'HTTP_REFERER' can't be trusted

From the PHP manual:

‘HTTP_REFERER’
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

How can anyone modify the HTTP_REFERER???
Because I want to use this to check if the user is really running the PHP from my domain or not!
How can I check it?
Thanks in advance,
peleg


5 Comment(s)

@solavar, Aug 24, 2004 — The HTTP_REFERER is very easy to fake if someone uses cURL.

Take the following...

1: Your site: www.yoursite.com

2: My site: www.mysite.com

[code=php]
<?php
// Build the POST body the way the target script expects it
// (this variable was left undefined in the original snippet)
$urlstring = http_build_query(['field' => 'value']);

$ch = curl_init("http://www.yoursite.com/somefile.php");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $urlstring);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
// The client picks the Referer value; the server has no way to verify it
curl_setopt($ch, CURLOPT_REFERER, "http://www.yoursite.com/yourfile.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
[/code]

When your server processes this request, it will think that the REFERER is:

www.yoursite.com/yourfile.php

So if you are thinking of using HTTP_REFERER to check whether or not a request is coming from outside, forget it.
@shimon, Aug 24, 2004 — Or just telnet into port 80 of the host:

[code]
GET / HTTP/1.1
Host: www.example.com
Referer: http://www.someothersite.com

[/code]

That sort of thing.
@Stephen_Philbin, Aug 25, 2004 — I take it sending a variable in a hidden $_POST somehow would be the best bet?
@shimon, Aug 26, 2004 — It might be a solution in some cases - but it would be easier to 'fake' that than it would be to fake HTTP_REFERER.

Funny thing is, in 4 years working with PHP I've never had occasion to run any check on the value of the referer - I would typically only ever use it for logging.

And so I can't help but wonder what pelegk1 means by:

[quote]I want to use this to check if the user is really running the PHP from my domain or not![/quote]

Surely, if the PHP is running, it's running on your webserver, no? Or am I missing the point. Would be interested to know what you're trying to achieve.
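As an added example (not code from this thread), here are the two checks the replies discuss side by side for a script that should only be reached from pages on www.yoursite.com (a hypothetical host): the Referer comparison from the question, and the session-bound token that a hidden POST field needs in order to be worth anything. It assumes session_start() has already been called.

```php
<?php
// 1. Referer check. A weak heuristic at best: the header is chosen by the
//    client, so cURL, telnet or a modified Flash movie can send any value,
//    and many browsers send no Referer at all.
function referer_matches_host(array $server, string $expected_host): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// 2. Session-bound token. The page (or the loader that embeds the Flash
//    movie) calls issue_request_token() when it is rendered and puts the
//    value in a hidden POST field. The script then only accepts requests
//    that carry the token stored in the same server-side session, so a
//    request built outside that session (a cURL script, an iframe on
//    someone's desktop) has no valid value to send.
function issue_request_token(): string
{
    $token = bin2hex(random_bytes(32));   // 64 hex chars, unguessable
    $_SESSION['request_token'] = $token;
    return $token;
}

function request_token_is_valid(array $post): bool
{
    if (empty($_SESSION['request_token']) || empty($post['token'])) {
        return false;
    }
    // Constant-time comparison; avoids leaking the token via timing
    return hash_equals($_SESSION['request_token'], (string) $post['token']);
}

// Usage in the target script (hypothetical names):
// if (!request_token_is_valid($_POST)) {
//     http_response_code(403);
//     exit;
// }
```

The token stops requests made outside a server-issued session, but not a user who drives his own valid session with a modified client, so the script must still validate on the server everything the Flash movie asks it to do.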
@pelegk1 (author), Aug 27, 2004 — [QUOTE]Surely, if the PHP is running, it's running on your webserver, no? Or am I missing the point. Would be interested to know what you're trying to achieve.[/QUOTE]

Well, what I meant was:

I have a Flash program that runs on my domain!

Now say the user took the Flash from the cache of his browser,

opened it, looked at the code and made his own new Flash with the code I wrote, and will call the script that I call from the Flash and actually hack what I am doing in the Flash.

My point is: can I check that the user that accesses the script runs it under my domain? And not from Flash software, or by putting an HTML page on his desktop with an iframe and loading the page into the iframe and by that getting data!

Can I in any way check that the called script was from a browser under my domain and not from a browser running an HTML page from the desktop?

Thanks in advance,

peleg