Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181956 is a reply to message #181955]
Fri, 28 June 2013 00:16
Christoph Michael Bec
Thomas 'PointedEars' Lahn wrote:
> Christoph Michael Becker wrote:
>
>> […] You may consider using only simple expressions for an if expression,
>> e.g.:
>>
>> $cameFromExpectedPage = substr($referrer, -13) === 'formcheck.php';
>> if ($cameFromExpectedPage) {
>> echo 'Something showed up';
>> }
>
> Good idea, but I would write
>
> $cameFromExpectedPage = (substr($referrer, -13) === 'formcheck.php');
>
> for even greater clarity.
ACK.
> Also, I would let match RFC 3986, Appendix B, against a URI. What if there
> is a query part, for example?
Good point! However, only recently there was a bug report regarding
PHP's filter_var($var, FILTER_VALIDATE_URL)[1]. This is meant to be
implemented according to RFC 2396; obviously RFC 2396 is obsoleted by
RFC 3986 (I was not aware of that until now--thank you). Anyway, the
regular expression given in Appendix B of RFC 2396 *seems* to
be more permissive than the actual syntax given in Appendix A. I have
not checked RFC 3986 regarding this issue yet.
> But I would never check against the HTTP-Referer [sic!] in the first place.
> There are much more reliable solutions, like session variables. See also
> <https://owasp.org/>.
ACK. OTOH I have some concerns regarding cookies (I do not "like" to
propagate session IDs as a GET parameter) due to the European cookie law(s).
[1] <https://bugs.php.net/bug.php?id=65141>
--
Christoph M. Becker
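As an added illustration of the two points raised in this exchange (it is not code from either poster), the block below first contrasts the substr() suffix check with a comparison of the path component parsed out of the Referer with the regular expression from RFC 3986, Appendix B, and then shows the session-based alternative. It targets PHP 7 or later; the function names, the sample Referer values and the $session array that stands in for $_SESSION (so the file runs from the CLI) are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Function names,
// sample values and the $session array are this example's own choices.

// Regular expression from RFC 3986, Appendix B. Capture groups:
// 2 = scheme, 4 = authority, 5 = path, 7 = query, 9 = fragment.
const RFC3986_URI_RE = '~^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?~';

/** Path component of a URI reference, or null when it is empty. */
function referrerPath(string $referrer): ?string
{
    if (preg_match(RFC3986_URI_RE, $referrer, $m) !== 1) {
        return null;
    }
    return $m[5] !== '' ? $m[5] : null;
}

/** The suffix check from the thread: fails as soon as a query or fragment follows. */
function suffixCheck(string $referrer): bool
{
    return substr($referrer, -13) === 'formcheck.php';
}

/** Compare the last segment of the parsed path instead of the raw string. */
function pathCheck(string $referrer): bool
{
    $path = referrerPath($referrer);
    return $path !== null && basename($path) === 'formcheck.php';
}

/**
 * Session-based alternative: formcheck.php stores a one-time token in the
 * session when it renders the form and embeds it in a hidden input; the
 * receiving page requires that token back in the POST body. Nothing here
 * depends on the Referer header. $session stands in for $_SESSION.
 */
function markFormShown(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['formcheck_token'] = $token;
    return $token;
}

function cameFromFormCheck(array &$session, array $post): bool
{
    $expected = $session['formcheck_token'] ?? null;
    unset($session['formcheck_token']);   // single use: a replayed token fails
    $given = $post['formcheck_token'] ?? null;
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given);
}

// Constructed sample Referer values, not captured traffic.
foreach ([
    'https://example.com/formcheck.php',
    'https://example.com/formcheck.php?step=2',
    'https://example.com/formcheck.php#top',
    'https://attacker.example/formcheck.php',   // any client can send this header
] as $ref) {
    printf("%-45s suffix=%d path=%d\n", $ref, suffixCheck($ref), pathCheck($ref));
}

$session = [];
$token = markFormShown($session);
var_dump(cameFromFormCheck($session, ['formcheck_token' => $token]));
var_dump(cameFromFormCheck($session, ['formcheck_token' => $token]));
```

The loop shows why Thomas asks about the query part: only the parsed path survives "?step=2" and "#top". The fourth sample shows why the parse does not make the check trustworthy either: the Referer is whatever the client chooses to send, and many clients, proxies and referrer policies send nothing at all, so the token held in the session is what actually ties the request to the form that was served. The second var_dump() demonstrates the single-use property, since cameFromFormCheck() removes the token from the session on the first call.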