swshaun Posted August 12, 2007

Hello there folks,

This is my first time at posting here, so a big hello to everyone... I am kind of a beginner to this, so please be gentle with me ;D

Right, to business... I am in the process of writing a CMS from scratch which uses PHP5.0.2 and MySQL. What I have is a script which generates a batch of "UPDATE <table> SET <amendment> WHERE <criteria>" for amendment to my databases. Output from other scripts via POST data is taken to build the statements.

Now what I want is a simple way of displaying a message which is subject to the referring page. I had toyed with the idea of using $_SERVER['HTTP_REFERER'];, however reading the threads and other forums forewarns against using this due to the security risk.

My code checks for the existence of POST data to begin with (otherwise the statements cannot be built), so I was wondering if using the method mentioned above would be acceptable, as there would be no benefit in feigning the headers in the first place; it would get the hacker/spammer nowhere.

If there are any other security risks in doing this then please enlighten me.

Thanks in advance

Shaun

Wuhtzu Posted August 12, 2007

I know people, myself included, tend to call it a security risk but actually I think it's the wrong word to use. Using $_SERVER['HTTP_REFERER'] in your code won't allow anyone to take control of your server, execute malicious code or anything like that. All it does is to hold the HTTP referer header which is sent by the user agent and possibly manipulated by the user.

So the only security risks you deal with are the ones you create yourself by thoughtless use of $_SERVER['HTTP_REFERER']. For example it would be stupid to create a login system based on this header since it can be manipulated, but if you do something like this:

```php
<?php
// The Referer header is optional, so check that it is set before reading it.
$http_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if ($http_referer) {
    // Escape the client-supplied value before writing it into the page.
    echo "This page referred you here: " . htmlspecialchars($http_referer, ENT_QUOTES);
} else {
    echo "No page referred you here";
}
?>
```

there obviously is no problem since the user can't gain anything from manipulating the header.

If you want more specific opinions on the security of your project or code please post it.
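
An added example, not part of either post above: one way to pick the "message subject to the referring page" while treating the header as untrusted input, using it only as a lookup key into a fixed list. The host name `cms.example`, the script paths and the message texts are hypothetical, and the syntax assumes PHP 7.1 or later rather than the PHP 5.0.2 mentioned in the question.

```php
<?php
// Added example: choose a status message from the Referer header without
// trusting it. Host and paths below are hypothetical placeholders.
const SITE_HOST = 'cms.example';

// Allowlist: referring script path => message to display.
const REFERER_MESSAGES = [
    '/admin/edit_page.php' => 'Page changes saved.',
    '/admin/edit_user.php' => 'User record updated.',
];

/**
 * Map a raw Referer value to a fixed message. The header is client-supplied,
 * so it is only used as a lookup key and never printed or put into SQL.
 */
function message_for_referer(?string $referer): string
{
    $default = 'Update complete.';
    if ($referer === null || $referer === '') {
        return $default;               // header absent (stripped by proxy or browser)
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return $default;               // malformed value
    }
    if (strcasecmp($parts['host'], SITE_HOST) !== 0) {
        return $default;               // another site, or a forged header
    }
    return REFERER_MESSAGES[$parts['path']] ?? $default;
}

// Constructed sample inputs, including a forged value carrying markup.
$samples = [
    'http://cms.example/admin/edit_page.php?id=7',
    'http://other.example/admin/edit_page.php',
    'http://cms.example/"><b>x</b>',
    null,
];
foreach ($samples as $sample) {
    // Escape on output even though the messages are constants.
    echo htmlspecialchars(message_for_referer($sample), ENT_QUOTES, 'UTF-8'), "\n";
}
// In the CMS itself: message_for_referer($_SERVER['HTTP_REFERER'] ?? null)
```

Because the header only selects among fixed strings, a forged value can at most change which harmless message is shown; it should not be used to decide whether the UPDATE statements run.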