Jump to content

Recommended Posts

Following is written in php manual:

'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

 

'It cannot really be trusted', is it true?

Correct, it cannot be trusted and it should not be used for anything other than logging purposes.

 

It is just a header that is sent with the HTTP request. It can be set to anything and in fact web proxy scripts, such as phpproxy, set it to the domain in the URL that is being requested. There is no guarantee that if it matches your domain that the request came from someone who already visited one of your web pages.

 

If you want to test if a form submission came from someone or a bot script that at least visited your form page, you need to set a session variable on your form page and test if that session variable exists in your form processing code. Unset the session variable in the form processing code to prevent a bot script from visiting your form page once and making multiple submissions to your form processing code.

Correct, it cannot be trusted and it should not be used for anything other than logging purposes.

 

It is just a header that is sent with the HTTP request. It can be set to anything and in fact web proxy scripts, such as phpproxy, set it to the domain in the URL that is being requested. There is no guarantee that if it matches your domain that the request came from someone who already visited one of your web pages.

 

If you want to test if a form submission came from someone or a bot script that at least visited your form page, you need to set a session variable on your form page and test if that session variable exists in your form processing code. Unset the session variable in the form processing code to prevent a bot script from visiting your form page once and making multiple submissions to your form processing code.

 

Thank you. This is the better idea.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.