Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181958 is a reply to message #181956]
Fri, 28 June 2013 08:56
Thomas 'PointedEars'
Christoph Michael Becker wrote:
> Thomas 'PointedEars' Lahn wrote:
>> Also, I would match a URI against RFC 3986, Appendix B. What if
>> there is a query part, for example?
>
> Good point! However, only recently there was a bug report regarding
> PHP's filter_var($var, FILTER_VALIDATE_URL)[1].
I have not suggested using filter_var().
> This is meant to be implemented according to RFC 2396; obviously RFC 2396
> is obsoleted by RFC 3986
For 8 years now.
> (I was not aware of that until now--thank you).
You're welcome.
> Anyway, the regular expression given in Appendix B of RFC 2396
> *seems* to be more permissive than the actual syntax given in Appendix A.
Appendixes are not normative. Assuming relevance, in which way does it seem
more permissive?
> I have not checked RFC 3986 regarding this issue yet.
>
>> But I would never check against the HTTP-Referer [sic!] in the first
>> place. There are much more reliable solutions, like session variables.
>> See also <https://owasp.org/>.
>
> ACK. OTOH I have some concerns regarding cookies (I do not "like" to
> propagate session IDs as a GET parameter) due to the European cookie
> law(s).
Directive 95/46/EC does not apply here.
> [1] <https://bugs.php.net/bug.php?id=65141>
PointedEars, IANAL
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f806at$ail$1$8300dec7(at)news(dot)demon(dot)co(dot)uk>
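An added example, not code from this thread or from PHP's own sources, that puts the two points above into working PHP: the RFC 3986, Appendix B regular expression parsing a URI reference that carries a query part, next to the Referer comparison it makes tolerant of that part, and a session-variable token that replaces the Referer check altogether. The form URI, the `$referer` parameter standing in for `$_SERVER['HTTP_REFERER']`, the `$session` array standing in for `$_SESSION`, and the `form_token` key are all assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumed: form URI, the $referer
// parameter in place of $_SERVER['HTTP_REFERER'], the $session array in
// place of $_SESSION, and the 'form_token' session key.
declare(strict_types=1);

// RFC 3986, Appendix B: regular expression for parsing a URI reference.
// Captures: 2 = scheme, 4 = authority, 5 = path, 7 = query, 9 = fragment.
const RFC3986_APPENDIX_B = '~^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?~';

function parseUriReference(string $uri): array
{
    preg_match(RFC3986_APPENDIX_B, $uri, $m);   // every component is optional, so this always matches
    return [
        'scheme'    => $m[2] ?? '',
        'authority' => $m[4] ?? '',
        'path'      => $m[5] ?? '',
        'query'     => $m[7] ?? '',
        'fragment'  => $m[9] ?? '',
    ];
}

// The check under discussion, done the naive way: compare the whole Referer
// string with the URI of our form. It fails as soon as a query part is
// appended, and it cannot say anything when the header is absent (client
// privacy settings, a non-browser client) or fabricated, since any HTTP
// client may send whatever Referer it likes.
function refererMatchesExactly(?string $referer, string $expected): bool
{
    return $referer === $expected;
}

// Comparing only scheme, authority and path (parsed per Appendix B) tolerates
// the query part, but the header is still caller-controlled, so this remains
// a hint at best, never an access control.
function refererMatchesOrigin(?string $referer, string $expected): bool
{
    if ($referer === null) {
        return false;
    }
    $r = parseUriReference($referer);
    $e = parseUriReference($expected);
    return strtolower($r['scheme']) === strtolower($e['scheme'])
        && strtolower($r['authority']) === strtolower($e['authority'])
        && $r['path'] === $e['path'];
}

// The session-variable alternative: a per-session secret kept server side,
// embedded in the form as a hidden field, and compared in constant time when
// the form is submitted. $session stands in for $_SESSION so that the example
// runs from the command line without a web server.
function issueFormToken(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

function formTokenIsValid(array $session, ?string $submitted): bool
{
    return isset($session['form_token'], $submitted)
        && hash_equals($session['form_token'], $submitted);
}

if (PHP_SAPI === 'cli') {
    $form = 'https://example.com/contact';            // assumed form URI
    foreach ([
        'https://example.com/contact',
        'https://example.com/contact?lang=de',        // query part: the exact comparison fails
        'https://attacker.example/evil',              // foreign origin
        null,                                         // header not sent at all
    ] as $ref) {
        printf("%-40s exact=%s origin=%s\n", var_export($ref, true),
            var_export(refererMatchesExactly($ref, $form), true),
            var_export(refererMatchesOrigin($ref, $form), true));
    }

    $session = [];                                    // stands in for $_SESSION
    $token = issueFormToken($session);
    var_dump(formTokenIsValid($session, $token));
    var_dump(formTokenIsValid($session, strrev($token)));
    var_dump(formTokenIsValid($session, null));
}
```

In a real handler the token is generated when the form page is rendered, written into a hidden input, and `formTokenIsValid($_SESSION, $_POST['form_token'] ?? null)` is evaluated before any side effect; the Referer header plays no part in that decision.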