[nycphp-talk] Safest and best way to get the referer

P Yurt pyurt at
Wed Jan 31 09:01:45 EST 2007

What is spy.php? 

Explore the Evolving Web  
Paul Yurt, Publisher 


-----Original Message-----
From: talk-bounces at
[mailto:talk-bounces at] On
Behalf Of csnyder
Sent: Wednesday, January 31, 2007 6:20 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Safest and best way to get the referer

On 1/29/07, Joseph Crawford <codebowl at> wrote:
> Guys,
> I know that HTTP_REFERER is not always accurate or even set. 
> are also ways for people to fake that value.  I tend not to rely on
> that much however what I need to do is this.
> We have a file called spy.php that will return data to the browser if
> the sitekey is found in our database.  This data is to be used
> members so they can show statistics on their site.  However to be sure
> that it was the correct sitekey I was also checking the referer domain
> against the domain stored in the database.  Is there a better way to
> do this?  I do not want someone to be able to display the stats for
> another site on theirs.
> Is there a way to do this or should I just base it on the sitekey and
> if it is valid return the stats for that particular site.  The
> is an md5 hash.

It's rare for a browser to send broken referers, but yeah,
nothing to stop another server from calling spy.php with a
referer and then doing whatever with the result. You might try
notice if the same client IP makes a number of requests using
different sitekeys...

There probably isn't much you can do that would be worth the time it
took to implement. After all, even with perfect security on the
script, the numbers are still out there in public, ready to be
copy-and-pasted into a spreadsheet every morning.

Chris Snyder
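
The two checks discussed in this thread, as an added example that is not code from any poster: the referer domain is compared with the domain stored for the sitekey, and a client IP that presents several different sitekeys is flagged. The function names, record layout, window and threshold are assumptions, and the sample requests are constructed.

```php
<?php
// Added example. All names, thresholds and sample data are hypothetical.

/** Host part of a Referer header, lower-cased, leading "www." removed; null if absent or unparsable. */
function referer_host(?string $referer): ?string {
    if ($referer === null || $referer === '') return null;
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') return null;
    return preg_replace('/^www\./', '', strtolower($host));
}

/**
 * $requests: list of ['ts' => int, 'ip' => string, 'sitekey' => string, 'referer' => ?string]
 * $sites:    sitekey => domain stored for that member
 * Returns per-IP flags. A missing referer is not flagged, because the header is
 * not always set; a mismatch is only a signal, because the header can be faked.
 */
function review_requests(array $requests, array $sites, int $window = 3600, int $maxKeys = 2): array {
    $seen = [];   // ip => [sitekey => timestamp of most recent use]
    $flags = [];
    usort($requests, fn($a, $b) => $a['ts'] <=> $b['ts']);
    foreach ($requests as $r) {
        $ip = $r['ip'];
        $seen[$ip][$r['sitekey']] = $r['ts'];
        // Forget sitekeys this IP last used longer ago than the window.
        $seen[$ip] = array_filter($seen[$ip], fn($ts) => $r['ts'] - $ts <= $window);
        if (count($seen[$ip]) > $maxKeys) {
            $flags[$ip]['many_sitekeys'] = array_keys($seen[$ip]);
        }
        $expected = $sites[$r['sitekey']] ?? null;
        $host = referer_host($r['referer']);
        if ($expected !== null && $host !== null && $host !== $expected) {
            $flags[$ip]['referer_mismatch'][] = $r['sitekey'];
        }
    }
    return $flags;
}

// Constructed sample: three members and five requests.
$keyA = md5('site-a'); $keyB = md5('site-b'); $keyC = md5('site-c');
$sites = [$keyA => 'a.example', $keyB => 'b.example', $keyC => 'c.example'];
$requests = [
    ['ts' => 100, 'ip' => '203.0.113.5', 'sitekey' => $keyA, 'referer' => 'http://www.a.example/stats'],
    ['ts' => 160, 'ip' => '203.0.113.9', 'sitekey' => $keyA, 'referer' => 'http://other.example/'],
    ['ts' => 200, 'ip' => '203.0.113.9', 'sitekey' => $keyB, 'referer' => null],
    ['ts' => 260, 'ip' => '203.0.113.9', 'sitekey' => $keyC, 'referer' => 'http://c.example/'],
    ['ts' => 300, 'ip' => '203.0.113.5', 'sitekey' => $keyA, 'referer' => null],
];
print_r(review_requests($requests, $sites));
```

Only 203.0.113.9 is flagged in the sample, once for a referer that does not match the stored domain and once for using three sitekeys within the window.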