Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181976 is a reply to message #181975]
Fri, 28 June 2013 20:07
Jerry Stuckle
On 6/28/2013 4:03 PM, Twayne wrote:
> On 2013-06-28 3:26 PM, Jerry Stuckle wrote:
>> On 6/28/2013 2:07 PM, Twayne wrote:
>>> On 2013-06-27 5:52 PM, Jerry Stuckle wrote:
>>>> On 6/27/2013 5:23 PM, Twayne wrote:
>>>> > I have what's probably a simple and very basic question.
>>>> >
>>>> > My goal is to see where a visitor sending a form-email with mail() on
>>>> > win 7 and XAMPP - PHP 5.3.5, came from. e.g. did he come here from the
>>>> > right page or just barge into this page as his landing page?
>>>> > My php.ini seems to be OK and I've not changed any other config
>>>> > files. All other "If's" work OK and I'm now baffled.
>>>
>>> ...
>>>
>>>>
>
> ...
>
>>>
>>
>> It is supplied by the user, and like anything user-supplied, can easily
>> be spoofed. And some people don't even send it (I've heard Norton has
>> an option to strip it, but haven't confirmed that fact).
>
> No, it is NOT supplied by the user in this case. It is supplied by the
> server of my website, and the only information I'm interested in is
> whether the visitor came from the proper page on my website; nothing
> else shall pass. You've said nothing to change my mind, but thanks anyway.
Check again. HTTP_REFERER is supplied by the CLIENT. The server has no
idea where the page was called from.
>>
>> Just because it exists and is correct on your system does NOT mean it
>> exists or is correct when coming from other systems!
>
> I have zero interest in "other systems", as I described previously.
>
You should. It's your clients who are using those other systems!
> On my server, not my "system". It's entirely server-side operations.
> Others are reporting my scheme as a "good one" when considering
> everything the forest contains; possibly even more than really needed.
>>
>> The bottom line is - it is user-supplied data, and you should NEVER
>> trust user-supplied data.
>
> Like I said, it's not user-supplied.
>
Try again. The server has no idea what page the client was on when he
clicked on a link (or whatever).
> The user knows nothing about it without some pretty clever attention to
> the problem and hacking the server I use (NOT mine - standard, reputable
> servers).
>
The client knows EVERYTHING about it. It supplies the value.
> Thanks for the response, even if it was rather lacking in any detail
> that I found useful.
>
> Twayne
>
>>
>
Then I would suggest you get some more education. Try running the HTTP
Headers extension under Firefox - you will find the value being sent by
the browser.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
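
An added example, not part of the original post or written by either participant: one way to check that a form submission followed a visit to the form page without relying on the client-supplied Referer header, by binding a one-time token to the server-side session. It assumes PHP 7 or later (for `random_bytes` and `hash_equals`) and that the form page and the mail handler share one session; the function names, the `form_token` field and the `example.test` URL are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+; all names are hypothetical.

// Called by the page that displays the form: mint a one-time token,
// remember it server-side, and return it for a hidden <input>.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

// Called by the handler that would call mail(): accept the POST only if it
// carries the token this session was given. The Referer header is not consulted.
function came_from_form(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $supplied = $post['form_token'] ?? '';
    unset($session['form_token']);   // single use: a replayed POST fails
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

// Constructed demonstration: plain arrays stand in for $_SESSION, $_POST and
// $_SERVER so the script runs from the CLI without a web server.
$session = [];
$token   = issue_form_token($session);

// 1. A visitor who loaded the form page and then submitted it.
$ok = came_from_form($session, ['form_token' => $token]);

// 2. A client that never loaded the form but sends a Referer naming it.
//    The header value is whatever the client chose to send.
$server  = ['HTTP_REFERER' => 'https://example.test/contact.php']; // constructed
$session = [];                                                     // no token issued
$refererLooksRight = strpos($server['HTTP_REFERER'], '/contact.php') !== false;
$rejected = !came_from_form($session, []);

// Prints whether case 1 was accepted, whether a Referer test alone would
// have passed case 2, and whether the token check rejected case 2.
var_dump($ok, $refererLooksRight, $rejected);
```

In a real handler, call `session_start()` first and pass `$_SESSION` and `$_POST` in place of the stand-in arrays.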