According to the spec:
    The address of the page (if any) which referred the browser to the 
current page. This is set by the user's browser; not all browsers will set 

So if it is set by the user's browser, it can be changed, or shut off. 
I believe there are programs out there that block that env var so people do 
not leave tracks within a site as well. Look at for such programs.

Typically, if a user went through 5 pages to sign up and is on the sixth 
page, I wouldn't worry about someone forging that too much.  I'd be more 
worried about referrer not being set and then not allowing them to signup 
because of that.  You can always set a variable like $PAGENUM in your code on 
the second last page and session register it, then check for it on the last 
page.  If it exists, do your thing and destroy the session.  If it does not 
exist, you can take the desired action.  Combine this with the HTTP_REFERER 
and I would think you should be fairly safe....but remember, the HTTP_REFERER 
could be empty, whereas the session var should be trusted as it is coming 
from your own site.  

On Friday 17 August 2001 09:34 am, you wrote:
> Thanks. But is using $HTTP_REFERER the most secure way of doing it? Or can
> the $HTTP_REFERER be forged and thus gaining unauthorized access to the
> forms?

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to