> I have a PHP program which executes a heavy MySQL query upon request.
> Normally, it should not be requested too often, but I am afraid of a
> malicious user trying to massively call this program. I am considering
> using $HTTP_REFERER to restrict the connection source, but is it worth
> trusting? Is it possible for a hacker to make an identical $HTTP_REFERER
> in the header? I have no idea how $HTTP_REFERER is made; is it made by
> the HTTP client and put in the HTTP header?
>
> If I can't trust $HTTP_REFERER, how can I deny a malicious attack like
> that?
An HTTP_REFERER header is sent by the client browser... which means it is mimicable (and quite easily, I might add). Although adding HTTP_REFERER restrictions to a script may add a small bit of security against script kiddies, it by no means is a true method of defence against hackers.

The best thing you can do is temporarily record the IPs of connections to your script, and then block IPs that connect to the script too often directly from your routing table. It doesn't necessarily stop those using proxies, but it definitely is more reliable than an HTTP_REFERER protection scheme.

Sincerely,

Craig Vincent

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
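The "record the IPs and refuse the ones that hit the script too often" approach from the reply, as an added example that is not code from the thread: it keys on REMOTE_ADDR, which the web server fills in from the TCP connection, rather than on HTTP_REFERER, which is whatever the client chose to send. The store path, limit and window are assumptions; it needs PHP 7.4+ for the arrow functions.

```php
<?php
// Added example (not from the original thread): per-IP sliding-window rate
// limit in front of the heavy-query script. REMOTE_ADDR comes from the TCP
// peer, HTTP_REFERER from the client, so only the former is worth counting on.
const RATE_LIMIT  = 5;                                // requests allowed ...
const RATE_WINDOW = 60;                               // ... per this many seconds
const RATE_STORE  = '/var/tmp/heavy_query_hits.json'; // hypothetical writable path

// $hits maps IP => list of recent request timestamps and is updated in place.
// Returns true if this request may proceed; refused requests are not counted.
function allow_request(array &$hits, string $ip, int $now,
                       int $limit = RATE_LIMIT, int $window = RATE_WINDOW): bool
{
    // Keep only timestamps still inside the window.
    $recent = array_values(array_filter(
        $hits[$ip] ?? [], fn(int $t): bool => $t > $now - $window));
    if (count($recent) >= $limit) {
        $hits[$ip] = $recent;
        return false;
    }
    $recent[] = $now;
    $hits[$ip] = $recent;
    return true;
}

// Read-modify-write the store under an exclusive lock so concurrent requests
// cannot lose each other's hits. Fails open if the store is unavailable.
function check_client(string $ip, int $now): bool
{
    $fh = fopen(RATE_STORE, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        error_log('rate-limit store unavailable, request allowed');
        return true;
    }
    $hits = json_decode(stream_get_contents($fh), true) ?: [];
    $ok   = allow_request($hits, $ip, $now);
    // Forget IPs with nothing left in the window so the file stays small.
    $hits = array_filter($hits, fn(array $ts): bool => count($ts) > 0);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($hits));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

if (!check_client($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', time())) {
    http_response_code(429);
    header('Retry-After: ' . RATE_WINDOW);
    exit('Too many requests');
}
// ... run the heavy MySQL query here ...
```

As the reply notes, clients behind a shared proxy share one REMOTE_ADDR, so pick the limit with that in mind; pushing repeat offenders into a firewall rule is the next step the reply describes.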