PHP http_referer Internet Explorer 7
Alright so it seems that Internet Explorer 7 does not send referer data thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "". So basically websites like mine that check form input using http_referer are no longer functioning. What is another way to check that a form was submitted from a desired source without using referer?
I thought about using a hidden field, but because firefox reveals hidden fields and their values, it would prove to be a worthless attempt to secure a form. Any thoughts on how to secure a form without using referer?
Re: PHP http_referer Internet Explorer 7
waradmin wrote: Alright so it seems that Internet Explorer 7 does not send referer data thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "".
That is not true. I'd check to make sure your script is correct.
Well here is the code:
Code:
    $referer = $_SERVER['HTTP_REFERER'];
    if ($referer != "http://www.somthing.org/hm/beta/messages.php")
    {
        echo "You cannot do that!";
        echo "$referer";
        exit();
    }
Here is the result in IE 7:
You cannot do that!
Here is the result in firefox:
You cannot do that!http://www.something.org/hm/beta/messag ... on=friends
If it works in IE 7, explain why it doesn't display anything.
I just tested with this:
test.php
Code:
    <?php
    // Print the Referer header if the browser sent one (escaped before output).
    if (isset($_SERVER['HTTP_REFERER'])) {
        echo htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES);
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>Untitled</title>
    </head>
    <body>
    <a href="test.php">here</a>
    </body>
    </html>
My result in both FF and IE:
http://localhost/test.php here
Re: PHP http_referer Internet Explorer 7
waradmin wrote: Alright so it seems that Internet Explorer 7 does not send referer data thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "". So basically websites like mine that check form input using http_referer are no longer functioning.
Your website still works, but the mistake in your reasoning that the header would always be there just became more obvious.
waradmin wrote: What is another way to check that a form was submitted from a desired source without using referer?
You'll have to generate a token (but you have to make sure the tokens can't be guessed... basically, you would end up implementing something like sessions...). Suggestion: simply use sessions and store the requests in there... This way you can easily verify the pages the user has visited. Notice that it's still possible to automate these requests...
waradmin wrote: I thought about using a hidden field, but because firefox reveals hidden fields and their values, it would prove to be a worthless attempt to secure a form.
Since you're sending values to the client, it would be a mistake to assume they're not going to see it. What you really would have to do is make sure that they can't predict the value you're going to send them... And when they give you a value, you should be able to verify if it was really a value that you generated...
waradmin wrote: Any thoughts on how to secure a form without using referer?
For that you would have to define 'secure' first.
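
The session-backed token suggested in the reply above, as an added example that is not part of the original thread: the hidden field may be visible to the user, but its value is unpredictable and is checked against the copy kept in the session. The function names, the 'message' form id and the form_token field name are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: names below are illustrative, not from the thread.
session_start();

/** Create an unpredictable token, keep a server-side copy, return it for the form. */
function form_token_issue(string $formId): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the OS CSPRNG
    $_SESSION['form_tokens'][$formId] = $token;  // the session copy is what gets trusted
    return $token;
}

/** True only if the submitted value is the one issued to this session for this form. */
function form_token_verify(string $formId, $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$formId] ?? null;
    unset($_SESSION['form_tokens'][$formId]);    // single use: a replayed POST fails
    if (!is_string($expected) || !is_string($submitted)) {
        return false;                            // missing, or an array like form_token[]=x
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!form_token_verify('message', $_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('You cannot do that!');
    }
    // Token matched: this form was rendered for this session. Process the input here.
    exit('Message accepted.');
}

$token = form_token_issue('message');
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <textarea name="body"></textarea>
  <button type="submit">Send</button>
</form>
```

The check shows that the form was issued to the submitting session; as the reply notes, a script that first requests the form can still automate the submission.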