NYCPHP Meetup

[nycphp-talk] Safest and best way to get the referer

P Yurt pyurt at yahoo.com
Wed Jan 31 09:01:45 EST 2007


What is spy.php? 

Explore the Evolving Web 
www.2.0websites.com  
Paul Yurt, Publisher 
paul(@)2.0websites.com 

 


-----Original Message-----
From: talk-bounces at lists.nyphp.org
[mailto:talk-bounces at lists.nyphp.org] On
Behalf Of csnyder
Sent: Wednesday, January 31, 2007 6:20 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Safest and best way to get the referer

On 1/29/07, Joseph Crawford <codebowl at gmail.com> wrote:
> Guys,
>
> I know that HTTP_REFERER is not always accurate or even set. 
There
> are also ways for people to fake that value.  I tend not to
rely on
> that much however what i need to do is this.
>
> We have a file called spy.php that will return data to the
browser if
> the sitekey is found in our database.  This data is to be used
by
> members so they can show statistics on their site.  However to
be sure
> that it was the correct sitekey i was also checking the
referer domain
> against the domain stored in the database.  Is there a better
way to
> do this?  I do not want someone to be able to display the
stats for
> another site on theirs.
>
> Is there a way to do this or should i just base it on the
sitekey and
> if it is valid return the stats for that particular site.  The
sitekey
> is an md5 hash.
>

It's rare for a browser to send broken referers, but yeah,
there's
nothing to stop another server from calling spy.php with a
spoofed
referer and then doing whatever with the result. You might try
to
notice if the same client IP makes a number of requests using
different sitekeys...

There probably isn't much you can do that would be worth the
time it
took to implement. After all, even with perfect security on the
script, the numbers are still out there in public, ready to be
copy-and-pasted into a spreadsheet every morning.

-- 
Chris Snyder
http://chxo.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php




More information about the talk mailing list