Problem with form mailing script

cripes
Forum Newbie
Posts: 8
Joined: Sat Mar 19, 2005 5:16 am

Post by cripes »

On my php form-mailing script, I use a simple check to be sure that the form is not being hijacked by a pirate or spammer:

Code:

// Referer is a client-supplied header; it is absent when the browser or a
// filtering product strips it, so fall back to an empty string to avoid a notice.
$referer  = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$this_url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
if ($referer != $this_url) {
    echo "You do not have permission to use this script from another URL.";
}
else {
    // code that sends the message!
}
I'm getting complaints that this form won't work for anyone who has installed Norton Firewall or similar products, that hide the referrer.

Is there a workaround here?
Or another way to restrict use of the form script?


n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

Simply pass a POST var and check for it instead of checking the referrer, as it doesn't always exist and is rather unreliable.
cripes
Forum Newbie
Posts: 8
Joined: Sat Mar 19, 2005 5:16 am

Post by cripes »

n00b Saibot wrote: Simply pass a POST var and check for it instead of checking the referrer, as it doesn't always exist and is rather unreliable.
Thanks! - that would be a solution.

But then again, it wouldn't be as robust a check for a malicious user pirating the form, since all they'd have to do is integrate the same POST var. :(
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

Then sessions may be it.
cripes
Forum Newbie
Posts: 8
Joined: Sat Mar 19, 2005 5:16 am

Post by cripes »

n00b Saibot wrote: Then sessions may be it.
ah-hah! I hadn't thought of that! :)

What do most people/sites do for this??
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

They keep track of people through sessions, and when mailing they check for the same session tracking vars. If they exist, go ahead and mail it. If they don't, then hey, buzz off! ;)
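One way to implement the session check described in this thread, as an added example that is not code from any of the posters: the script issues a random token when it renders the form, stores it in the session, and only sends mail when the POSTed token matches the stored one. This replaces the HTTP_REFERER comparison, so browsers or firewalls that strip the referrer no longer break the form. Assumptions that are not in the original posts: a single self-posting script that both renders and processes the form, a hypothetical send_message() standing in for the author's own mailing code, a 30-minute token lifetime, and the field names email, message and form_token. Caveat for the robustness question raised earlier: this stops the mailer from being driven from another site without first loading the form here, but a bot that fetches the form page first and replays the token it receives is still accepted, so it is a hijack check, not a spam filter.

```php
<?php
// Added example (not code from the original thread): a session-backed,
// single-use form token in place of the unreliable HTTP_REFERER check.
// Assumed: this one script renders the form on GET and mails it on POST;
// send_message() is a placeholder for the reader's own mailing code.

declare(strict_types=1);

session_start();

const FORM_TOKEN_TTL = 1800; // seconds a rendered form stays valid (assumed value)

/** Issue a fresh token, remember it in the session, return it for the hidden field. */
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

/**
 * Validate the token sent with the POST against the one held in the session.
 * The stored token is removed whether or not the check passes, so each
 * rendered form can be submitted at most once.
 */
function consume_form_token($submitted): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    $issued = $_SESSION['form_token_time'] ?? 0;
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);

    if ($stored === null || !is_string($submitted)) {
        return false;               // no form was rendered in this session, or bad input
    }
    if (time() - $issued > FORM_TOKEN_TTL) {
        return false;               // stale form
    }
    // Constant-time comparison; a plain != would leak timing information.
    return hash_equals($stored, $submitted);
}

/** Placeholder for the thread author's own mailing code (hypothetical). */
function send_message(string $from, string $body): void
{
    // mail(...) would go here
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        echo 'You do not have permission to use this script from another URL.';
        exit;
    }
    send_message((string)($_POST['email'] ?? ''), (string)($_POST['message'] ?? ''));
    echo 'Message sent.';
    exit;
}

// GET: render the form with the token in a hidden field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= $token ?>">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  <button type="submit">Send</button>
</form>
```

Because the token is generated with random_bytes() and compared with hash_equals(), it cannot be guessed or forged by a third-party page; and because it is unset on every POST, a captured token cannot be replayed after the first submission. Sessions must be started before any output is sent, which is why session_start() sits at the top of the script.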