On 14 Sep 98, Bruce Young wrote:
> I would like to make sure that it is only called from that computer (A).
> The environment variables give me the user's IP address (no use) and I can
> get the referer URL. The Referer URL is probably what I want to check
> against. Is this correct? Fool proof?? Any other ideas?
Hiya Bruce, long time no chat :)
Anyway... here's how Matt Wright handles this in a couple
of his generic scripts. It shows which variables I use to
ensure that only scripts located on my server can be executed:
# Define Variables
# @referers allows forms to be located only on servers which are defined
# in this field.
@referers = ('storm.ca', 'www.almonte.com');
[snip]
sub check_url {
    # Localize the check_referer flag which determines if user is valid.
    local($check_referer) = 0;
    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;
    }
    # If the HTTP_REFERER was invalid, send back an error.
    if ($check_referer != 1) { &error('bad_referer') }
}
[snip]
sub error {
    # Localize variables and assign subroutine input.
    local($error,@error_fields) = @_;
    local($host,$missing_field,$missing_field_list);
    if ($error eq 'bad_referer') {
        if ($ENV{'HTTP_REFERER'} =~ m|^https?://([\w\.]+)|i) {
            $host = $1;
            print <<"(END ERROR HTML)";
[snip -- the rest is the routine for printing an error message
if someone improperly tries to access the script]
Hope this helps.
-----------
Brent Eades, Almonte, Ontario
E-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED]
Town of Almonte site: http://www.almonte.com/
Business site: http://www.federalweb.com
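
On the "Fool proof??" part of the question, an added example (not part of the original post and not Matt Wright's code) that runs the posted pattern over constructed Referer values next to a stricter host comparison. The strict_check routine and every sample URL are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list as given in the post.
my @referers = ('storm.ca', 'www.almonte.com');

# The test as check_url performs it: the pattern is not anchored to the end
# of the host, dots in the list entries match any character, and a request
# with no Referer header is accepted.
sub original_check {
    my ($ref) = @_;
    return 1 unless $ref;
    foreach my $referer (@referers) {
        return 1 if $ref =~ m|https?://([^/]*)$referer|i;
    }
    return 0;
}

# Stricter variant (this example's assumption, not Matt Wright's code):
# isolate the host, compare it literally, and require the header.
sub strict_check {
    my ($ref) = @_;
    return 0 unless defined $ref;
    return 0 unless $ref =~ m{^https?://([^/:?#\@]+)(?::\d+)?(?:[/?#]|\z)}i;
    my $host = lc $1;
    foreach my $allowed (@referers) {
        return 1 if $host eq $allowed;               # exact host
        return 1 if $host =~ /\.\Q$allowed\E\z/;     # subdomain of it
    }
    return 0;
}

# Constructed Referer values (undef stands for a request without the header).
my @samples = (
    'http://www.storm.ca/form.html',
    'http://www.almonte.com/contact.html',
    undef,
    'http://storm.ca.example.net/form.html',
    'http://stormxca.example.net/form.html',
    'http://example.net/page?from=http://storm.ca/',
);

foreach my $ref (@samples) {
    printf "%-46s original=%d strict=%d\n",
        defined $ref ? $ref : '(no Referer header)',
        original_check($ref), strict_check($ref);
}
```

Both routines read a header whose value is chosen by the client, so even the strict form only filters forms hosted elsewhere; it does not establish that a request came from computer A.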