Could ya'll repost any responses to this. Apparently, my new email address wasn't subscribed to the mailing list.
_____ From: Michele Waldman [mailto:[EMAIL PROTECTED] Sent: Friday, November 28, 2008 2:19 PM To: 'NYPHP Talk' Subject: HTTP_REFERER I once had a problem with my server executing php and the code was dumped out to the screen. So, php isn't that terribly secure if your server has a glitch. So many folks put their passwords right there in a file that can be dumped to the screen. In my current case I am using ajax because xmlhttp doesn't cross domains, I didn't have a real security risk I believe from users call the php file directly with data. There would have to be a function call to execute the php. Without someone calling a function, nothing would happen. If someone remotely embedded my php file remotely in their app, they could have made a function call if they knew the name? What does anyone know about linking a php file from another server? I haven't really tried it. I don't think. That would be my real concern. The php.org docs say the http_referer can not be trusted. Plus, I didn't even see it defined in my phpinfo. I don't know if it's only defined if there is an explicit statement to do so. Do you know another way of requiring that some php files are only called by an app in the same domain? I'd like to either prevent a remote call to my php file in htaccess. I was thinking something like: RewriteEngine On RewriteCond %{HTTP_REFERER} !^http://(.+\.)?wantedgaming\.com/ [NC] RewriteCond %{HTTP_REFERER} !^$ RewriteRule .myfile\.php$ stub.php [L] RewriteRule .myfile2\.php$ stub.php [L] RewriteRule .myfile3\.php$ stub.php [L] I was thinking I wanted to reinforce this inside the php file, but if htaccess has it covered, it's probably a non-issue. Does this look right? Michele
_______________________________________________ New York PHP User Group Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org/show_participation.php
