> Is it possible for a hacker to make an identical $HTTP_REFERER
> in the header? I have no idea how $HTTP_REFERER is made, is it made
> from the http client and put in the http header?

That's exactly how it's done. The user agent (browser) takes the URL it was on when a link was clicked / form submitted etc. and places that into an HTTP header which is sent back to the server. This information can be very easily faked and is widely implemented into spam / attack bots.

> If I can't trust $HTTP_REFERER, how can I deny malicious attack like
> that?

The best way is authentication. I don't know what the load on your server is generating, but I'm pretty sure there will be an alternative way of doing it.

e.g.: on request do the load-based method and dump the details into a temporary table with a timestamp of the last time it was updated. If you get the same request within x minutes (or hours / days) then serve up the generated information from the table.

This would mean that your db no longer gets hammered if malicious users were to launch 5000 requests at it in the space of 10 mins, it would just do the big DB operation the once.

--
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
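
The time-stamped cache table described in the reply above, sketched in PHP as an added example that is not part of the original post. The table name `report_cache`, the functions `expensive_report()` and `cached_report()`, the 600-second window and the in-memory SQLite database are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: report_cache, expensive_report(), cached_report().
const CACHE_TTL = 600; // the post's "x minutes"; 10 minutes is an assumed value

$db = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE report_cache (
    request_key TEXT PRIMARY KEY,
    payload     TEXT NOT NULL,
    updated_at  INTEGER NOT NULL
)');

// Stand-in for the heavy database operation; $runs counts how often it really executes.
function expensive_report(array $params, int &$runs): string
{
    $runs++;
    return json_encode(['params' => $params, 'rows' => 12345]);
}

function cached_report(PDO $db, array $params, int $now, int &$runs): string
{
    ksort($params);                               // same request => same key
    $key = hash('sha256', json_encode($params));  // key comes from the request, not the Referer

    $sel = $db->prepare('SELECT payload FROM report_cache
                         WHERE request_key = ? AND updated_at > ?');
    $sel->execute([$key, $now - CACHE_TTL]);
    $hit = $sel->fetchColumn();
    if ($hit !== false) {
        return $hit;                              // fresh copy exists: skip the heavy work
    }

    $payload = expensive_report($params, $runs);
    $up = $db->prepare('REPLACE INTO report_cache (request_key, payload, updated_at)
                        VALUES (?, ?, ?)');
    $up->execute([$key, $payload, $now]);
    return $payload;
}

// Constructed traffic: 5000 identical requests spread over 10 minutes, then one after expiry.
$runs = 0;
$t0 = 1000000; // constructed start timestamp
for ($i = 0; $i < 5000; $i++) {
    cached_report($db, ['region' => 'eu', 'year' => '2002'], $t0 + intdiv($i * 599, 4999), $runs);
}
cached_report($db, ['year' => '2002', 'region' => 'eu'], $t0 + CACHE_TTL + 1, $runs);
echo "expensive runs: $runs\n";
```

Requests that arrive while the first heavy run is still in progress will each miss the cache, so a busy site would also want a lock or an "in progress" marker on the row.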