NYCPHP Meetup

NYPHP.org

[nycphp-talk] Returning users from whence they came

csnyder chsnyder at gmail.com
Fri Jul 11 11:13:28 EDT 2008


On Fri, Jul 11, 2008 at 11:03 AM, Steve Manes <smanes at magpie.com> wrote:

> Daniel's #1 is an important point and one reason why I avoid relying on
> HTTP_REFERER at almost all costs.  Because the browser sends this it means
> it can be spoofed.  Worst case, it's like allowing a potentially tainted
> global variable into your application unless you're very careful about
> vetting it.

In the case that Paul is describing it's okay to trust it _as much as
you would trust any other user-submitted value_. You should always
html_entities encode a referer when displaying it on a page, just like
any other value in $_SERVER, $_GET, $_POST, or $_COOKIE.

Granted, there are all kinds of reasons not to provide back links.
Users aren't really expecting them, the referer is not always going to
be there, and it potentially leaves your site open to Google abuse,
because suddenly your site has links back to anybody else's website.

But at the end of the day if you want to redirect people back to where
they came from (like Paypal does, for instance, after you make a
payment), you have no choice but to rely on the referer.
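As an added example (not code from the original post or thread): HTTP_REFERER treated exactly like any other user-submitted value, htmlentities()-encoded before it lands in a back link, and accepted as a redirect target only when it points at a host in an allow-list, so a spoofed header cannot turn the "send them back" feature into an open redirect. The host list and sample requests are constructed for illustration.

```php
<?php
// Added example, not from the original post. HTTP_REFERER is user-controlled:
// (1) when displayed, encode it like any $_SERVER/$_GET/$_POST/$_COOKIE value;
// (2) when redirecting, only bounce the user to hosts we explicitly allow.

/** HTML fragment for a "back to where you came from" link, or '' if unusable. */
function backLinkHtml(array $server): string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    // Only http(s) URLs belong in an href; refuse javascript:, data:, etc.
    if (!preg_match('#^https?://#i', $ref)) {
        return '';
    }
    $safe = htmlentities($ref, ENT_QUOTES, 'UTF-8');
    // nofollow keeps the back link from reading as an endorsement to search engines
    return '<a href="' . $safe . '" rel="nofollow noopener">Go back</a>';
}

/** Referer URL if it points at an allowed host, otherwise null (use a default page). */
function safeRedirectTarget(array $server, array $allowedHosts): ?string
{
    $ref   = $server['HTTP_REFERER'] ?? '';
    $parts = parse_url($ref);
    if ($parts === false || empty($parts['host'])) {
        return null;                       // absent or unparsable referer
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                       // foreign or spoofed host: do not redirect there
    }
    return $ref;
}

// Constructed sample requests (hypothetical hosts, not real traffic).
$allowed = ['www.example.com'];
$cases = [
    ['HTTP_REFERER' => 'https://www.example.com/cart?item=3'],          // allowed
    ['HTTP_REFERER' => 'http://other.example.net/?q="><b>x</b>'],      // encoded, not redirected
    ['HTTP_REFERER' => 'javascript:alert(1)'],                          // rejected for both
    [],                                                                 // header missing
];
foreach ($cases as $srv) {
    echo backLinkHtml($srv), "\n";
    var_dump(safeRedirectTarget($srv, $allowed));
}
```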


