Re: [PHP] Re: strpos error (I'm missing something obvious)

2007-10-02 Thread Andrew Ballard
I'd suggest the following *slight* enhancement to make sure that the
HTTP_REFERER actually *begins* with the site name, not simply contains
it.

// prevents visits from pages like
// http://badsite.com/form.htm?http://www.wnc.edu
if (strpos($referer, $site) === 0)
{
    echo 'yes';
}

(or, if you like the preg solution)
// preg_quote() keeps the dots in $site literal instead of matching any character
if (preg_match('%^' . preg_quote($site, '%') . '%', $referer))
{
    //
}

However, I'd argue that the effectiveness of checking the referrer
itself could be considered negligible, and hardly foolproof. The
header is easily spoofed in scripts, and may not even be sent at all
by legitimate clients because of various browser and/or personal
firewall options.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: strpos error (I'm missing something obvious)

2007-10-02 Thread Kevin Murphy
Thanks for the info. I've modified the script to reflect that. I actually ended up reversing it, and so I used !== 0 which should work just the same.

All this is a minor portion of a much larger security scheme for an intranet site (which is protected by an LDAP server), where I am just trying to keep images outside the web directory, and want to prevent people from linking directly to an image... the only way an image displays is if they view the page, and not link directly to the image. Not foolproof, I know, but I'm not dealing with the general population here, just internal employees some of whom are more computer savvy than others.


Thanks all for your help. It seems to be working now.

--
Kevin Murphy
Webmaster: Information and Marketing Services
Western Nevada College
www.wnc.edu
775-445-3326

P.S. Please note that my e-mail and website address have changed from wncc.edu to wnc.edu.



On Oct 2, 2007, at 8:32 AM, Andrew Ballard wrote:







Re: [PHP] Re: strpos error (I'm missing something obvious)

2007-10-02 Thread Al

I didn't mean that the function was foolproof, only the match function itself.

However, your suggestion to add the line start is simple and effective.

Andrew Ballard wrote:




Re: [PHP] Re: strpos error (I'm missing something obvious)

2007-10-02 Thread Andrew Ballard
On 10/2/07, Al [EMAIL PROTECTED] wrote:
 I didn't mean that the function was foolproof, only the match function itself.

Understood. :-)




Re: [PHP] Re: strpos

2001-11-16 Thread jtjohnston

Andrew Kirilenko wrote:

 Oops. Forgot about 0 return ;(

Which means ???
They both work for me, yeah? No?

This tells me that the user made a boo boo:

 if ((strpos($yourimage, ".jpg") !== false) || (strpos($yourimage, ".jpeg") !== false))

So what does this do?

if ((!strpos($yourimage, ".jpg")) || (!strpos($yourimage, ".jpeg")))


J


  -Original Message-
  From: Martin Thoma [mailto:[EMAIL PROTECTED]]
  Sent: Friday, November 16, 2001 9:42 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [PHP] Re: strpos
 
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] Re: strpos

2001-11-15 Thread Andrew Kirilenko

Hello!

if (!strpos(...))
will be better...

Best regards,
Andrew Kirilenko.

 -Original Message-
 From: Martin Thoma [mailto:[EMAIL PROTECTED]]
 Sent: Friday, November 16, 2001 9:28 AM
 To: [EMAIL PROTECTED]
 Subject: [PHP] Re: strpos
 
 
 strpos returns false if the search fails. You therefore have to test for:
 
 if (strpos(...,...) === false)
 
 or
 
 if (strpos(...,...) !== false)
 
 Martin
 
 
 Jtjohnston wrote:
 
  I suppose I'm doing this right? I want to know if the user entered
  \.jpeg or \.jpg. If he didn't, it should error.
 
  It errors anyways? What do I have to do, add slashes in my input???
  :o)
 
  // if((!strpos($yourimage, "\.jpg")) || (!strpos($yourimage, "\.jpeg")))  \\ --- tried both!
  if ((!strpos($yourimage, ".jpg")) || (!strpos($yourimage, ".jpeg")))
  {
      error_found("error found");
      $errorfound++;
  }
 
 
 

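An added example (not code from any message in this thread) that puts Andrew's prefix check on HTTP_REFERER and Martin's `!== false` point, both quoted above, into one runnable script; the site value, the sample referers and the boundary test after the prefix are my own assumptions.

```php
<?php
// Added example, not code from any message in the thread. It combines the
// prefix check Andrew suggested for HTTP_REFERER with Martin's point that
// strpos() must be compared to false with !==. Sample values are constructed.

// Martin's point: strpos() returns 0 for a match at the first byte and false
// for no match. Both are falsy, so `!strpos($s, $needle)` cannot distinguish
// "found at offset 0" from "absent"; only `!== false` can.
function hasExtension(string $filename, string $ext): bool
{
    return strpos($filename, $ext) !== false;
}

// Andrew's point: the referer must *begin* with the site URL, so a page such
// as http://badsite.com/form.htm?http://www.wnc.edu is rejected. The boundary
// test after the prefix is an assumption added here: without it,
// http://www.wnc.edu.badsite.com/ would also pass.
function refererStartsWithSite(string $referer, string $site): bool
{
    $site = rtrim($site, '/');
    if (strpos($referer, $site) !== 0) {   // === 0, never a bare truthiness test
        return false;
    }
    $next = substr($referer, strlen($site), 1);
    return $next === '' || $next === '/' || $next === '?' || $next === '#';
}

// Same rule as a regex; preg_quote() keeps the dots in the site name literal.
function refererMatchesSiteRegex(string $referer, string $site): bool
{
    $pattern = '%^' . preg_quote(rtrim($site, '/'), '%') . '(?:[/?#]|$)%';
    return preg_match($pattern, $referer) === 1;
}

$site  = 'http://www.wnc.edu';
$cases = [                                             // constructed referers
    'http://www.wnc.edu/gallery.php'                 => true,
    'http://badsite.com/form.htm?http://www.wnc.edu' => false,
    'http://www.wnc.edu.badsite.com/'                => false,
    ''                                               => false, // header not sent
];
foreach ($cases as $referer => $expected) {
    $agree = refererStartsWithSite($referer, $site) === $expected
          && refererMatchesSiteRegex($referer, $site) === $expected;
    printf("%-50s %s\n", $referer === '' ? '(no referer)' : $referer, $agree ? 'ok' : 'MISMATCH');
}

// The 2001 pitfall: ".jpg" sits at offset 0, so `!strpos()` wrongly reports it missing.
var_dump(hasExtension('.jpg', '.jpg'), !strpos('.jpg', '.jpg'));
```

The empty-referer case is listed because, as Andrew notes, legitimate clients may not send the header at all, so a deny-on-missing check will also block some real users.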




Re: [PHP] Re: strpos

2001-11-15 Thread Martin Thoma

 if (!strpos(...))
 will be better...

Why?







RE: [PHP] Re: strpos

2001-11-15 Thread Andrew Kirilenko

Oops. Forgot about 0 return ;(

 -Original Message-
 From: Martin Thoma [mailto:[EMAIL PROTECTED]]
 Sent: Friday, November 16, 2001 9:42 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [PHP] Re: strpos
 
 
