Member Avatar for Meonia

Hi,
I'm doing a check against HTTP_REFERER after a simple form is submitted, just as an additional security measure. What's happening is that the check always fails when the script is running on the remote server, but works as intended if I test it on my localhost server.

Here's the simplified code:

if (isset($_POST['submit'])) {
	$referer = getenv("HTTP_REFERER");
	if (strtolower(substr($referer,0,17)) != "http://foobar.com") 
		die("Invalid Referer");

	// else do form processing
}

This always gives "Invalid Referer" even when the substr match is exact - I've echoed the referer to make sure it's what I was expecting, and I've double checked the length for the real referer url used.

If I just change the substring tested to "http://localhost/" and run the script on my localhost server it works properly and this gets past the check:

I can't work out why this isn't working on the remote server - any ideas?

Thanks.

  • 3 Contributors
  • 3 Replies
  • 218 Views
  • 7 Hours Discussion Span
  • Latest Post Latest Post by Meonia

Recommended Answers

All 3 Replies

Member Avatar for sv3tli0

try to echo the $referer string before the last check .. See what it will show you

Member Avatar for eXpertPHP

The explanation of $_SERVER from http://php.net/manual/en/reserved.variables.server.php

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

To check if is set, just use:

<?php echo isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'Referer is not set'; ?>

Note: the user may have the abilities to disable/modify referer value from browser/navigator/agent, because referer value is optional, and not a standard/required value.

Edited by eXpertPHP because: n/a
Member Avatar for Meonia

Thanks guys. I feel like a complete plank now and found out what was wrong ... you know what it's like when you get so caught up in something you don't spot the obvious!! Because of how I'd been testing things, I realised I wasn't using the www prefix, but was testing as if I was DOH!

I put it down to overwork and lack of sleep!!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.