On Thu, 2004-04-08 at 13:54, Richard Davey wrote: > Hello Pablo, > > Thursday, April 8, 2004, 6:32:06 PM, you wrote: > > PG> At any rate, if you're relying on HTTP_REFERER to make sure a script is > PG> being called from a certain location, I don't think it's very reliable. > > PG> Does anyone have any ideas as to a workaround for this? > > There are probably better, but I did come up with something > specifically for this a while ago: > > Basically all form input went via a redirect script first. > > Form 1 (in the users browser) submits everything to a PHP script that > does nothing but suck in all of the $_POST values and then itself > redirects this to the actual PHP processing script it was meant for. > It redirects using an HTTP header and POSTing all of the form values > it had received originally. When developing I used the Snoopy class to > handle this for me. > > It works for 2 reasons (1) you ALWAYS know the IP address of the > script you are receiving the data from (because it's the same server*) > and (2) the redirect script can also add an extra POST variable that > identifies it is from a secure source (perhaps a private key, or md5 > hash or similar). Or it could use your own HTTP headers or User Agent > for further checks. > > * although it doesn't have to be > > Downsides: > > Your site is effectively processing all form data twice. Depending on > traffic/size of forms/etc this probably isn't desirable. > > But, it does actually work and AFAIK cannot be easily spoofed.
I don't think this works in general. For instance some ISPs can have the user's IP change between page requests (incuding redirects). AOL is an example of such and ISP. Cheers, Rob. -- .------------------------------------------------------------. | InterJinn Application Framework - http://www.interjinn.com | :------------------------------------------------------------: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `------------------------------------------------------------' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
