Daniel Convissor wrote:
You misunderstand what the HTTP referer does. In addition, be careful of
what some other folks have posted in this thread; they're
misunderstanding your situation, so they may confuse you further.
Here are several key points:
* it is set by the browser
* it gets sent in the HTTP headers when requesting a page
* it indicates the URI a hyperlink was found on
Daniel's #1 is an important point and one reason why I avoid relying on
HTTP_REFERER at almost all costs. Because the browser sends this, it
can be spoofed. Worst case, it's like allowing a potentially
tainted global variable into your application unless you're very careful
about vetting it.
In my pre-PHP days, in fact my very early web days circa 1995, my web
server got hacked because of a cleverly configured, spoofed HTTP_REFERER
I was using to regulate access to a vintage motorcycle image archive and
provide a back link. I learned a lotta security lessons from that
episode, including not to trust ANYTHING the browser hands me.
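The pattern the reply argues for, as an added PHP example that is not from the original thread: the Referer is used only for a back link after strict validation, while access to the archive is decided from server-side session state alone. The origin, fallback path and session key are hypothetical.

```php
<?php
// Added example (not from the original post). Configuration values are hypothetical.
const TRUSTED_ORIGIN = 'https://archive.example.org';
const FALLBACK_LINK  = '/gallery/';

/**
 * Return a back link derived from the Referer header, or the fallback.
 * The header is optional, browser-controlled and trivially forged, so it is
 * only ever a navigation convenience and never an input to authorization.
 */
function safeBackLink(?string $referer): string
{
    if ($referer === null || $referer === '' || strlen($referer) > 2048) {
        return FALLBACK_LINK;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return FALLBACK_LINK;           // relative, malformed or scheme-less
    }
    // Compare the whole rebuilt origin, not a substring, so a host such as
    // "archive.example.org.other.example" or a different port is rejected.
    $origin = strtolower($parts['scheme'] . '://' . $parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];   // explicit ":443" also falls back
    }
    if ($origin !== TRUSTED_ORIGIN) {
        return FALLBACK_LINK;
    }
    // Keep only path and query (no userinfo or fragment), escaped for an href.
    $path = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

/** Authorization uses server-side session state only, never the Referer. */
function canViewArchive(array $session): bool
{
    return ($session['archive_member'] ?? false) === true;   // hypothetical key
}

// Constructed inputs, not captured requests.
$samples = [
    'https://archive.example.org/bikes/1972-norton.html',   // trusted origin
    'https://archive.example.org.other.example/',           // host suffix trick
    'not-a-url',                                            // no scheme/host
    null,                                                   // header absent
];
foreach ($samples as $candidate) {
    echo var_export($candidate, true), ' => ', safeBackLink($candidate), "\n";
}
echo 'member: ', var_export(canViewArchive(['archive_member' => true]), true), "\n";
echo 'anonymous: ', var_export(canViewArchive([]), true), "\n";
```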
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk