Register Globals on

Sign In/My Account | View Cart

Article:		Ten Security Checks for PHP, Part 1
Subject:		Register Globals on
Date:		2007-03-01 11:52:54
From:		andrwe
Response to: Register Globals on
My method for securing where POST data comes from is thus: $referer = $_SERVER['HTTP_REFERER']; if ($referer != "http://www.domain.com/form.html") { echo "nice try!"; } else { process_form(); } Any downside to that (other than having to change the URL upon upload)?

Full Threads

Oldest First

Showing messages 1 through 2 of 2.

Register Globals on
2008-07-01 11:13:49 davidrrm [View]

That's certainly not a certain test though. I could create a program to do the post and it would set HTTP_REFERER to what you are looking for.

Register Globals on
2007-03-01 14:10:51 Clancy Malcolm | [View]

The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.

Clancy

Privacy Policy >
View Sample Newsletter >

View All RSS Feeds >

800-889-8969 or 707-827-7019
Monday-Friday 7:30am-5pm PT
©2011, O'Reilly Media, Inc.
All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners.