I'm doing a check against HTTP_REFERER after a simple form is submitted, just as an additional security measure. What's happening is that the check always fails when the script is running on the remote server, but works as intended if I test it on my localhost server.

Here's the simplified code:

if (isset($_POST['submit'])) {
	$referer = getenv("HTTP_REFERER");
	// "http://foobar.com" is 17 characters, so only that prefix is compared
	if (strtolower(substr($referer,0,17)) != "http://foobar.com")
		die("Invalid Referer");

	// else do form processing
}

This always gives "Invalid Referer" even when the substr match is exact - I've echoed the referer to make sure it's what I was expecting, and I've double checked the length for the real referer url used.

If I just change the substring tested to "http://localhost/" and run the script on my localhost server it works properly and this gets past the check:

I can't work out why this isn't working on the remote server - any ideas?


Try echoing the $referer string before the last check and see what it shows you.

The explanation of $_SERVER from http://php.net/manual/en/reserved.variables.server.php

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

To check if it is set, just use:

<?php echo isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'Referer is not set'; ?>

Note: the user may have the ability to disable or modify the referer value from the browser/navigator/agent, because the referer value is optional, not a standard/required value.
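As an added example (not code from the question or either answer), here is a referer check that compares the header's host against an allow-list instead of testing a fixed-length prefix. It shows why the substr() approach in the question rejects "http://www.foobar.com/..." (the www form is a different 17-character prefix), why a prefix match also accepts look-alike hosts, and how to treat the header as optional, as the manual text above warns. The host names foobar.com and www.foobar.com and the sample header values are constructed for illustration.

```php
<?php
// Added example, not the poster's code: compare the Referer's host against an
// allow-list rather than a fixed-length substring. Accepts http and https and
// both the bare and www host (assumed names), rejects a missing header.

function refererAllowed(?string $referer, array $allowedHosts): bool
{
    // The header is optional and set by the user agent: absent means "fail closed".
    if ($referer === null || $referer === '') {
        return false;
    }

    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // not an absolute URL, nothing to compare
    }

    // Only http/https origins count; host comparison is case-insensitive.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    $host = strtolower($parts['host']);
    foreach ($allowedHosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed sample Referer values (not captured traffic) and the expected result.
$allowed = ['foobar.com', 'www.foobar.com'];
$samples = [
    'http://foobar.com/form.php'               => true,
    'http://www.foobar.com/form.php'           => true,  // the www case substr(...,0,17) rejected
    'https://FOOBAR.com/form.php'              => true,  // scheme and case differences are fine
    'http://foobar.com.evil.example/'          => false, // 17-char prefix matches, host does not
    'http://evil.example/?x=http://foobar.com' => false,
    ''                                         => false, // header omitted by the user agent
];

foreach ($samples as $ref => $expected) {
    $ok = refererAllowed($ref, $allowed);
    printf("%-45s %s\n", $ref === '' ? '(no Referer)' : $ref, $ok === $expected ? 'ok' : 'MISMATCH');
}

// In the form handler itself (the header is user-controlled, so keep this as a
// secondary check alongside whatever the form's primary protection is):
// $referer = $_SERVER['HTTP_REFERER'] ?? null;
// if (!refererAllowed($referer, $allowed)) { die("Invalid Referer"); }
```

Run it with `php referer_check.php`; every sample should print `ok`. The allow-list holds hosts, not URL prefixes, so adding the www variant is a one-line change rather than a new string length to count.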

Thanks guys. I feel like a complete plank now and found out what was wrong ... you know what it's like when you get so caught up in something you don't spot the obvious!! Because of how I'd been testing things, I realised I wasn't using the www prefix, but was testing as if I was. DOH!

I put it down to overwork and lack of sleep!!