  #1  
Old July 17th, 2005, 10:57 AM
Dynamo
Guest
 
Posts: n/a
Default Help with simple email script please

Hi

I have used the following script within a simple form email to prevent the form
being used from an external url.
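<?php
// The Referer header is optional, so guard against it being absent
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// Get the URL of this page
$myurl = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
// If the referring URL and the URL of this page don't match then
// display a message and don't send the email.
if ($referer != $myurl) {
    echo "You do not have permission to use this script from another URL.<br>";
    // Both values come from the request, so escape them before echoing
    echo "Referer = " . htmlspecialchars($referer) . "<br>";
    echo "This url = " . htmlspecialchars($myurl) . "<br>";
    exit;
}
?>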
I added the last 2 echo statements to see why there was always a mismatch and
the email was never sent and found that:
$referer = http://mydomain/myemailscript.php
while
$myurl = http://mydomain

I can easily get round the problem by amending as follows:

$myurl=$myurl . "/myemailscript.php" but is this correct? Is
$_SERVER['HTTP_REFERER'] returning correctly?

Regards
Dynamo

  #2  
Old July 17th, 2005, 10:58 AM
iMedia
Guest
 
Posts: n/a
Default Re: Help with simple email script please

I have found that $_SERVER['HTTP_REFERER'] is not very reliable. I also
came across a document or two that also stated the referrer variable is
not reliable.

$myurl could be more reliable if you use:

if (!isset($_SERVER['REQUEST_URI'])) {
    $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'];
}

$myurl = "http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'];

A great resource:
http://us2.php.net/reserved.variables

This is one I use:
$page = $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
if (!eregi($page, $_SERVER['HTTP_REFERER'])){
echo "You are not authorized...";
}

function eregi() helps to find the important "needle" in the string
http://us2.php.net/manual/en/function.eregi.php

  #4  
Old July 17th, 2005, 10:58 AM
Tim Van Wassenhove
Guest
 
Posts: n/a
Default Re: Help with simple email script please

In article <1102785588.908212.108970@z14g2000cwz.googlegroups.com>, iMedia wrote:
> I have found that $_SERVER['HTTP_REFERER'] is not very reliable. I also
> came across a document or two that also stated the referrer variable is
> not reliable.
>
> $myurl could be more reliable if you use:
>
> if (!isset($_SERVER['REQUEST_URI'])) {
> $_SERVER['REQUEST_URI'] =
> $_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'];
> }
>

Following this group, I once saw this one:

function geturl()
{
    $ports = array('https' => 443, 'http' => 80);
    $prefix = empty($_SERVER['HTTPS']) ? 'http' : 'https';
    $url = $prefix . '://' . $_SERVER['HTTP_HOST'];
    // A non-default port belongs after the host; skip it when the
    // Host header already carries one
    if ($_SERVER['SERVER_PORT'] != $ports[$prefix]
        && strpos($_SERVER['HTTP_HOST'], ':') === false) {
        $url .= ':' . $_SERVER['SERVER_PORT'];
    }
    $url .= $_SERVER['REQUEST_URI'];
    return $url;
}


--
Met vriendelijke groeten,
Tim Van Wassenhove <http://www.timvw.info>
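
The Referer header discussed in this thread is supplied by the client, so it can be missing or forged, and comparing it cannot prove that a submission came from your own form. An added example (not code from any poster in this thread) of the usual alternative, a single-use token stored in the session when the form is rendered and checked on POST; the function names and the `form_token` field are assumptions.

```php
<?php
// Added example: session-bound, single-use form token instead of a Referer check.
// issue_form_token(), verify_form_token() and 'form_token' are hypothetical names.

function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $session['form_token'] = $token;
    $session['form_token_time'] = time();
    return $token;
}

function verify_form_token(array &$session, array $post, int $maxAge = 1800): bool
{
    $expected = $session['form_token'] ?? '';
    $issued   = (int) ($session['form_token_time'] ?? 0);
    $given    = $post['form_token'] ?? '';
    // Single use: discard the stored token whether or not the check passes
    unset($session['form_token'], $session['form_token_time']);
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;                        // no form was served, or field missing
    }
    if (time() - $issued > $maxAge) {
        return false;                        // form was rendered too long ago
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_SESSION, $_POST)) {
        http_response_code(403);
        exit('Please submit the message through the contact form.');
    }
    // ... validate the fields and send the mail here ...
    echo 'Message sent.';
} else {
    $token = issue_form_token($_SESSION);
    echo '<form method="post">',
         '<input type="hidden" name="form_token" value="',
         htmlspecialchars($token, ENT_QUOTES), '">',
         '<textarea name="message"></textarea>',
         '<button type="submit">Send</button></form>';
}
```

The token only shows that the same session loaded the form before posting; rate limiting and validation of the mail fields are still needed.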