ID:               31459
 User updated by:  motion_4u at hotmail dot com
 Reported By:      motion_4u at hotmail dot com
 Status:           Bogus
 Bug Type:         URL related
 Operating System: all
 PHP Version:      4.3.10
 New Comment:

After reading some comments regarding the HTTP_REFERER I have found
this very important to add:
The "include" function is a server side action and has nothing to do
with what kind of browser you call the page with.
It starts on the server and ends there too, returning only the result
to the browser!
In fact, Javascript has very good success compared to PHP when it
comes to detecting the referer. The only problem is that the referer
URL must be resubmitted to bring it to the server side.


Previous Comments:
------------------------------------------------------------------------

[2005-01-09 22:50:38] [EMAIL PROTECTED]

The variable HTTP_REFERER is populated by the browser, and if
getenv('HTTP_REFERER') returns false, then the browser didn't send it
to the server.
Make sure your browser sends it; until then it's not a PHP bug.

------------------------------------------------------------------------

[2005-01-09 22:24:20] motion_4u at hotmail dot com

Description:
------------
This page includes an included file called "refer.php" containing 2
lines as follows:

<? $refer=getenv('HTTP_REFERER');
return $refer; ?> 

If the function "getenv('HTTP_REFERER')" works correctly, you should
see the URL of this subdirectory + "refer.php" below 

REFERER: <-- You see nothing! 

The code for this file is as follows:

<?
$ref=include "refer.php";
echo $ref;
?> 

The basic purpose of the "getenv('HTTP_REFERER')" function is very simple!
It has to return the URL of the caller.
At first glance it seems like something not important at all, but
actually it is a major security problem for those who rely on the
"getenv('HTTP_REFERER')" function to identify the caller page, to return
a hidden value using the "include" function back only to a predefined URL.

Reproduce code:
---------------
You can access the URL to test it right here:
http://motion4u.sytes.net/phpreferertest/index.php

Expected result:
----------------
Must return a URL and not nothing!
You don't even get NULL!

Actual result:
--------------
OK, I'll keep it as short as possible! Only one word:

Zilch


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=31459&edit=1
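
Added example, not part of the original report or of PHP's own code: the Referer header is optional and chosen by the client, so a page opened directly (as in the test above) sees none, and a value that is present proves nothing about the caller. The sketch below treats it as an unverified hint and gates the hidden value on a server-side session token instead. All function names are hypothetical, the request arrays are constructed samples, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; function names and sample data are hypothetical.

/**
 * Return the Referer header if the client sent one, otherwise null.
 * The value is client-supplied: usable for logging, never as proof of origin.
 */
function referer_or_null(array $server): ?string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return $ref === '' ? null : $ref;
}

/** Store a fresh random token in the session of the page allowed to ask. */
function issue_token(array &$session): string
{
    $session['gate_token'] = bin2hex(random_bytes(16));
    return $session['gate_token'];
}

/** Release the hidden value only if the submitted token matches the stored one. */
function hidden_value_for(array $session, string $submitted, string $secret): ?string
{
    $expected = $session['gate_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        return null; // no token issued, or wrong token: nothing is released
    }
    return $secret;
}

// Constructed sample requests (stand-ins for $_SERVER, not real traffic).
$direct  = ['REQUEST_URI' => '/phpreferertest/index.php'];  // opened directly: no Referer
$claimed = ['HTTP_REFERER' => 'http://trusted.example/'];   // whatever the client chose to send

// Constructed session (stand-in for $_SESSION).
$session = [];
$token   = issue_token($session);

var_dump(referer_or_null($direct));   // header absent
var_dump(referer_or_null($claimed));  // header present but unverified
var_dump(hidden_value_for($session, $token, 'hidden value'));  // matching token
var_dump(hidden_value_for($session, 'guess', 'hidden value')); // wrong token
```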
