On Tue, Sep 24, 2002 at 03:49:40PM +0200, Günter Knauf wrote:
> Hi Thomas,
> >> are the server-side vars generated by the server or only echoed vars
> >> which were provided by the browser??
> >> especially REQUEST_URI is of interest for me for security purposes in
> >> scripts, so is it generated by Apache itself or can it be faked by the
> >> client?
> >
> > In 1.3 it looks like it's set from the original request, but to be able
> > to fake it they can't call your script (right?)
> f.e. I have a perl mailscript which should only accept formdata from a form which
> was served by my host, so I want to check in the script if REQUEST_URI is from my own
> host or probably comes from a locally stored and modified form...
> so any other ideas what I can check to be 100% sure that the form was served by my
> server?

Probably not the right list for this, but you can't really be 100% sure
that the form is being submitted from your server. But what you are
looking for is really the referer. (still not 100% sure though)

-- 
Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
mod_pointer <http://stderr.net/mod_pointer> <http://photos.eibner.dk/>
!(C)<http://copywrong.dk/> <http://apachegallery.dk/>
Putting the HEST in .COM <http://www.hestdesign.com/>
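
As an added illustration (not part of the original thread), the referer check suggested above could look like this in a Perl CGI script; `www.example.org`, the helper names and the sample environments are constructed assumptions. The cases show that REQUEST_URI is identical for every submission and that the Referer header is only what the client sent, so the check filters casual misuse but proves nothing.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Host name and sample data are constructed.
use strict;
use warnings;

my $MY_HOST = 'www.example.org';    # assumption: the host that serves the form

# Host part of an http(s) URL, lower-cased; undef if absent or unparsable.
sub referer_host {
    my ($referer) = @_;
    return undef unless defined $referer;
    if ($referer =~ m{^https?://([^/:?#\s]+)(?::\d+)?(?:[/?#]|\z)}i) {
        return lc $1;
    }
    return undef;
}

# True only when the Referer header names our host exactly. Fails closed,
# so clients or proxies that strip the header are rejected as well.
sub referer_is_ours {
    my ($env) = @_;
    my $host = referer_host($env->{HTTP_REFERER});
    return (defined $host && $host eq lc $MY_HOST) ? 1 : 0;
}

# Constructed CGI environments. REQUEST_URI is the URL of the script being
# requested, so it is the same in every case and says nothing about the form.
my @cases = (
    [ 'form served by our host',
      { REQUEST_URI => '/cgi-bin/mail.pl', HTTP_REFERER => 'http://www.example.org/contact.html' } ],
    [ 'locally stored form, no Referer sent',
      { REQUEST_URI => '/cgi-bin/mail.pl' } ],
    [ 'form on a look-alike host',
      { REQUEST_URI => '/cgi-bin/mail.pl', HTTP_REFERER => 'http://www.example.org.example.net/contact.html' } ],
    [ 'client that fills in the Referer header itself',
      { REQUEST_URI => '/cgi-bin/mail.pl', HTTP_REFERER => 'http://www.example.org/contact.html' } ],
);

for my $case (@cases) {
    my ($label, $env) = @$case;
    printf "%-48s REQUEST_URI=%s  accepted=%d\n",
        $label, $env->{REQUEST_URI}, referer_is_ours($env);
}
```

In the mailscript itself the hash passed to `referer_is_ours` would be `\%ENV`.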