[nycphp-talk] <a href> vs. <form> request

Chris Shiflett shiflett at
Thu Apr 17 10:50:18 EDT 2003

--- Pinyo Bhulipongsanon <pinyo at> wrote:
> New guy here.  This may help.  I use this too, so if you can point out any
> weaknesses, please let me know.
> <?php
> $host = "";
> if (!isset($HTTP_REFERRER) || ($HTTP_HOST != $host)) {
>     # access denied message
> }
> ?>

Since you asked... :-)

There are many ways to defeat this, and here is an example. Assume your above
script is named foo.php and outputs "access granted" immediately after your
conditional statement:

[chris at alpha]~> telnet 80
Connected to (
Escape character is '^]'.
GET /foo.php HTTP/1.1

HTTP/1.1 200 OK
Date: Thu, 17 Apr 2003 14:46:11 GMT
Server: Apache
Content-Type: text/html
Content-length: 14

access granted

Connection closed by foreign host.
[chris at alpha]~>

Basically, those variables that start with HTTP are just the headers sent by
the client, so if you trust those for any sort of security, it's like a teacher
asking the students to grade their own papers. It will work fine on honest
people, but those aren't the ones to be concerned with.

Hope that helps.
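
An added example (not part of the original post or thread) contrasting a header-based check like the one quoted above with a check against state the server holds itself. The host name, the function names and the form_token field are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread. Names and values are hypothetical.

// Weak gate: both inputs are request headers, so the client chooses them.
function header_gate(array $server, string $expectedHost): bool
{
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return $refHost === $expectedHost
        && ($server['HTTP_HOST'] ?? '') === $expectedHost;
}

// Server-side state: a random token kept in the session and embedded in the form.
function issue_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

// Compare the submitted token with the stored one; each token is single use.
function token_gate(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $supplied = $post['form_token'] ?? '';
    unset($session['form_token']);
    return $expected !== '' && is_string($supplied)
        && hash_equals($expected, $supplied);
}

$host    = 'www.example.org';   // constructed host name
$session = [];                  // stands in for $_SESSION

// Constructed request: hand-written headers, no token in the body.
$typed = ['HTTP_HOST' => $host, 'HTTP_REFERER' => "http://$host/form.php"];
issue_token($session);
var_dump(header_gate($typed, $host));   // weak gate, headers only
var_dump(token_gate($session, []));     // token gate, nothing submitted

// Constructed request that follows a form the server rendered for this session.
$token = issue_token($session);
var_dump(token_gate($session, ['form_token' => $token]));   // first submission
var_dump(token_gate($session, ['form_token' => $token]));   // same token again
```

The token shows only that the request follows a form this server rendered for this session; identifying the user still requires authentication.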

