PHP http_referer Internet Explorer 7

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


waradmin
Forum Contributor
Posts: 240
Joined: Fri Nov 04, 2005 2:57 pm

PHP http_referer Internet Explorer 7

Post by waradmin »

Alright, so it seems that Internet Explorer 7 does not send referer data, thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "". So basically websites like mine that check form input using http_referer are no longer functioning. What is another way to check that a form was submitted from a desired source without using the referer?

I thought about using a hidden field, but because Firefox reveals hidden fields and their values, it would prove to be a worthless attempt to secure a form. Any thoughts on how to secure a form without using the referer?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Tokens are used quite often, but can suffer from injection as you've stated. Sessions can be used as well. Much harder for a user to tamper with.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Re: PHP http_referer Internet Explorer 7

Post by Burrito »

waradmin wrote: Alright, so it seems that Internet Explorer 7 does not send referer data, thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "".
That is not true. I'd check to make sure your script is correct.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

as a follow-up, I wouldn't rely on HTTP_REFERER anyway, but just to clarify, it does still work with IE 7.
waradmin
Forum Contributor
Posts: 240
Joined: Fri Nov 04, 2005 2:57 pm

Post by waradmin »

Well here is the code:

Code:

// Read the referer header if the browser sent one; otherwise treat it as empty
// (avoids an undefined-index notice when the header is absent).
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
if ($referer != "http://www.somthing.org/hm/beta/messages.php")
{
    echo "You cannot do that!";
    echo "$referer";
    exit();
}
Here is the result in IE 7:
You cannot do that!
Here is the result in Firefox:
If it works in IE 7, explain why it doesn't display anything.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

Echo the referrer outside your if, so you can see what it looks like no matter what happens...
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

I just tested with this:

test.php

Code:

<?php
// Print the referer header only when the browser actually sent it.
if (isset($_SERVER['HTTP_REFERER']))
    echo $_SERVER['HTTP_REFERER'];
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
	<title>Untitled</title>
</head>

<body>
<a href="test.php">here</a>


</body>
</html>

my result in both FF and IE wrote: http://localhost/test.php here
waradmin
Forum Contributor
Posts: 240
Joined: Fri Nov 04, 2005 2:57 pm

Post by waradmin »

Well, also I am on Windows Vista; that may be doing it, because it isn't working.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

waradmin wrote: Well, also I am on Windows Vista; that may be doing it, because it isn't working.
Using Beta software will often result in strange quirks and problems that will be impossible for anyone to diagnose and fix. Use a finished operating system if you want predictable results.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: PHP http_referer Internet Explorer 7

Post by timvw »

waradmin wrote: Alright, so it seems that Internet Explorer 7 does not send referer data, thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "". So basically websites like mine that check form input using http_referer are no longer functioning.
Your website still works, but the mistake in your reasoning that the header would always be there just became more obvious.
waradmin wrote: What is another way to check that a form was submitted from a desired source without using the referer?
You'll have to generate a token (but you have to make sure the tokens can't be guessed... basically, you would end up implementing something like sessions...). Suggestion: simply use sessions and store the requests in there... This way you can easily verify the pages the user has visited. Notice that it's still possible to automate these requests...
waradmin wrote: I thought about using a hidden field, but because Firefox reveals hidden fields and their values, it would prove to be a worthless attempt to secure a form.
Since you're sending values to the client, it would be a mistake to assume they're not going to see it. What you really would have to do is make sure that they can't predict the value you're going to send them... And when they give you a value, you should be able to verify if it was really a value that you generated...
waradmin wrote: Any thoughts on how to secure a form without using the referer?
For that you would have to define 'secure' first.
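The session-bound token approach the replies above describe, as an added example that is not code from anyone in this thread. It assumes PHP 7 or later (for random_bytes() and hash_equals()) and the hypothetical field name form_token; the client can read the token, but cannot predict the next one, and the server only accepts values it issued itself.

```php
<?php
// Added example: a session-bound form token instead of an HTTP_REFERER check.
// Assumes PHP 7+ for random_bytes() and hash_equals(); 'form_token' is a made-up field name.
session_start();

// Issue a fresh, unguessable token and remember it server-side with its issue time.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$token] = time();
    return $token;
}

// Accept a submitted token only if this session issued it, it is not stale,
// and it has not been used before (each token is consumed on first use).
function verify_form_token(?string $submitted, int $maxAge = 3600): bool
{
    if ($submitted === null || empty($_SESSION['form_tokens'])) {
        return false;
    }
    foreach ($_SESSION['form_tokens'] as $issued => $issuedAt) {
        // hash_equals() compares in constant time, so the comparison does not leak
        // how many leading characters of the guess were right.
        if (hash_equals((string) $issued, $submitted)) {
            unset($_SESSION['form_tokens'][$issued]);
            return (time() - $issuedAt) <= $maxAge;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('You cannot do that!');
    }
    // The submission came from a form this session was served; handle it here.
    echo 'Form accepted.';
}

// Every rendering of the form carries a new token.
$token = issue_form_token();
?>
<form method="post" action="">
  <!-- visible in the page source, as any hidden field is, but unpredictable -->
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="submit" value="Send">
</form>
```

As timvw notes, this only proves the request came from a page this session was served; a script that first fetches the form can still automate submissions.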