Re: Validate Radio Buttons? [message #182402 is a reply to message #182400]
Sat, 03 August 2013 00:20
Jerry Stuckle
On 8/2/2013 8:06 PM, Twayne wrote:
> On 2013-08-01 10:10 PM, Jerry Stuckle wrote:
>> On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
>>> Jerry Stuckle wrote:
> ...
>>
>> Yes, it is quite simple to check the referrer. However, that's a poor
>> thing to check, because it isn't a required field and may not be set.
>> Additionally, some firewalls/security products will strip the
>> HTTP_REFERER before sending the data (Norton has been famous for this in
>> the past - I don't know if they still do it).
>
> Yup! No Referrer, no access! Wrong referrer, still no access. Spoof it
> properly or forget it. Along with other checks & balances along the way
> of course.
>
Then you will lock out a number of valid users. HTTP_REFERER is not a
required field, and some firewalls will strip it from the header (Norton
used to do this).
Plus it is so easy to spoof it isn't even funny. I don't even need to
use cURL to do it - I can do it with simple HTML.
>>
>> The result is checking HTTP_REFERER will keep out more valid users than
>> it will block hackers.
>
> That sounds like a bunch of bologna unless you can cite something
> verifiable to support it.
Please see above.
> I have never, in over a decade, seen Referrer ever block anyone and
> I receive host reports of every single contact attempt on my site,
> successful or not. Daily.
Not that you know of, anyway. But how do you know it was never blocked?
I've had some sites where the customer wants the referrer tracked. We
do, and sometimes it comes up empty (even on a POST operation).
> The only reason I don't have anything more cohesive to support my
> claim is that I lost a lot of memory due to a serious brain concussion a
> few years back, necessitating re-learning a LOT of things, but I still
> have all my records in archive.
Which does not mean it does not occur.
> Every contact is and was evaluated to see if I care why a contact
> attempt failed. Being so near a college town, there are a lot of
> abandoned and unsuccessful access attempts. So far none have succeeded
> although it's been a long trip getting my knowledge back!
>
And you don't know how many spoofed entries there are, either.
> So if you can, please cite something to support your claim that it keeps
> out more valid users than bots & hackers & crackers.
>
>
See above. HTTP_REFERER is NOT to be trusted.
Or google for it and see what else you find.
However, this is also off-topic in a PHP newsgroup.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
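
The contrast discussed in this message, as an added example that is not part of the original post: a Referer-based gate next to a session-token check, run against two constructed requests. The function names, the `form_token` field and the `example.com` URLs are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Function names, the 'form_token'
// field and the example.com URLs are assumptions made for illustration.

// Gate of the kind argued about above: it rejects any request whose Referer
// is missing or stripped, and accepts any client that sends the expected string.
function referer_gate(array $server, string $expectedPrefix): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return $ref !== ''
        && strncmp($ref, $expectedPrefix, strlen($expectedPrefix)) === 0;
}

// Server-side alternative: a random token stored in the session and sent
// back by the form as a hidden field.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

function token_gate(array $session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    // hash_equals() compares in constant time; both arguments must be strings.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed requests: $_SESSION, $_SERVER and $_POST are simulated with arrays.
$session = [];
$token   = issue_form_token($session);

$requests = [
    'valid user, Referer stripped' =>
        ['server' => [], 'post' => ['form_token' => $token]],
    'client-supplied Referer, no token' =>
        ['server' => ['HTTP_REFERER' => 'https://example.com/form.php'], 'post' => []],
];

foreach ($requests as $label => $req) {
    printf("%-36s referer_gate=%s token_gate=%s\n", $label,
        var_export(referer_gate($req['server'], 'https://example.com/'), true),
        var_export(token_gate($session, $req['post']), true));
}
```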