shane07 Posted June 18, 2009

Can anybody explain which server variable contains the full path of the file that is being posted to the current page? Actually I want to check if the form is being submitted through the same domain or not.

RussellReal Posted June 18, 2009

$_SERVER['HTTP_REFERER']

shane07 Posted June 18, 2009

The following is written in the PHP manual:

'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

'It cannot really be trusted', is it true?

PFMaBiSmAd Posted June 18, 2009

Correct, it cannot be trusted and it should not be used for anything other than logging purposes. It is just a header that is sent with the HTTP request. It can be set to anything and in fact web proxy scripts, such as phpproxy, set it to the domain in the URL that is being requested. There is no guarantee that if it matches your domain that the request came from someone who already visited one of your web pages.

If you want to test if a form submission came from someone or a bot script that at least visited your form page, you need to set a session variable on your form page and test if that session variable exists in your form processing code. Unset the session variable in the form processing code to prevent a bot script from visiting your form page once and making multiple submissions to your form processing code.

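The session-variable check described in the reply above, as an added example that is not code from the thread. It goes one step further than testing that the variable exists: the variable holds a random value that the form must post back. The names issue_form_token, consume_form_token and form_token are hypothetical, and the form page and the processing code are assumed to live in one script.

```php
<?php
// Added example: single-use form token kept in the session.
// issue_form_token, consume_form_token and form_token are hypothetical names.
session_start();

// Form page: create a random token, remember it in the session, return it for the form.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Processing code: accept only if the session holds a token and the posted value
// matches it. The token is unset either way, so one visit to the form page
// allows at most one submission.
function consume_form_token($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);

    if (!is_string($expected) || !is_string($submitted)) {
        return false; // form never loaded, token already used, or field missing
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, already used, or invalid. Reload the form.');
    }
    // Token was valid: handle the submission here.
    $raw  = $_POST['name'] ?? '';
    $name = is_string($raw) ? htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') : '';
    exit("Thanks, {$name}. Submission accepted.");
}

$token = issue_form_token();
?>
<form method="post">
    <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="name">
    <button type="submit">Send</button>
</form>
```

A script that first fetches the form in its own session still passes this check once per fetch; what the check rules out is a submission with no prior visit, a replayed submission, and a post from another site that cannot read the token.
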
shane07 Posted June 18, 2009

Thank you. This is the better idea.