Hello Pablo,

Thursday, April 8, 2004, 6:32:06 PM, you wrote:

PG> At any rate, if you're relying on HTTP_REFERER to make sure a script is
PG> being called from a certain location, I don't think it's very reliable.

PG> Does anyone have any ideas as to a workaround for this?

There are probably better ways, but I did come up with something
specifically for this a while ago:

Basically all form input went via a redirect script first.

Form 1 (in the user's browser) submits everything to a PHP script that
does nothing but suck in all of the $_POST values and then itself
redirects this to the actual PHP processing script it was meant for.
It redirects using an HTTP header and POSTing all of the form values
it had received originally. When developing I used the Snoopy class to
handle this for me.

It works for 2 reasons: (1) you ALWAYS know the IP address of the
script you are receiving the data from (because it's the same server*)
and (2) the redirect script can also add an extra POST variable that
identifies that it is from a secure source (perhaps a private key, or
an md5 hash or similar). Or it could use your own HTTP headers or User
Agent for further checks.

* although it doesn't have to be

Downsides:

Your site is effectively processing all form data twice. Depending on
traffic/size of forms/etc., this probably isn't desirable.

But, it does actually work and AFAIK cannot be easily spoofed.

-- 
Best regards,
 Richard Davey
 http://www.phpcommunity.org/wiki/296.html
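The relay scheme described in the message above, written out as an added example. This is not Richard's code or the Snoopy class; it assumes PHP 8 with the cURL extension, a hypothetical shared secret RELAY_SECRET, a hypothetical processing URL, and a relay host list. In place of the "private key, or md5 hash" it uses an HMAC-SHA256 over the forwarded fields, and it adds a timestamp so an old relayed request cannot be replayed.

```php
<?php
// Added example (not from the original post): a relay script that receives the
// browser's POST, signs it with a shared secret, and re-POSTs it server-side to
// the real processing script, which checks the source IP and the signature.
// Assumptions: both scripts share RELAY_SECRET; PROCESSOR_URL and RELAY_HOSTS
// are hypothetical. HMAC-SHA256 stands in for the post's "md5 hash or similar";
// the timestamp/freshness check is an added replay guard.

const RELAY_SECRET  = 'change-me-long-random-secret';          // hypothetical shared secret
const PROCESSOR_URL = 'https://www.example.com/process.php';   // hypothetical target
const RELAY_HOSTS   = ['127.0.0.1'];                           // IPs allowed to reach process.php
const MAX_AGE_SECS  = 60;

// Canonical string covered by the signature: fields sorted by name, form-encoded.
function canonical(array $fields): string {
    ksort($fields);
    return http_build_query($fields);
}

// Relay side: take the original $_POST, add a timestamp, sign everything.
function relay_sign(array $post, string $secret, ?int $now = null): array {
    unset($post['_relay_ts'], $post['_relay_sig']);   // never trust client-supplied copies
    $post['_relay_ts']  = (string)($now ?? time());
    $post['_relay_sig'] = hash_hmac('sha256', canonical($post), $secret);
    return $post;
}

// Relay side: re-POST the signed fields to the processing script (cURL instead of Snoopy).
function relay_forward(array $signed, string $url): string|false {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($signed),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERAGENT      => 'form-relay/1.0',   // the extra User-Agent check the post mentions
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Processing side: accept only if the request came from a relay host AND the
// signature over the fields (timestamp included) verifies and is still fresh.
function processor_verify(array $post, string $remote_addr, string $secret,
                          array $relay_hosts, ?int $now = null): bool {
    if (!in_array($remote_addr, $relay_hosts, true)) {
        return false;                                    // wrong source IP
    }
    if (!isset($post['_relay_sig'], $post['_relay_ts'])) {
        return false;                                    // did not pass through the relay
    }
    $sig = $post['_relay_sig'];
    unset($post['_relay_sig']);
    $expected = hash_hmac('sha256', canonical($post), $secret);
    if (!hash_equals($expected, $sig)) {                 // constant-time comparison
        return false;                                    // tampered or unsigned
    }
    $age = ($now ?? time()) - (int)$post['_relay_ts'];
    return $age >= 0 && $age <= MAX_AGE_SECS;            // reject replays of old relays
}

// Constructed demo (run with `php relay.php`): exercises both halves without any network.
if (PHP_SAPI === 'cli') {
    $form   = ['name' => 'Pablo', 'comment' => 'hello <b>world</b>'];  // constructed form input
    $signed = relay_sign($form, RELAY_SECRET, 1_000_000);

    $tampered = $signed;
    $tampered['comment'] = 'edited in transit';

    $cases = [
        'genuine relay, allowed IP' => [$signed,   '127.0.0.1',   1_000_010],
        'field changed after signing' => [$tampered, '127.0.0.1', 1_000_010],
        'direct POST from outside' => [$signed,   '203.0.113.9', 1_000_010],
        'replayed an hour later'   => [$signed,   '127.0.0.1',   1_000_000 + 3600],
    ];
    foreach ($cases as $label => [$post, $ip, $now]) {
        $ok = processor_verify($post, $ip, RELAY_SECRET, RELAY_HOSTS, $now);
        printf("%-30s %s\n", $label, $ok ? 'ACCEPT' : 'REJECT');
    }
    // In the real process.php the call is:
    // processor_verify($_POST, $_SERVER['REMOTE_ADDR'], RELAY_SECRET, RELAY_HOSTS)
    // and in the relay script: relay_forward(relay_sign($_POST, RELAY_SECRET), PROCESSOR_URL)
}
```

The signature is computed over every forwarded field, so the processor rejects anything that did not pass through relay_sign unchanged, not just requests lacking the extra variable; hash_equals avoids a timing side channel on the comparison. The IP and signature checks establish that the request came through the relay script, which is the property the post describes; they say nothing about which page the browser submitted the original form from, so the relay script itself still accepts input from anywhere.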

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php