Boget, Chris wrote:

> > > Also, you can check the value of $HTTP_REFERER for the ip of
> > the trusted host, to further eliminate the potential.
>
> How do you get the IP out of $HTTP_REFERER?  As far as I know,
> that only tells you the referring url, not the ip address. 

This is correct. But you could extract the hostname and do a dns-lookup, if 
you wish. But the hostname should suffice, shouldn't it?

> And couldn't
> that value be messed with?

Sure it can. It is sent by the browser, so the client (or proxy-servers) 
can manipulate or delete it. Anyway, it's from the wrong side of the trust 
boundary.

Wagner

-- 
One maniac alone can do what 20 together cannot
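
The hostname extraction discussed in this thread, as an added example that is not part of the original messages. The allowlist entry `trusted.example` and the sample URLs are constructed; a match is only a hint, since the header comes from the client.

```php
<?php
// Added example. TRUSTED_REFERER_HOSTS and all sample URLs are constructed.
const TRUSTED_REFERER_HOSTS = ['trusted.example'];

/**
 * Return the lower-cased host of a Referer value, or null when the header
 * is absent, malformed, or not an http(s) URL.
 */
function referer_host(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null; // browsers and proxies may strip the header entirely
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Compare the parsed host only, never a substring of the whole URL.
    return rtrim(strtolower($parts['host']), '.');
}

/**
 * Advisory check: true when the Referer host exactly equals an allowlisted
 * host. The value is client-supplied, so this must not be the only control.
 */
function referer_looks_trusted(?string $referer): bool
{
    $host = referer_host($referer);
    return $host !== null && in_array($host, TRUSTED_REFERER_HOSTS, true);
}

// Constructed samples: only the first has the allowlisted host.
$samples = [
    'http://trusted.example/form.php',
    'http://trusted.example.other.test/form.php', // allowlisted name as a prefix
    'http://other.test/?u=http://trusted.example/', // name only in the query
    'http://trusted.example@other.test/',          // name in the userinfo part
    '',                                            // header missing
];
foreach ($samples as $s) {
    $label = $s === '' ? '(no header)' : $s;
    printf("%-48s %s\n", $label, referer_looks_trusted($s) ? 'match' : 'no match');
}
// In a request handler the input would be $_SERVER['HTTP_REFERER'] ?? null.
```
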

-- 
PHP General Mailing List (http://www.php.net/)