On Fri, Jul 11, 2008 at 11:03 AM, Steve Manes <[EMAIL PROTECTED]> wrote:
> Daniel's #1 is an important point and one reason why I avoid relying on
> HTTP_REFERER at almost all costs. Because the browser sends this, it means
> it can be spoofed. Worst case, it's like allowing a potentially tainted
> global variable into your application unless you're very careful about
> vetting it.

In the case that Paul is describing, it's okay to trust it _as much as you would trust any other user-submitted value_. You should always html_entities encode a referer when displaying it on a page, just like any other value in $_SERVER, $_GET, $_POST, or $_COOKIE.

Granted, there are all kinds of reasons not to provide back links. Users aren't really expecting them, the referer is not always going to be there, and it potentially leaves your site open to Google abuse, because suddenly your site has links back to anybody else's website. But at the end of the day, if you want to redirect people back to where they came from (like Paypal does, for instance, after you make a payment), you have no choice but to rely on the referer.

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
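The handling described in the reply (treat HTTP_REFERER as user input, encode it when displaying, and only then use it as a back target), as an added PHP 7.1+ example that is not from the thread or from any poster. `SITE_HOST`, the function names and the sample referer are constructed for illustration; the same-host check is an extra guard so that a spoofed referer cannot turn the redirect into an open redirect.

```php
<?php
// Added example (not from the thread): treat HTTP_REFERER like any other
// user-supplied value. SITE_HOST is an assumed constant for the site's own host.
const SITE_HOST = 'www.example.com';

/**
 * Return a referer URL that is safe to use as a same-site "back" target,
 * or null if it is absent, unparsable, not http(s), or points off-site.
 */
function sameSiteReferer(array $server): ?string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return null;                 // header is optional; never assume it exists
    }
    $parts = parse_url($ref);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                 // garbage or a relative string, not a usable URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                 // reject javascript:, data: and similar schemes
    }
    if (strcasecmp($parts['host'], SITE_HOST) !== 0) {
        return null;                 // off-site: redirecting there would be an open redirect
    }
    return $ref;
}

/** Build an HTML "back" link, encoding the value exactly like any other user input. */
function backLinkHtml(array $server): string
{
    $ref = sameSiteReferer($server);
    if ($ref === null) {
        return '<a href="/">Back</a>';   // safe fallback when the referer is unusable
    }
    $safe = htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '">Back</a>';
}

/** Redirect to the referer only when it is same-site; otherwise to the front page. */
function redirectBack(array $server): void
{
    $target = sameSiteReferer($server) ?? '/';
    header('Location: ' . $target, true, 303);
    exit;
}

// Constructed sample input: a same-site referer carrying a double quote in its query string.
$sample = ['HTTP_REFERER' => 'https://www.example.com/list?q=a"b'];
echo backLinkHtml($sample), "\n";
```

Replace `$sample` with `$_SERVER` in a real handler; the quote in the sample query string shows why the value must be encoded before it is placed in an attribute.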