On Thu, 2004-04-08 at 13:54, Richard Davey wrote:
> Hello Pablo,
> 
> Thursday, April 8, 2004, 6:32:06 PM, you wrote:
> 
> PG> At any rate, if you're relying on HTTP_REFERER to make sure a script is
> PG> being called from a certain location, I don't think it's very reliable.
> 
> PG> Does anyone have any ideas as to a workaround for this?
> 
> There are probably better, but I did come up with something
> specifically for this a while ago:
> 
> Basically all form input went via a redirect script first.
> 
> Form 1 (in the users browser) submits everything to a PHP script that
> does nothing but suck in all of the $_POST values and then itself
> redirects this to the actual PHP processing script it was meant for.
> It redirects using an HTTP header and POSTing all of the form values
> it had received originally. When developing I used the Snoopy class to
> handle this for me.
> 
> It works for 2 reasons (1) you ALWAYS know the IP address of the
> script you are receiving the data from (because it's the same server*)
> and (2) the redirect script can also add an extra POST variable that
> identifies it is from a secure source (perhaps a private key, or md5
> hash or similar). Or it could use your own HTTP headers or User Agent
> for further checks.
> 
> * although it doesn't have to be
> 
> Downsides:
> 
> Your site is effectively processing all form data twice. Depending on
> traffic/size of forms/etc this probably isn't desirable.
> 
> But, it does actually work and AFAIK cannot be easily spoofed.

I don't think this works in general. For instance some ISPs can have the
user's IP change between page requests (incuding redirects). AOL is an
example of such and ISP.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to