Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181969 is a reply to message #181966]
Fri, 28 June 2013 18:13
Christoph Michael Bec
Messages: 207 Registered: June 2013
Twayne wrote:
> On 2013-06-27 6:19 PM, Thomas 'PointedEars' Lahn wrote:
>> Christoph Michael Becker wrote:
>>
>> Also, I would let match RFC 3986, Appendix B, against a URI. What if
>> there is a query part, for example?
>
> I haven't read the RFC yet, only glanced at it, but it looks like the
> kind of thing I can use. Thanks!
> Question: by "query", are you referring to using a database?
> Otherwise I'm not sure what you meant, nor what the problem may be.

Thomas is referring to a potential query part of the refer(r)er URI
(casually spoken: everything between ? and #). If a query part is
contained in the refer(r)er URI, the last 13 characters won't be the
expected filename.

>> But I would never check against the HTTP-Referer [sic!] in the first
>> place.
>
> Why is that? If an attempted entry is made from other than the forms
> paths, it'll show up on my own screen quickly. Is it easy to spoof or what?

It is very easy to spoof the refer(r)er header[1]--like any other
user-supplied input to a website.

[1] <http://en.wikipedia.org/wiki/Referer_spoofing>

--
Christoph M. Becker
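
An added example, not code from this thread: it compares a last-N-characters check on the referer value with one that first splits the URI using the regular expression from RFC 3986, Appendix B, and then looks only at the path. The filename, function names and sample referer values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. FILENAME and the sample
// referer values are constructed for illustration.
const FILENAME = 'form_page.php';   // 13 characters, like the case discussed

// Regular expression from RFC 3986, Appendix B.
// Groups: 2 = scheme, 4 = authority, 5 = path, 7 = query, 9 = fragment.
const RFC3986_APPENDIX_B =
    '~^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?~';

// Naive check: look only at the last strlen($filename) characters.
function refererEndsWith(string $referer, string $filename): bool
{
    return substr($referer, -strlen($filename)) === $filename;
}

// Split the URI first, then compare only the last path segment.
function refererPathMatches(string $referer, string $filename): bool
{
    if (!preg_match(RFC3986_APPENDIX_B, $referer, $m)) {
        return false;
    }
    $path = $m[5];
    $pos = strrpos($path, '/');
    $segment = ($pos === false) ? $path : substr($path, $pos + 1);
    return $segment === $filename;
}

$samples = [
    'http://www.example.com/forms/form_page.php',
    'http://www.example.com/forms/form_page.php?step=2',
    'http://www.example.com/other.php?next=form_page.php',
    '',   // header absent or empty
];

foreach ($samples as $referer) {
    printf(
        "%-52s suffix=%-5s parsed=%s\n",
        $referer === '' ? '(empty)' : $referer,
        var_export(refererEndsWith($referer, FILENAME), true),
        var_export(refererPathMatches($referer, FILENAME), true)
    );
}
// Even a correct match only describes what the client sent: the header is
// user-supplied input, so it cannot prove where a request came from.
```

The second sample shows the suffix check missing a legitimate page once a query part is present, and the third shows it matching a different page whose query happens to end in the filename.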