NYCPHP Meetup

[nycphp-talk] <a href> vs. <form> request

Jerry Kapron jkapron at NewAgeWeb.com
Wed Apr 16 21:12:15 EDT 2003


Pinyo,

>New guy here.  This may help.  I use this too, so if you can point out any
>weaknesses, please let me know.
>
><?php
>$host = "www.yoururl.com";
>if (!isset($HTTP_REFERRER) || ($HTTP_HOST != $host)) {
>    # access denied message
>}
>?>
>
>You may have to use the long-hand variable call.  Anyway, it basically say
>that to load this page the request must come from another page on the same
>host.  This way people cannot create form on their site and link to your
>pages, nor can they type in the address directly.

The links would be placed on other websites, but only ones who register, so
I do check the Referer header against a list of authorized URL's.  Even
though the Referer can not be trusted (that's the weakness I'd like to point
out) I'm using it as one layer of security (in addition to other stuff).
However I also need to make sure that the links at those sites are <a href>
links and not HTML forms sending a GET request to my scripts. I usually
would not matter whether it's a link or a form but in this case it does.

Thanks for your help,
Jerry





More information about the talk mailing list