What is spy.php?

Explore the Evolving Web
www.2.0websites.com
Paul Yurt, Publisher
paul(@)2.0websites.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of csnyder
Sent: Wednesday, January 31, 2007 6:20 AM
To: NYPHP Talk
Subject: Re: [nyphp-talk] Safest and best way to get the referer

On 1/29/07, Joseph Crawford <[EMAIL PROTECTED]> wrote:
> Guys,
>
> I know that HTTP_REFERER is not always accurate or even set. There
> are also ways for people to fake that value. I tend not to rely on
> that much; however, what I need to do is this.
>
> We have a file called spy.php that will return data to the browser if
> the sitekey is found in our database. This data is to be used by
> members so they can show statistics on their site. However, to be sure
> that it was the correct sitekey I was also checking the referer domain
> against the domain stored in the database. Is there a better way to
> do this? I do not want someone to be able to display the stats for
> another site on theirs.
>
> Is there a way to do this or should I just base it on the sitekey and
> if it is valid return the stats for that particular site. The sitekey
> is an md5 hash.
>

It's rare for a browser to send broken referers, but yeah, there's nothing to stop another server from calling spy.php with a spoofed referer and then doing whatever with the result.

You might try to notice if the same client IP makes a number of requests using different sitekeys...

There probably isn't much you can do that would be worth the time it took to implement. After all, even with perfect security on the script, the numbers are still out there in public, ready to be copy-and-pasted into a spreadsheet every morning.

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
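
Added example, not part of the thread and not code from any poster: one way to implement the check suggested in the reply above, noticing when the same client IP requests spy.php with a number of different sitekeys. The record layout, the one-hour window, the threshold of three keys and the function name `findSitekeyScanners` are assumptions; the sample requests are constructed.

```php
<?php
// Added example (not from the thread): flag client IPs that call spy.php
// with many different sitekeys inside a time window.
// Assumed: record layout, one-hour window, threshold of 3 distinct keys.

/**
 * @param array $requests rows of ['ts' => int, 'ip' => string, 'sitekey' => string]
 * @return array ip => distinct sitekeys seen while the IP was over the threshold
 */
function findSitekeyScanners(array $requests, int $window = 3600, int $maxKeys = 3): array
{
    usort($requests, fn($a, $b) => $a['ts'] <=> $b['ts']);
    $recent = [];  // ip => [sitekey => timestamp last seen]
    $flagged = [];
    foreach ($requests as $r) {
        $ip = $r['ip'];
        $recent[$ip][$r['sitekey']] = $r['ts'];
        // Forget sitekeys this IP last used before the window opened.
        $cutoff = $r['ts'] - $window;
        $recent[$ip] = array_filter($recent[$ip], fn($ts) => $ts >= $cutoff);
        if (count($recent[$ip]) > $maxKeys) {
            $seen = array_merge($flagged[$ip] ?? [], array_keys($recent[$ip]));
            $flagged[$ip] = array_values(array_unique($seen));
        }
    }
    return $flagged;
}

// Constructed sample data: sitekeys are md5 hashes of made-up site names,
// IPs come from the documentation ranges.
$key = fn(string $site) => md5($site);
$requests = [
    // Ordinary visitors: each browser loads one member site's stats.
    ['ts' => 1000, 'ip' => '192.0.2.10', 'sitekey' => $key('site-a')],
    ['ts' => 1030, 'ip' => '192.0.2.11', 'sitekey' => $key('site-a')],
    ['ts' => 1100, 'ip' => '192.0.2.10', 'sitekey' => $key('site-b')],
    // One server walking through several members' keys within minutes.
    ['ts' => 1200, 'ip' => '198.51.100.7', 'sitekey' => $key('site-a')],
    ['ts' => 1210, 'ip' => '198.51.100.7', 'sitekey' => $key('site-b')],
    ['ts' => 1220, 'ip' => '198.51.100.7', 'sitekey' => $key('site-c')],
    ['ts' => 1230, 'ip' => '198.51.100.7', 'sitekey' => $key('site-d')],
    // Same visitor much later: earlier keys have aged out of the window.
    ['ts' => 9000, 'ip' => '192.0.2.10', 'sitekey' => $key('site-c')],
];

foreach (findSitekeyScanners($requests) as $ip => $keys) {
    printf("%s requested %d different sitekeys: %s\n", $ip, count($keys), implode(', ', $keys));
}
```

Visitors behind a shared proxy or NAT can legitimately load several member sites from one address, so a flag from this check is a signal for rate limiting or review rather than proof of scraping.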
