is a
>mistake.

Yeah, I know, but this is an outsourced script that I have no control of.


>-Rasmus


Ezra Nugroho
Web/Database Application Specialist
Goshen College ITS
Phone: (219) 535-7706


"Don't be humble, you're not that great." -- Golda Meir






Re: [PHP] HTTP_REFERER is missing in SSL

2001-07-27 Thread Rasmus Lerdorf

> I have a frameset that runs on a SSL enabled server that has two frames in it.
> One of the source is the local machine and the other one is a (outsourced
> asp !!) script in another machine without SSL.
> The non SSL one requires HTTP_REFERER to make sure it was hit from the
> authorized server.
>
> This works fine with Netscape but not with IE 5. HTTP_REFERER just wasn't
> defined.
>
> Any explanation?

Bug in IE?  PHP doesn't even enter the picture here.  The HTTP_REFERER
variable is defined by the web server if that information is provided by
the browser.

Keep in mind that there is absolutely no guarantee that the browser will
ever provide this information.  Building anything that relies on this is a
mistake.

-Rasmus






[PHP] HTTP_REFERER is missing in SSL

2001-07-27 Thread Ezra Nugroho

I have a frameset that runs on a SSL enabled server that has two frames in it.
One of the source is the local machine and the other one is a (outsourced 
asp !!) script in another machine without SSL.
The non SSL one requires HTTP_REFERER to make sure it was hit from the 
authorized server.

This works fine with Netscape but not with IE 5. HTTP_REFERER just wasn't 
defined.

Any explanation?


Ezra Nugroho
Web/Database Application Specialist
Goshen College ITS
Phone: (219) 535-7706


"Don't be humble, you're not that great." -- Golda Meir


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] $HTTP_REFERER < 10

2001-07-12 Thread Don Read


On 12-Jul-01 Inércia Sensorial wrote:
>   Is it possible?
> 
>   I am writing a recommend script, and I already know that the $HTTP_REFERER
> can come empty or even not set, tested turning off the 'Enable Referer
> Logging' on Opera.
> 
>   But, an invalid $HTTP_REFERER is also one smaller than 10 characters?
> 
>   I believe the smallest referer you can have is 'http://a.jp', for example,
> but I am not sure.
> 
>   Anyone saw a smaller $HTTP_REFERER or have any other ideas to check if it
> is invalid?
> 

What do you mean by valid ? I see these all the time:

'C:'
'cache'
'index'
'C:Temp'
'http:/'
'bookmark'
'index.htm'
'C:WINDOWS'
'bookmarks'

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.

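A way to sort Referer values like the ones listed above, and to compare the host exactly instead of by pattern match, as an added example (not code from any poster on this list). `TRUSTED_HOST`, `referer_class()` and the sample hosts are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example; TRUSTED_HOST and referer_class() are hypothetical names.
const TRUSTED_HOST = 'signup.example.test';

/**
 * Classify a raw Referer value. The result is a hint for logging or
 * statistics, never an authorization decision: the client controls the header.
 */
function referer_class(?string $raw): string
{
    if ($raw === null || trim($raw) === '') {
        return 'absent';
    }
    $parts = parse_url(trim($raw));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'malformed'; // no scheme or no host: 'cache', 'index.htm', ...
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return 'malformed';
    }
    // Compare the whole host, case-insensitively. A substring or prefix test
    // would also accept hosts that merely contain the trusted name.
    return strtolower($parts['host']) === TRUSTED_HOST ? 'same-site' : 'foreign';
}

// Constructed samples: the short values are ones quoted in the thread, the
// URLs are made up for this example.
$samples = [
    null,
    '',
    'C:',
    'cache',
    'http:/',
    'bookmark',
    'index.htm',
    'http://a.jp',
    'http://SIGNUP.example.test/step5.php',
    'http://signup.example.test.other.example/step5.php',
];
foreach ($samples as $s) {
    printf("%-55s %s\n", var_export($s, true), referer_class($s));
}
```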




[PHP] $HTTP_REFERER < 10

2001-07-12 Thread Inércia Sensorial

  Is it possible?

  I am writing a recommend script, and I already know that the $HTTP_REFERER
can come empty or even not set, tested turning off the 'Enable Referer
Logging' on Opera.

  But, an invalid $HTTP_REFERER is also one smaller than 10 characters?

  I believe the smallest referer you can have is 'http://a.jp', for example,
but I am not sure.

  Anyone saw a smaller $HTTP_REFERER or have any other ideas to check if it
is invalid?

--

  Julio Nobrega.

One and One and One is Three







RE: [PHP] HTTP_REFERER doesn't work with redirects...?

2001-02-22 Thread PHPBeginner.com

HTTP_REFERER works ONLY when clicking a link which brings you to a page in the
SAME window.
This value comes from your browser and it is very unreliable.

Sincerely,

 Maxim Maletsky
 Founder, Chief Developer

 PHPBeginner.com (Where PHP Begins)
 [EMAIL PROTECTED]
 www.phpbeginner.com





-Original Message-
From: Dhaval Desai [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 22, 2001 12:09 AM
To: [EMAIL PROTECTED]
Subject: [PHP] HTTP_REFERER doesn't work with redirects...?


Hi!


I just want to get the URL of the page that is
redirecting to the other page.
For example..

I  have two files
login.php
something.php


Something.php has a line saying:




So When I open Something.php it automatically takes me
to login.php. On the login.php page I have the
following lines




It doesn't seem to work. I think the problem is
because I don't click and go to something.php. I am
getting redirected to the file. So is there any other
way I can get the URL of the file which is
redirecting.


Thanx a lot

Cheers!~
Dhaval Desai





[PHP] HTTP_REFERER doesn't work with redirects...?

2001-02-21 Thread Dhaval Desai

Hi!


I just want to get the URL of the page that is
redirecting to the other page.
For example..

I  have two files 
login.php
something.php


Something.php has a line saying:




So When I open Something.php it automatically takes me
to login.php. On the login.php page I have the
following lines




It doesn't seem to work. I think the problem is
because I don't click and go to something.php. I am
getting redirected to the file. So is there any other
way I can get the URL of the file which is
redirecting.


Thanx a lot

Cheers!~
Dhaval Desai





Re: [PHP] HTTP_REFERER vs. session_whatever() vs. header()

2001-01-24 Thread Richard Lynch

> //echo $test."";
> "//" .  Without the remark, the code work but I get the error message
> stating 
>
> Warning: Cannot add header information - headers already sent by (output
> started at test.php) in test.php on line **

Yes.
A header is called a header because it comes out ahead of the actual page
content.

So what your browser *REALLY* sees is stuff like this:

Content-type: text/html
Content-length: 1035
Expiration: Jan 14 2001 20:46:37 GMT
Cookie: user_id "a7fjeju48dj934jdjcu8"


test



Note the blank line between the headers and the HTML tag.  That innocent
blank line is very, very significant.

It signifies the *END* of the headers and the beginning of the content.

So, here's the deal.  When you print something out, or have an HTML tag, or
have a blank line, PHP has to send that out as part of the Content.  Now, in
order to do that, PHP has to send out your headers first, then the blank
line, then whatever your content is.

If you later try to send out a header, using the http://php.net/header
function, or http://php.net/setcookie or http://php.net/session-start
(sessions use cookies to track users), IT IS TOO LATE.  That boat already
sailed.  Once the headers go out, and the blank line after them, you can't
get more headers to be in front of that blank line that signified the end of
the headers.

> When I put in the remark, the 2nd file, test.php couldn't use
> $GLOBAL["HTTP_REFERER"] because it couldn't find the last file.  I was
> thinking that maybe the HTTP_REFERER couldn't reach the last file because of
> the way the header work.

What exactly are you trying to do with the referer in the 2nd file?  Print
it?  What?  Why?







[PHP] HTTP_REFERER vs. session_whatever() vs. header()

2001-01-24 Thread Scott Fletcher

Hi Everyone!

I did post the note in the past about the problem with HTTP_REFERER
which doesn't work in Netscape 6.0.  It turned out that I was looking at the
wrong thing the whole time.  What I found is that it isn't really Netscape
problem.  It turned out that Netscape 6.0 can't use 2 times at one time,
probably due to the fact that it is slower.

-
What I have in the script are ..

   $salt = strtoupper(md5(uniqid(rand())).md5(uniqid(rand())));
session_id($salt);
session_start();
session_register("user_detail");

//$test = $GLOBALS["HTTP_REFERER"];
//echo $test."";

$ask = "INSERT INTO SESSIONS
VALUES('".$PHPSESSID."','".$user_detail[USER_ID]."',CURRENT
TIMESTAMP,CURRENT TIMESTAMP,'".$REMOTE_ADDR."') ";
$result = odbc_exec($cid,$ask);
header("Location: https://www.test.org/test.php?".SID);
break;

And the 2nd file, test.php, contain the script  ...

$GLOBALS["HTTP_REFERER"];
-

When I just add the code for testing which is followed by remark code
"//" .  Without the remark, the code work but I get the error message
stating 

Warning: Cannot add header information - headers already sent by (output
started at test.php) in test.php on line **

--

When I put in the remark, the 2nd file, test.php couldn't use
$GLOBAL["HTTP_REFERER"] because it couldn't find the last file.  I was
thinking that maybe the HTTP_REFERER couldn't reach the last file because of
the way the header work.

Any solution?  Any idea?

Thanks,
 Scott







[PHP] HTTP_REFERER not giving proper results

2001-01-12 Thread Chakravarthy K Sannedhi

PHP gurus,

I am having a page named scene1.php, which got link to
playvoice.php, one drop down list box and a submit
button. I will try to explain what i want from this
page as much clearly as possible with the following
points.
1. Scene1.php appears on the user screen after it gets
redirected from a page named redirect1.php
2. Initially there won't be any submit button and the
page will have only link to playvoice.php and the
dropdown list box.
3. After the user clicks on the 'Play voice file' link
which leads to playvoice.php, he will go to
phpvoice.php which shows just one line like 'Played a
voice file' for about 3 seconds on the user screen and
he will be redirected back to scene1.php
4. Now the latest scene1.php won't have a 'Play voice
file' link but just a text 'Play voice file', dropdown
box and now the submit button appears on the screen.
5. As the user clicks on the submit button, the
opinion will enter into the database and a link 'Go to
the next scenario' appears on his screen, after he
clicks it he will go to redirect2.php.

Now what my problem is the logic which i wrote within
the if statement(code is below) is not working, but
directly the logic within the else statement is
appearing on the user screen(step 4 is coming directly
instead of step 2 coming first), which is preventing
the user from clicking on the link 'Play voice
file'(as there is no link at all, just text). So what
i feel is the $HTTP_REFERER variable is not catching
redirect1.php into it. I want to know where i am going
wrong in using that. 

Thanks a lot to whoever responds
Chakravarthy K Sannedhi



Scenario 1 Best Effort


");
mysql_connect('localhost','user','password') or die
('unable to connect to the database.');
mysql_select_db ('nimitztest') or die ('unable to
select the database.');
if (!$submit || !$error) {
?>
Scenario 1
This scenario includes best effort network, without
any congestion. The queing is set to First In First
Out(FIFO) and there is no reservation made for voice.
Now please click on the link below to play the voice
file and later submit your opinion on the quality of
voice.
 method=post>
http://www.myserver.com/redirect1.php") {
print ('Play voice file');
print ('');
print ('');
print ('(Rate it!)');
print ('1');
print ('2');
print ('3');
print ('4');
print ('5');
print ('');
}
else {
print ('Play voice file');
print ('');
print ('');
print ('(Rate it!)');
print ('1');
print ('2');
print ('3');
print ('4');
print ('5');
print ('');
print ('');
flush();
print ('');
}
}

if ($submit) {
if ($opinion=='rate') {
$error="Please select the rating";
echo $error;
}
else {
$result = mysql_query("select * from testtakerinfo
order by userid desc limit 1");
$myrow = mysql_fetch_array ($result);
$id = $myrow["userid"];
$query = "update testtakerinfo set scene1='$opinion'
where userid=$id";
mysql_query ($query);
echo "Go to next scenario";
}
}
include ('includefile.php');
?>


