Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181971 is a reply to message #181968]
Fri, 28 June 2013 19:26
Jerry Stuckle
On 6/28/2013 2:07 PM, Twayne wrote:
> On 2013-06-27 5:52 PM, Jerry Stuckle wrote:
>> On 6/27/2013 5:23 PM, Twayne wrote:
>>> I have what's probably a simple and very basic question.
>>>
>>> My goal is to see where a visitor sending a form-email with mail() on
>>> win 7 and XAMPP - PHP 5.3.5, came from. e.g. did he come here from the
>>> right page or just barge into this page as his landing page?
>>> My php.ini seems to be OK and I've not changed any other config
>>> files. All other "If's" work OK and I'm now baffled.
>
> ...
>
>>
>> Like anything else sent by the client, you can't trust
>> $_SERVER['HTTP_REFERER']. It may or may not exist, and if it does, it
>> may or may not contain the actual referrer page.
>
> Perhaps you can expand on that? Referrer does exist, and it's sent to me
> by my server. If it doesn't indicate MY previous form page, then I know
> the visitor and it reflects ONLY my own files to be accepted, or hasn't
> used the website link to access that particular page, or has tried some
> sort of direct access, Back Button, etc.; and I destroy the session and
> stop the script.
>
> TIA for enlightening me.
>
> Twayne

It is supplied by the user, and like anything user-supplied, can easily
be spoofed. And some people don't even send it (I've heard Norton has
an option to strip it, but haven't confirmed that fact).

Just because it exists and is correct on your system does NOT mean it
exists or is correct when coming from other systems!

The bottom line is - it is user-supplied data, and you should NEVER
trust user-supplied data.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
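
An added example, not part of the original post or written by either poster: one way to confirm that a submission really followed the form page is a one-time token that the server stores in the session, with the Referer header only logged. The names `FORM_URL`, `issue_form_token()` and `accept_submission()` are hypothetical, the requests are constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example, not from the thread. FORM_URL, issue_form_token() and
// accept_submission() are hypothetical names; assumes PHP 7 or later.
const FORM_URL = 'https://example.test/contact.php'; // constructed placeholder

// Form page: keep a random one-time token in the session and return it
// for embedding in a hidden <input name="form_token">.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Mail handler: the decision rests only on state the server stored itself.
function accept_submission(array &$session, array $post, array $server): bool
{
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']); // single use: a Back-button resubmit fails
    $supplied = $post['form_token'] ?? '';
    if (!is_string($supplied)) {
        $supplied = ''; // e.g. form_token[]=x arrives as an array
    }
    // Referer is optional and client-controlled: log it (escaped), never gate on it.
    $referer = $server['HTTP_REFERER'] ?? null;
    error_log('contact form POST, referer=' . json_encode($referer));

    return $expected !== '' && hash_equals($expected, $supplied);
}

// Constructed requests; plain arrays stand in for $_SESSION, $_POST and $_SERVER.
$session = [];
issue_form_token($session);
$forged = accept_submission($session, [], ['HTTP_REFERER' => FORM_URL]);

$token  = issue_form_token($session);
$direct = accept_submission($session, ['form_token' => $token], []);
$replay = accept_submission($session, ['form_token' => $token], ['HTTP_REFERER' => FORM_URL]);

foreach (['forged Referer, no token' => $forged,
          'no Referer, valid token'  => $direct,
          'same token replayed'      => $replay] as $case => $ok) {
    printf("%-25s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

In a real handler the three arrays would be `$_SESSION` (after `session_start()`), `$_POST` and `$_SERVER`.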