what about checking the remote ip address?

Jim

----- Original Message -----
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, January 21, 2003 10:45 AM
Subject: Re: [PHP] Detecting posts from outside site
> --- [EMAIL PROTECTED] wrote:
> > If it's bulletproof, then I figured this could help
> > some of you out. If not, I welcome comments (I'm a
> > little bit hesitant of calling things 'bulletproof').
>
> It's not bulletproof. :-)
>
> > if((count($_POST) > 0) &&
> >    (!stristr($_SERVER["HTTP_REFERER"], $http_referer))) {
> >     unset($_POST);
> >     $evil = "postedfromoutsidepage";
> > }
>
> If this page is located at http://www.example.org/foo.php,
> and you are trying to ensure that the data is being posted
> from http://www.example.org/bar.php consider the following:
>
> --------------------
> # telnet www.example.org 80
> Trying 192.0.34.166...
> Connected to www.example.org (192.0.34.166).
> Escape character is '^]'.
> POST /foobar.php HTTP/1.1
> Host: www.example.org
> Referer: http://www.example.org/bar.php
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 26
>
> varname=any_value_i_choose
> --------------------
>
> Someone can use this method to bypass your Referer header
> check and post any data they choose.
>
> Chris
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
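The point of Chris's telnet session is that every request header, Referer included, is typed by whoever opens the socket, so a check on it decides nothing about where a form was really submitted from. The following is an added example, not code from this thread or from the original poster; it is in Python rather than PHP so the two checks can be run side by side on raw requests. It parses requests shaped like the one quoted above and compares the Referer check with the usual fix: a per-session anti-forgery token that the server derives from a secret it never sends, embedded in the form as a hidden field. The names (validate_post, issue_token, SERVER_SECRET, the cookie sid, the field csrf_token) and all sample requests are constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Site from the thread; the secret and session id are constructed for the demo
# (a real application keeps the secret out of source, in its key store).
SITE = "http://www.example.org/"
SERVER_SECRET = b"constructed-demo-secret-change-me"
DEMO_SID = "constructed-session-id-1"


def issue_token(session_id):
    """Per-session anti-forgery token, embedded in the form as a hidden field.

    It is an HMAC over the session id under a server-only key, so a client that
    can type any header it likes still cannot produce it without already holding
    that user's session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def cookies_of(headers):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def referer_check(headers):
    """The check from the thread: trust the POST if Referer points at our site.

    It fails both ways: a hand-written request sets it freely, and a privacy
    setting or proxy may strip it from a genuine user's browser."""
    return headers.get("referer", "").startswith(SITE)


def token_check(headers, body):
    """Accept only if the form carries the token derived from the caller's session."""
    sid = cookies_of(headers).get("sid")
    if not sid:
        return False
    presented = parse_qs(body).get("csrf_token", [""])[0]
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(presented, issue_token(sid))


def validate_post(raw):
    """Run both checks on a raw request and report what each would decide."""
    method, _path, headers, body = parse_raw_request(raw)
    if method != "POST":
        return {"referer_ok": False, "token_ok": False}
    return {"referer_ok": referer_check(headers),
            "token_ok": token_check(headers, body)}


def build_request(referer, cookie, body):
    """Assemble a raw POST shaped like the one in the thread (constructed sample)."""
    lines = ["POST /foobar.php HTTP/1.1", "Host: www.example.org"]
    if referer:
        lines.append("Referer: " + referer)
    if cookie:
        lines.append("Cookie: " + cookie)
    lines += ["Content-Type: application/x-www-form-urlencoded",
              "Content-Length: " + str(len(body)), "", body]
    return "\r\n".join(lines)


# 1. The hand-typed request from the thread: right Referer, no session, no token.
FORGED = build_request(SITE + "bar.php", None, "varname=any_value_i_choose")
# 2. A genuine submission from bar.php carrying the session cookie and its token.
GENUINE = build_request(SITE + "bar.php", "sid=" + DEMO_SID,
                        "varname=hello&csrf_token=" + issue_token(DEMO_SID))
# 3. The same genuine user behind a proxy that strips Referer.
GENUINE_NO_REFERER = build_request(None, "sid=" + DEMO_SID,
                                   "varname=hello&csrf_token=" + issue_token(DEMO_SID))

if __name__ == "__main__":
    for name, req in [("forged", FORGED), ("genuine", GENUINE),
                      ("genuine, Referer stripped", GENUINE_NO_REFERER)]:
        print(name.ljust(28), validate_post(req))
```

Run as a script, it shows the forged request passing the Referer check and failing the token check, and the Referer-stripped genuine request failing the Referer check while the token check still accepts it. On Jim's question: REMOTE_ADDR is the address of whoever opened the TCP connection, and a browser submitting the real form and a telnet session typed on the same machine present the same address, while every legitimate visitor arrives from an address the site does not control, so the remote IP cannot separate the two cases either.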