[nycphp-talk] HTTP_REFERER

Michele Waldman mmwaldman at
Fri Nov 28 15:04:08 EST 2008

Could y'all repost any responses to this?  Apparently, my new email address
wasn't subscribed to the mailing list.



From: Michele Waldman [mailto:mmwaldman at] 
Sent: Friday, November 28, 2008 2:19 PM
To: 'NYPHP Talk'


I once had a problem with my server executing php and the code was dumped
out to the screen.


So, php isn't that terribly secure if your server has a glitch.  So many
folks put their passwords right there in a file that can be dumped to the


In my current case I am using ajax because xmlhttp doesn't cross domains, I
didn't have a real security risk I believe from users calling the php file
directly with data.  There would have to be a function call to execute the
php.  Without someone calling a function, nothing would happen.


If someone remotely embedded my php file in their app, they could
have made a function call if they knew the name?


What does anyone know about linking a php file from another server?  I
haven't really tried it.  I don't think.  That would be my real concern.


The docs say the http_referer cannot be trusted.  Plus, I didn't
even see it defined in my phpinfo.  I don't know if it's only defined if
there is an explicit statement to do so.  Do you know another way of
requiring that some php files are only called by an app in the same domain?


I'd like to either prevent a remote call to my php file in htaccess.  I was
thinking something like:


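RewriteEngine On
# RewriteCond lines apply only to the next RewriteRule, so all three
# files are covered by a single rule.
# Referer is not wantedgaming.com (or a subdomain) and is not empty:
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?wantedgaming\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Serve the stub instead of the requested file.
RewriteRule (^|/)(myfile|myfile2|myfile3)\.php$ stub.php [L]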


I was thinking I wanted to reinforce this inside the php file, but if
htaccess has it covered, it's probably a non-issue.


Does this look right?
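
A sketch of the in-PHP reinforcement mentioned above, as an added example that is not part of the original post: the Referer is used only as an advisory filter, and the deciding check is a per-session token that the site's own page hands to its JavaScript. The X-App-Token header, the app_token session key and the function names are assumptions made for illustration.

```php
<?php
// Added example: server-side check at the top of an AJAX endpoint such as myfile.php.
// Assumed names: X-App-Token request header, $_SESSION['app_token'], the functions below.
const ALLOWED_DOMAIN = 'wantedgaming.com'; // domain from the post's RewriteCond

/** Advisory only: the Referer header is supplied by the client. Empty is allowed, as in the .htaccess. */
function referer_is_same_site(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // malformed URL or no host component
    }
    $host = strtolower($host);
    $suffix = '.' . ALLOWED_DOMAIN;
    return $host === ALLOWED_DOMAIN || substr($host, -strlen($suffix)) === $suffix;
}

/** Called by the page that serves the JavaScript; the value is embedded for its AJAX calls. */
function issue_token(): string
{
    if (empty($_SESSION['app_token'])) {
        $_SESSION['app_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['app_token'];
}

/** Constant-time comparison of the submitted token with the copy held in the session. */
function token_is_valid(?string $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['app_token'])
        && hash_equals($_SESSION['app_token'], $submitted);
}

session_start();
$referer = $_SERVER['HTTP_REFERER'] ?? null;      // absent unless the client sends it
$token   = $_SERVER['HTTP_X_APP_TOKEN'] ?? null;  // set by the page's own JavaScript

if (!referer_is_same_site($referer) || !token_is_valid($token)) {
    http_response_code(403);
    exit('Forbidden');
}
// ... the endpoint's real work goes here ...
```

A request made without a session that first loaded the site's page has no matching token and gets a 403, whatever Referer it carries.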


