> Is it possible for a hacker to make an identical $HTT_REFERER
> in the header? I have no idea how $HTTP_REFERER is made, is it made
> from the http client and put in the http header?

Thats exactly how its done. The user agent (browser) takes the URL it was
on when a link was clicked / form submitted etc and places that into a
HTTP header which is sent back to the server. This information can be very
easily faked and is widely implemented into spam / attack bots.
> If I can't trust $HTTP_REFERER, how can I deny malicious attack like
> that?

The best way is authentication. I dont know what the load on your server
is generating, but Im pretty sure there will be an alternative way of
doing it.
eg: on request do the load-based method and dump the details into a
temporary table with a timestamp of the last time it was updated. If you
get the same request within x minutes (or hours / days) then serve up the
generated information from the table.
This would mean that your db no longer gets hammered if malitious users
were to launch 5000 requests at it in the space of 10 mins, it would just 
do the big DB operation the once.

Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to