HELP! Variable Matching to prevent misuse.

  • GH HM

    HELP! Variable Matching to prevent misuse.

    Ok, bear with me... I'm not sure if my working is correct here, but see if you
    can understand what I am trying to do...

    We have a php script that processes some form data and deposits it into a
    mysql database and emails the contact information to our sales team.

    I want to protect the script from being called from anyplace other than the
    URL on which the form is.

    My thinking was that if I did an if/elseif check to verify that $HTTP_REFERER
    is equal to the URL of the script, I would be in good shape... and I
    think it will be, except I can't seem to get it to work.

    What I have right now is:

    if ($HTTP_REFERER = "http://domain.com/formurl") {
    main script is executed (about 30 lines of code, basic stuff)
    } else {
    echo "Execution of this script is not allowed outside of our domain"; }

    Now what appears to be happening is that $HTTP_REFERER is always set to
    http://domain.com/formurl even if I call the script directly and my browser is
    on Yahoo... it appears to be setting the environment variable for me instead
    of checking it.

    Any help in fixing this most basic problem would be appreciated.

    Oh, I'm using PHP 4.3.2.

    Cheers,

    Gary


  • Jon Kraft

    #2
    Re: HELP! Variable Matching to prevent misuse.

    GH HM <garyhartl@hotmail.com> wrote:
    > We have a php script that processes some form data and deposits it into a
    > mysql database and emails the contact information to our sales team.
    >
    > I want to protect the script from being called from anyplace other than
    > the URL in which the form is on.
    >
    > My thinking was that if i did a if/elseif check to verify that
    > $HTTP_REFERER is equal to the URL of the script that i would be in good
    > shape....and i think it will be except i can't seem to get it to work.
    >
    > what I have right now is
    >
    > if ($HTTP_REFERER = "http://domain.com/formurl") {
    > main script is executed (about 30 lines of code, basic stuff)
    > } else {
    > echo "Execution of this script is not allowed outside of our domain"; }

    Hi Gary,
    First of all, you probably have register_globals off, so it's:
    $_SERVER['HTTP_REFERER'];

    Secondly, you assign the value there, you don't compare:

    if ($_SERVER['HTTP_REFERER'] == "http://domain.com/formurl") {

    And finally, the problem is that not all browsers actually send the referer, so
    the submission would then actually fail.

    A better solution would be setting a session variable on the form page,
    which would be hard to fake.

    HTH,
    Jon
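
    The following is an added example written for this page, not code from Gary or
    Jon, putting Jon's three points together in one file: read the referer from
    $_SERVER (not a register_globals variable), compare with == rather than assign
    with =, and treat the referer as advisory only, because the Referer header is
    optional and is supplied by the client, so anything that wants to misuse the
    script can simply send the expected value. What actually ties a submission to
    the form page is a random token that the server stores in the session when it
    renders the form and checks when the form comes back; a request that did not
    first load the form in that session has no way to know it. Assumptions: the
    form and its handler share this one file (reached at the URL from the thread,
    http://domain.com/formurl), PHP 7 or later for random_bytes() and hash_equals(),
    and the database insert and sales e-mail from Gary's existing script go where
    the comment says. On PHP 4.3 you would substitute md5(uniqid(rand(), true)) for
    the token generation and a plain === for hash_equals().

```php
<?php
// Added example, not the original poster's code. Assumes this file is both the
// form page and its handler, and that sessions are configured (session.save_path).
session_start();

// The form page URL from the thread; assumed to be where this file is served.
$formUrl = 'http://domain.com/formurl';

// Referer check: advisory only. Browsers, privacy extensions and proxies may
// omit or strip the header, and a deliberate caller can set it to anything.
// Note '===' (comparison). Gary's '=' assigned the string and was always true.
function referer_looks_right(string $expected): bool {
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    return $ref === $expected;          // exact match, not strpos()/substring
}

// Issue a per-session, unguessable token and remember it server-side.
function issue_form_token(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// A submission is valid only if it carries the exact token this session was given.
function submission_is_valid(array $post, array $session): bool {
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token']    ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // Constant-time comparison; a loose '==' would also apply PHP type juggling.
    return hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!submission_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        echo 'Execution of this script is not allowed outside of our domain.';
        exit;
    }
    // Single use: drop the token so a replayed POST is rejected.
    unset($_SESSION['form_token']);

    if (!referer_looks_right($formUrl)) {
        // Log rather than reject, so users whose browsers omit Referer still get through.
        error_log('form submission with missing or unexpected Referer');
    }

    $name  = trim($_POST['name']  ?? '');
    $email = trim($_POST['email'] ?? '');
    // The existing ~30 lines (MySQL insert via prepared statements, mail to sales) go here.
    echo 'Thanks, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with the token as a hidden field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= $token ?>">
  <label>Name <input name="name"></label>
  <label>E-mail <input name="email"></label>
  <button type="submit">Send</button>
</form>
```

    To see the difference between the two checks, submit the form normally (accepted),
    then replay the same POST with the Referer header set to the form URL but without
    the hidden token, or after the session cookie has been cleared: the referer check
    is satisfied, the token check is not, and the handler returns 403.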
