Stop XS posting?

I've tried this:

<?php
// Referer-based check: read the header (it may be absent) and look for the marker.
$xsblock = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$url = "testchan";
$pos = strpos($xsblock, $url);
// strpos() returns 0 when the match is at offset 0, so compare with === rather than ==
if ($pos === false) {
die();
} else {
echo "content content content content content content content content";
}
?>

 

How can I do this correctly?

Thanks in advance!  :)


should work, the $_SERVER['http_referer'] must not be getting set...

 

i.e. try this

//print the $_SERVER variables to see that the referer is being set.
print_r($_SERVER);

//test code
$xsblock = "http://www.bob.com/testchan";
$url = "testchan";
$pos = strpos($xsblock, $url);
// strpos() returns 0 for a match at offset 0, which == false would wrongly treat as "not found"
if ($pos === false) {
echo "not found";
} else {
echo "found";
}

It works fine, but anyone can easily put testchan in the url lol. Was just wondering if there's a better method of doing it.

Sorry, should've said that in the original post

HTTP_REFERER provides no real security. Web proxy scripts and spam bot scripts set it to match the site being requested.

 

You would need to set a session variable when your form is produced and check that it is set in the form processing code. Unset the session variable in your form processing code so that only one submission can be made for each visit to the form.

 

This will at least require that something visits your form before submitting to your form processing code and supports passing the session id between pages.

I'm blocking cross-site posting or url-malforming posting etc

Cause from the posting script page, I can do something like

"www.url.com/post.php?body=TEXT1&name=TEXT2&submit=Submit" and spam it in the address bar and mega-post

 

nevermind, just gonna implement recaptcha. This was fun to mess around with.
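As an added example (not code from this thread or from any of its posters), here is the session-variable approach PFMaBiSmAd describes, applied to the "post.php?body=TEXT1&name=TEXT2&submit=Submit" case: the form page mints a one-time token into the session, and the processing code accepts a submission only if the request is a POST that carries the matching token, then discards it so a second submission needs a fresh visit to the form. The file name post.php, the session key form_token, and the field names token, body and name are assumptions; the form and its handler share one script so it runs stand-alone under the PHP built-in server.

```php
<?php
// Added example, not the thread's code. Run with:
//   php -S 127.0.0.1:8080 post.php   then open http://127.0.0.1:8080/
// Hypothetical file name post.php; the form (GET) and the handler (POST) live here.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Typing post.php?body=...&submit=Submit into the address bar is a GET,
    // so it never reaches this branch at all.
    $sent   = isset($_POST['token']) ? (string) $_POST['token'] : '';
    $stored = isset($_SESSION['form_token']) ? (string) $_SESSION['form_token'] : '';

    // Consume the token first: pass or fail, this token is spent, so each
    // visit to the form allows exactly one submission.
    unset($_SESSION['form_token']);

    // An empty stored token means the form was never produced in this session.
    // hash_equals() is a constant-time string comparison.
    if ($stored === '' || !hash_equals($stored, $sent)) {
        http_response_code(403);
        exit('Form token missing or invalid. Load the form first and submit it once.');
    }

    $body = isset($_POST['body']) ? (string) $_POST['body'] : '';
    $name = isset($_POST['name']) ? (string) $_POST['name'] : '';
    // Real processing (saving the post) would go here; echo escaped values as a placeholder.
    echo 'Accepted post from ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
       . ': ' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: produce the form and mint a fresh token (random_bytes() needs PHP 7+).
$_SESSION['form_token'] = bin2hex(random_bytes(32));
$token = htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= $token ?>">
  <input type="text" name="name" placeholder="name">
  <textarea name="body"></textarea>
  <button type="submit" name="submit">Submit</button>
</form>
```

The token lives only in the server-side session and in the page that was actually served, so a script that never loaded the form has nothing to send; this is the same mechanism that frameworks ship as an anti-CSRF token. It still depends on the session id reaching the processing page (normally via the session cookie), which is the caveat PFMaBiSmAd gives above.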

What exactly are you trying to accomplish here?

really?..  :wtf:

 

Yes, really. As PFMaBiSmAd pointed out, HTTP_REFERER can be faked, so it provides no real security. There are different ways in which someone can perform cross-site attacks, and which method you're trying to prevent will guide the solution you use.

I realize that a referrer can be spoofed. Why do you think I just decided to use reCAPTCHA?
