Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181966 is a reply to message #181955]
Fri, 28 June 2013 17:49
bill
On 2013-06-27 6:19 PM, Thomas 'PointedEars' Lahn wrote:
> Christoph Michael Becker wrote:
>
....
> for even greater clarity.
>
> Also, I would let match RFC 3986, Appendix B, against a URI. What if there
> is a query part, for example?
I haven't read the RFC yet, only glanced at it, but it looks like the
kind of thing I can use. Thanks!
Question: by "query", are you referring to using a database?
Otherwise I'm not sure what you meant, nor what the problem may be.
>
> But I would never check against the HTTP-Referer [sic!] in the first place.
Why is that? If an attempted entry is made from other than the forms
paths, it'll show up on my own screen quickly. Is it easy to spoof or what?
> There are much more reliable solutions, like session variables. See also
> <https://owasp.org/>.
I am also using Session variables and unsetting them as soon as I'm done
with them and destroying the session at first opportunity after it's no
longer needed. But I'm not sure I see why that's better than checking
the referrer?
owasp.org btw looks like a keeper! I've bookmarked it and intend to
spend some time there. THANKS AGAIN!
Regards,
Twayne
>
>
> PointedEars
>
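
An added example, not part of either poster's message: PHP 7+ code that splits a Referer value with the RFC 3986, Appendix B expression (showing where the query part of a URI lands) beside a session-stored one-time form token. The function names, the example.com URL and the `$session` array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added example: names and sample values are constructed, not from the thread.
// RFC 3986, Appendix B expression for splitting a URI reference into components.
const RFC3986_APPENDIX_B = '~^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?~';

function split_uri(string $uri): array
{
    preg_match(RFC3986_APPENDIX_B, $uri, $m);
    // Trailing groups that did not participate are absent from $m, hence the defaults.
    return [
        'scheme'    => $m[2] ?? '',
        'authority' => $m[4] ?? '',
        'path'      => $m[5] ?? '',
        'query'     => $m[7] ?? '',   // the "query part": everything between ? and #
        'fragment'  => $m[9] ?? '',
    ];
}

// Referer check on scheme, authority and path only, so a query part does not
// break the comparison. The header is supplied by the client, so a match only
// says what the client claimed.
function referer_matches(string $referer, string $host, string $path): bool
{
    $u = split_uri($referer);
    return $u['scheme'] === 'https' && $u['authority'] === $host && $u['path'] === $path;
}

// Session-variable alternative: a random token kept server-side when the form is shown.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Single use: the token is unset as soon as it has been checked.
function consume_form_token(array &$session, string $submitted): bool
{
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']);
    return $expected !== '' && hash_equals($expected, $submitted);
}

// Constructed demonstration; $session stands in for $_SESSION so this runs from the CLI.
$session = [];
$token   = issue_form_token($session);
$referer = 'https://example.com/form.php?step=2#top';
print_r(split_uri($referer));
var_dump(referer_matches($referer, 'example.com', '/form.php'));
var_dump(consume_form_token($session, $token));   // first submission of the token
var_dump(consume_form_token($session, $token));   // same token submitted again
```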