[nycphp-talk] <a href> vs. <form> request

Hans Zaunere zaunere at
Thu Apr 17 12:21:55 EDT 2003

--- Jerry Kapron <jkapron at> wrote:
> Pinyo,
> >New guy here.  This may help.  I use this too, so if you can point out any
> >weaknesses, please let me know.
> >
> ><?php
> >$host = "";
> >if (!isset($HTTP_REFERER) || ($HTTP_HOST != $host)) {
> >    # access denied message
> >}
> >?>
> >
> >You may have to use the long-hand variable call.  Anyway, it basically says
> >that to load this page the request must come from another page on the same
> >host.  This way people cannot create a form on their site and link to your
> >pages, nor can they type in the address directly.
> The links would be placed on other websites, but only ones who register, so
> I do check the Referer header against a list of authorized URLs.  Even
> though the Referer cannot be trusted (that's the weakness I'd like to
> point out) I'm using it as one layer of security (in addition to other stuff).
> However I also need to make sure that the links at those sites are <a href>
> links and not HTML forms sending a GET request to my scripts.

It is not possible, in an absolute sense.  Regardless of what HTTP, client
side, JavaScript or PHP tricks you can think of, it's forgeable.  How can a
web server know I'm connecting via telnet, let alone cURL, or anything else?
You'll need to establish a baseline security measure (read: what's good
enough) and then make an implementation.

I'm just jumping in on this thread, so forgive me if this was covered, but
you may be able to do a callback method.  You could connect back to the
requester, asking for the referring page.  Could this be forged?  Sure, but
it may offer some level of obscurity, in addition to SSL options (since it's
harder to forge SSL, nix cURL).

Good luck,
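
The Referer check discussed in this thread, as an added example that is not code from any of the posters: it matches the header's host exactly against a list of registered hosts and reports a missing or malformed header separately. The host names and the function name `classify_referer` are constructed for illustration.

```php
<?php
// Added example: classify the Referer header against registered partner hosts.
// Host names and the function name are constructed for illustration.

function classify_referer(array $server, array $registeredHosts): string
{
    // The header is optional: proxies, privacy settings and typed URLs omit it.
    if (empty($server['HTTP_REFERER'])) {
        return 'absent';
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'malformed';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'malformed';
    }
    // Compare the whole host exactly; a substring or prefix test would also
    // accept a look-alike such as "partner.example.other.test".
    $host = strtolower($parts['host']);
    return in_array($host, $registeredHosts, true) ? 'registered' : 'unregistered';
}

// Constructed list of registered hosts.
$registered = ['partner.example', 'www.partner.example'];

// Constructed sample requests (only the relevant $_SERVER key is shown).
$samples = [
    'link on a registered site' => ['HTTP_REFERER' => 'http://partner.example/links.html'],
    'look-alike host'           => ['HTTP_REFERER' => 'http://partner.example.other.test/'],
    'no header sent'            => [],
    'not a URL'                 => ['HTTP_REFERER' => 'partner.example'],
];

// 'registered' only means the client sent that string. The value is
// client-supplied, and an <a href> click and a GET form submission arrive
// as the same request, so treat the result as one signal among other layers.
foreach ($samples as $label => $server) {
    printf("%-26s %s\n", $label, classify_referer($server, $registered));
}
```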

