> There is no substitute for good data verification such as strip_tags() or
> some regular expressions to limit valid input. I also would recommend
> checking the referrer to be sure someone doesn't hijack your form and try to
> modify it and submit it from a remote location. Here is an example:
>
> if (validReferrer() === false)
>     die("invalid referrer");
>
> function validReferrer()
> {
>     $_valid_referrers =
>         array("www.yoursite.com", "www2.yoursite.com", "yoursite.com");
>     // The header may be absent; avoid an undefined-index notice.
>     $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
>     // Collapse "http://host/path" to "http:/host/path" so the host is element 1.
>     $referer = str_replace('//', '/', $referer);
>     $ref = explode('/', $referer);
>     if ( isset($ref[1]) && in_array($ref[1], $_valid_referrers) )
>         return true;
>     else
>         return false;
> }
That is a good idea. $_SERVER['HTTP_REFERER'] is the web server identifier, right? My web server is 10.0.0.5 from the internal LAN. I am hesitant to allow HTTP_REFERERs from 10.0.0.5 because it seems to me that it would be easy enough to configure a strange box to imitate 10.0.0.5. Can I somehow check that the HTTP_REFERER = localhost?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
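The quoted validReferrer() splits the URL on "/" and trusts that element 1 is the host, which breaks on a missing header and ignores that the Referer value is supplied by the client. Below is an added example (not from either poster) that parses the header with parse_url() and compares only the host against an explicit allow-list; the hostnames are placeholders. Because the client chooses what to send in Referer, this remains a sanity check on accidental cross-site submissions, not a proof of where the request came from.

```php
<?php
// Added example: stricter referrer host check than the quoted explode() version.
// Hostnames in $allowed are assumed placeholders, not real site names.

function refererAllowed(?string $referer, array $allowedHosts): bool
{
    // Browsers may omit the header (privacy settings, HTTPS -> HTTP navigation),
    // so a missing or empty value is treated as not allowed.
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Compare only the host component, lower-cased, with a strict in_array():
    // ports, userinfo and paths never take part in the comparison.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

$allowed = ['www.yoursite.com', 'www2.yoursite.com', 'yoursite.com'];

// Constructed sample Referer values and the verdict expected for each.
$samples = [
    'http://www.yoursite.com/form.php'      => true,
    'https://yoursite.com:8443/form.php'    => true,   // port is ignored
    'http://www.yoursite.com.example.net/'  => false,  // prefix match is not enough
    'http://example.net/www.yoursite.com/'  => false,  // host appears only in the path
    ''                                      => false,  // header absent
];
foreach ($samples as $url => $expected) {
    $result = refererAllowed($url, $allowed);
    printf("%-40s => %s\n", $url === '' ? '(no header)' : $url,
           $result ? 'allowed' : 'rejected');
    assert($result === $expected);
}

// In a request handler the call would look like this:
// if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null, $allowed)) {
//     http_response_code(403);
//     exit('invalid referrer');
// }
```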