[nycphp-talk] Returning users from whence they came
Steve Manes
smanes at magpie.com
Fri Jul 11 11:03:13 EDT 2008
Daniel Convissor wrote:
> You misunderstand what http referer does. In addition, be careful of
> what some other folks have posted in this thread, they're
> misunderstanding your situation, so may confuse you further.
>
> Here are several key points:
>
> * it is set by the browser
> * it gets sent in the HTTP headers when requesting a page
> * it indicates the URI a hyperlink was found on
Daniel's #1 is an important point and one reason why I avoid relying on
HTTP_REFERER at almost all costs. Because the browser sends this it
means it can be spoofed. Worst case, it's like allowing a potentially
tainted global variable into your application unless you're very careful
about vetting it.
In my pre-PHP days, in fact my very early web days circa 1995, my web
server got hacked because of a cleverly configured, spoofed HTTP_REFERER
I was using to regulate access to a vintage motorcycle image archive and
provide a back link. I learned a lotta security lessons from that
episode, including not to trust ANYTHING the browser hands me.
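As an added illustration (not code from the original thread or from either poster), the pattern the post warns about next to the way a practitioner would handle the header today: HTTP_REFERER is vetted like any other tainted input and used only for the harmless back link, while access to the archive is decided by the server-side session. The host names, paths and session layout are constructed for the example.

```php
<?php
// Added example, not from the original thread. Host names, paths and the
// session key are constructed assumptions.

// WEAK: the browser supplies HTTP_REFERER, so this "check" only keeps out
// clients that did not bother to set the header. A substring match also
// matches look-alike hosts and paths that merely contain the site name.
function referer_gate_weak(array $server): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return strpos($ref, 'example.com') !== false;
}

// Access control comes from state the server created itself, never from
// a request header.
function archive_access_allowed(array $session): bool
{
    return !empty($session['user_id']);
}

// Use the referer only for the harmless purpose (a back link), and only
// after parsing and allow-listing it. Anything that fails falls back to
// a default link instead of being echoed.
function safe_back_link(?string $referer, array $allowedHosts, string $default = '/'): string
{
    if ($referer === null || $referer === '') {
        return $default;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default; // rejects javascript:, data: and similar schemes
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $default; // off-site and look-alike hosts are not trusted
    }
    // Re-emit only path and query as a site-relative link, so userinfo,
    // port and fragment supplied by the client never reach the page.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        return $default;
    }
    $link = $path;
    if (isset($parts['query']) && $parts['query'] !== '') {
        $link .= '?' . $parts['query'];
    }
    return $link;
}

// Constructed referer values to show how the two approaches differ.
$cases = [
    'https://example.com/gallery/vincent.html?page=2',
    'https://other.example.net/example.com/',
    'https://example.com.other.test/',
    'javascript:alert(1)',
    null,
];
foreach ($cases as $c) {
    $weak = referer_gate_weak(['HTTP_REFERER' => (string) $c]) ? 'pass' : 'fail';
    $back = safe_back_link($c, ['example.com']);
    printf("%-50s weak=%s back=%s\n", var_export($c, true), $weak, $back);
}

// Archive access is decided by the session, not by the header above.
$session = ['user_id' => 42]; // constructed: a logged-in user
printf("archive access: %s\n", archive_access_allowed($session) ? 'allowed' : 'denied');
```

When the returned link is written into HTML it still goes through htmlspecialchars() like any other output; the allow-listing above decides what the link points at, not how it is escaped.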