[nycphp-talk] user input (was Re: FILE() )

csnyder chsnyder at
Wed Oct 25 15:01:29 EDT 2006

On 10/25/06, Marc Antony Vose <suzerain at> wrote:
> Hey Chris:
> Just wondering about this...what kind of filter would you recommend
> passing over the HTTP_REFERER in order to verify it's (reasonably)
> kosher?
> Cheers,
> Marc

At minimum you'd want to make sure the referrer starts with "http://"
or "https://", which will cut off local filesystem access. Include
ftp:// if you need to, but who passes ftp urls in the referrer?

If your server can potentially access other systems inside a firewall,
it would be a darn good idea to write some sort of host-based
blacklist, with localhost included. Being comprehensive could be
difficult, maybe just better to disallow LAN access to any server that
runs this kind of code.

Of course, if the value is output into markup, you want to convert it
using htmlentities().

Anyone think of anything else?

Chris Snyder
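A PHP version of the checks listed in the post above, as an added example that is not code from the original thread. It assumes the referrer value will be handed to file() or fopen() over the http/https stream wrappers, and it goes a little beyond the post: besides requiring an http/https scheme and refusing localhost, it rejects IP literals in private and reserved ranges and, when allowed to use DNS, checks every address a hostname resolves to. The function names safe_referer_url, host_is_public and ip_is_public are my own.

```php
<?php
// Added example (not from the original post): vet a URL taken from
// $_SERVER['HTTP_REFERER'] before passing it to file()/fopen().
// Requires PHP 8.0+ (str_ends_with).

declare(strict_types=1);

/**
 * Return $candidate unchanged if it is safe to fetch, or null otherwise.
 * $resolve: also look up the hostname and check the resolved addresses
 * (needs network access; keep it on in production).
 */
function safe_referer_url(string $candidate, bool $resolve = true): ?string
{
    // parse_url() only rejects badly malformed input; it does not validate hosts.
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Only remote web schemes; this excludes file://, php://, data: and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Embedded credentials are a sign of something odd; refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 brackets
    return host_is_public($host, $resolve) ? $candidate : null;
}

/**
 * True if $host is neither a loopback/LAN name nor an address in a private
 * or reserved range. With $resolve, every address the name maps to is checked.
 */
function host_is_public(string $host, bool $resolve): bool
{
    // Names that always mean "this machine" or the local network.
    if ($host === '' || $host === 'localhost'
        || str_ends_with($host, '.localhost') || str_ends_with($host, '.local')) {
        return false;
    }

    // IP literal (v4 or v6): let filter_var reject private and reserved ranges.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return ip_is_public($host);
    }

    // Otherwise it must look like a DNS name ...
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return false;
    }
    // ... with a non-numeric top-level label (RFC 3696). This refuses forms such as
    // "2130706433" or "127.1", which are not IPs to filter_var but which the
    // resolver used by the http wrapper would happily turn into 127.0.0.1.
    $labels = explode('.', $host);
    if (ctype_digit(end($labels))) {
        return false;
    }

    if ($resolve) {
        $addrs = gethostbynamel($host);   // IPv4 only; false on lookup failure
        if ($addrs === false || $addrs === []) {
            return false;                 // unresolvable: refuse rather than guess
        }
        foreach ($addrs as $addr) {
            if (!ip_is_public($addr)) {
                return false;             // e.g. a public name pointing at 10.0.0.5
            }
        }
    }
    return true;
}

/** Reject 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fc00::/7, fe80::/10 ... */
function ip_is_public(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Usage: fetch only if the check passed, and escape before echoing into markup
// (htmlspecialchars() is the narrower cousin of the htmlentities() call the post mentions).
$ref = $_SERVER['HTTP_REFERER'] ?? '';
$url = safe_referer_url($ref);
if ($url !== null) {
    $lines = @file($url);   // in practice also set a timeout and a size limit
    echo 'Referer: ' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Referer rejected';
}
```

Two caveats worth knowing. First, the resolve step and the fetch are separate lookups, so a name that answers with a public address for the check and a LAN address a moment later (DNS rebinding) still gets through; the only real fix is to check the address at connect time or, better, to only fetch from an allowlist of hosts you control. Second, gethostbynamel() returns IPv4 records only, so on dual-stack hosts an AAAA record pointing at ::1 or a ULA address is not seen by this check.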
