Article:   Ten Security Checks for PHP, Part 1
Subject:   Register Globals on
Date:   2007-03-01 11:52:54
From:   andrwe
Response to: Register Globals on

My method for securing where POST data comes from is thus:


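// The Referer header is optional, so guard against it being absent.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// Only process the form when the request claims to come from our form page.
if ($referer != "http://www.domain.com/form.html") {
    echo "nice try!";
} else {
    process_form();
}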


Any downside to that (other than having to change the URL upon upload)?

  • Register Globals on
    2007-03-01 14:10:51  ClancyMalcolm

    The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.

    Clancy
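
An added example, not part of the original thread or the article: because the Referer header is supplied by the client, the check above can be replaced by a per-session token that the server issues with the form and compares on submission. It assumes PHP 7 or later; the function names, the `form_token` field and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example: a server-issued form token instead of a Referer comparison.
// issue_form_token(), verify_form_token() and the "form_token" field are
// hypothetical names chosen for this sketch.
declare(strict_types=1);

function issue_form_token(array &$session): string
{
    // 32 bytes from the OS CSPRNG, hex-encoded so it is safe inside HTML.
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

function verify_form_token(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    $supplied = $post['form_token'] ?? null;

    // Single use: discard the stored token whether or not the check passes,
    // so a captured submission cannot be replayed.
    unset($session['form_token']);

    if (!is_string($expected) || !is_string($supplied)) {
        return false;
    }
    // Constant-time comparison of the stored and submitted values.
    return hash_equals($expected, $supplied);
}

// Constructed demo. $session stands in for $_SESSION after session_start(),
// and the arrays passed as $post stand in for $_POST.
$session = [];
$token = issue_form_token($session);
// The form page would render:
//   <input type="hidden" name="form_token" value="...$token...">

// Submission carrying the token that was rendered into the form.
var_dump(verify_form_token($session, ['form_token' => $token]));

// Replay of the same submission: the token has already been consumed.
var_dump(verify_form_token($session, ['form_token' => $token]));

// Submission with the expected Referer header but no token. The header
// value is client-controlled and is never consulted by the check.
$session = [];
issue_form_token($session);
$server = ['HTTP_REFERER' => 'http://www.domain.com/form.html'];
var_dump(verify_form_token($session, ['name' => 'constructed']));
```

In a real page the token is stored in `$_SESSION` when the form is rendered, and `process_form()` is called only when `verify_form_token($_SESSION, $_POST)` returns true.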