On 10/25/06, Marc Antony Vose <[EMAIL PROTECTED]> wrote:
> Hey Chris:
>
> Just wondering about this...what kind of filter would you recommend
> passing over the HTTP_REFERER in order to verify it's (reasonably)
> kosher?
>
> Cheers,
>
> Marc
> http://www.suzerain.com
At minimum you'd want to make sure the referrer starts with "http://" or "https://", which will cut off local filesystem access. Include ftp:// if you need to, but who passes ftp urls in the referrer?

If your server can potentially access other systems inside a firewall, it would be a darn good idea to write some sort of host-based blacklist, with localhost included. Being comprehensive could be difficult, maybe just better to disallow LAN access to any server that runs this kind of code.

Of course, if the value is output into markup, you want to convert it using htmlentities().

Anyone think of anything else?

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
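The checks Chris lists above, written out as one PHP function (an added example, not code from either poster; it assumes PHP 7 or later for filter_var() and the typed parameters). It goes one step beyond the host blacklist in the reply by also resolving the host and refusing private and reserved IP ranges, which is a way of approximating "disallow LAN access" in code.

```php
<?php
// Added example: validate HTTP_REFERER before doing anything with it
// beyond logging. Returns true only for a public http(s) URL.
function referrer_is_kosher(string $referrer): bool
{
    // parse_url() rejects badly malformed URLs outright.
    $parts = parse_url($referrer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // 1. Only http:// and https://. This drops file://, php://, data: etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // 2. Host-based blacklist, with localhost included.
    //    IPv6 literals come back from parse_url() in brackets, so strip them.
    $host = strtolower(trim($parts['host'], '[]'));
    $blacklist = ['localhost', '127.0.0.1', '::1', '0.0.0.0'];
    if (in_array($host, $blacklist, true)) {
        return false;
    }

    // 3. Resolve the name and refuse private/reserved ranges (LAN, loopback,
    //    link-local). gethostbyname() only does IPv4 and returns its input
    //    unchanged when the lookup fails.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;                 // a literal IP was given in the URL
    } else {
        $ip = gethostbyname($host);
        if ($ip === $host) {
            return false;            // unresolvable name
        }
    }
    // Caveat: the name is resolved here and again when the URL is fetched,
    // so a host whose DNS answer changes between the two can slip through.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Whenever the value is echoed into markup, convert it first.
function referrer_for_html(string $referrer): string
{
    return htmlentities($referrer, ENT_QUOTES, 'UTF-8');
}
```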
