[nycphp-talk] <a href> vs. <form> request

Bhulipongsanon, Pinyo Pinyo.Bhulipongsanon at
Thu Apr 17 11:18:16 EDT 2003

Hi Chris,

Thanks.  How would you tighten it up?


-----Original Message-----
From: Chris Shiflett [mailto:shiflett at]
Sent: Thursday, April 17, 2003 10:50 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] <a href> vs. <form> request

--- Pinyo Bhulipongsanon <pinyo at> wrote:
> New guy here.  This may help.  I use this too, so if you can point out any
> weaknesses, please let me know.
> <?php
> $host = "";
> if (!isset($HTTP_REFERRER) || ($HTTP_HOST != $host)) {
>     # access denied message
> }
> ?>

Since you asked... :-)

There are many ways to defeat this, and here is an example. Assume your
script is named foo.php and outputs "access granted" immediately after your
conditional statement:

[chris at alpha]~> telnet 80
Connected to (
Escape character is '^]'.
GET /foo.php HTTP/1.1

HTTP/1.1 200 OK
Date: Thu, 17 Apr 2003 14:46:11 GMT
Server: Apache
Content-Type: text/html
Content-length: 14

access granted

Connection closed by foreign host.
[chris at alpha]~>

Basically, those variables that start with HTTP are just the headers sent by
the client, so if you trust those for any sort of security, it's like
asking the students to grade their own papers. It will work fine on honest
people, but those aren't the ones to be concerned with.

Hope that helps.
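
An added example, not part of the original thread and not written by either poster: one common way to tighten the check is to compare a server-issued token kept in the session instead of headers the client writes. The function names, the `form_token` field and `www.example.com` are hypothetical, and `$session` / `$post` stand in for `$_SESSION` / `$_POST` so the script runs from the PHP 7+ command line.

```php
<?php
// Issue a token when rendering the form; the server keeps its own copy.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $session['form_token'] = $token;
    return $token;                        // goes into a hidden <input>
}

// Accept the submission only if it echoes the token stored server-side.
function is_request_allowed(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);        // single use, even on failure
    $supplied = $post['form_token'] ?? null;
    if (!is_string($expected) || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied);  // constant-time comparison
}

// The header check from the thread, for contrast: both inputs are client-written.
function header_check_passes(array $server, string $host): bool
{
    return isset($server['HTTP_REFERER'])
        && ($server['HTTP_HOST'] ?? '') === $host;
}

// Constructed demo data below; nothing here touches the network.
$session = [];
issue_form_token($session);

// A client that never loaded the form can still send any headers it likes,
// so the header check is satisfied...
$headers = ['HTTP_REFERER' => 'http://www.example.com/form.php',
            'HTTP_HOST'    => 'www.example.com'];
var_dump(header_check_passes($headers, 'www.example.com'));

// ...but it was never given the token, so the token check rejects it.
var_dump(is_request_allowed($session, ['form_token' => 'not-the-token']));

// A client that did load the form echoes the token back and is accepted.
$token = issue_form_token($session);
var_dump(is_request_allowed($session, ['form_token' => $token]));
```

The token only shows that the request follows a page this session was served; it does not identify the user, so authentication remains a separate check.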

