I wrote a script to handle a form submission and thought I'd cleverly prevent hackers and spammers from abusing it using $_SERVER[HTTP_REFERER]. It goes a little something like this:
Code:
$here = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/';
// Array keys must be quoted, and ereg() is gone in PHP 7, so use preg_match().
// preg_quote() escapes the dots in the host name so they match literally.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (isset($_POST['submit']) && !preg_match('#^' . preg_quote($here, '#') . '#', $referer)) {
    /* output error message and log error */
} else {
    /* submit the form */
}
See it here: http://us2.php.net/manual/en/reserved.variables.php
HTTP_REFERER: The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
So my logging mechanism gets $_SERVER['HTTP_USER_AGENT'] from the user because I want to know what browsers people are using that are causing the error. So far I've gotten just one (the logging feature is new), but I don't know what in tarnation it means:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322)
Can anyone decipher that? Does anyone know if there is a list somewhere of browsers that don't support HTTP_REFERER?
OK, and lastly... I guess best practice would be to stop using HTTP_REFERER for this purpose. Does anyone have a favorite way of preventing their forms from being duped?
Thanks!
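As an added example (not the poster's code), here is the Referer check done without a regex plus the usual replacement for it: a per-session token that the form must echo back. Function names (referer_matches_site, issue_form_token, verify_form_token) and the hidden field name form_token are assumptions; it needs PHP 7+ for random_bytes().

```php
<?php
// Added example, not from the original post. Two checks a form handler can run.

// 1. Referer compared as a parsed URL, so dots in the host are never wildcards.
//    Still advisory only: the client sets this header and may omit or alter it.
function referer_matches_site(string $referer, string $expectedHost, string $basePath): bool
{
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false; // missing or unparseable Referer counts as a mismatch
    }
    $path = isset($parts['path']) ? $parts['path'] : '/';
    return strcasecmp($parts['host'], $expectedHost) === 0
        && strncmp($path, $basePath, strlen($basePath)) === 0;
}

// 2. Per-session token (hypothetical names). The token is embedded in the form
//    as a hidden field; a script posting straight to the handler never saw the
//    form, so it cannot supply it. $session is $_SESSION passed by reference.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

function verify_form_token(array &$session, array $post): bool
{
    if (empty($session['form_token']) || !isset($post['form_token'])) {
        return false;
    }
    $expected = $session['form_token'];
    unset($session['form_token']); // single use, so a captured token cannot be replayed
    return hash_equals($expected, (string) $post['form_token']); // constant-time compare
}

// Handler sketch (call session_start() before either step):
// Rendering the form:
//   echo '<input type="hidden" name="form_token" value="'
//      . htmlspecialchars(issue_form_token($_SESSION)) . '">';
// Processing the submission:
//   if (isset($_POST['submit']) && !verify_form_token($_SESSION, $_POST)) {
//       /* output error message and log $_SERVER['HTTP_USER_AGENT'] */
//   }
```

Browsers that strip Referer pass the token check fine, which is why it can replace rather than merely supplement the header test.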