HELP! Variable matching to prevent misuse.

OK, bear with me... I'm not sure if my working is correct here, but see if you
can understand what I am trying to do here...

We have a PHP script that processes some form data and deposits it into a
MySQL database and emails the contact information to our sales team.

I want to protect the script from being called from anywhere other than the
URL the form is on.

My thinking was that if I did an if/elseif check to verify that $HTTP_REFERER
is equal to the URL of the script that I would be in good shape.... and I
think it will be, except I can't seem to get it to work.

What I have right now is:

if ($HTTP_REFERER = "http://domain.com/formurl") {
    // main script is executed (about 30 lines of code, basic stuff)
} else {
    echo "Execution of this script is not allowed outside of our domain";
}

Now what appears to be happening is that $HTTP_REFERER is always set to
http://domain.com/formurl even if I call the script directly and my browser is
on Yahoo.... it appears to be setting the environment variable for me instead
of checking it.

Any help in fixing this most basic problem would be appreciated.

Oh, I'm using PHP 4.3.2.

Cheers,

Gary
Jul 17 '05 #1
GH HM <ga*******@hotmail.com> wrote:
> We have a PHP script that processes some form data and deposits it into a
> MySQL database and emails the contact information to our sales team.
>
> I want to protect the script from being called from anywhere other than
> the URL the form is on.
>
> My thinking was that if I did an if/elseif check to verify that
> $HTTP_REFERER is equal to the URL of the script that I would be in good
> shape.... and I think it will be, except I can't seem to get it to work.
>
> What I have right now is:
>
> if ($HTTP_REFERER = "http://domain.com/formurl") {
>     // main script is executed (about 30 lines of code, basic stuff)
> } else {
>     echo "Execution of this script is not allowed outside of our domain";
> }


Hi Gary,
First of all, you probably have register_globals off, so it's:
$_SERVER['HTTP_REFERER'];

Secondly, you assign the value there; you don't compare:

if ($_SERVER['HTTP_REFERER'] == "http://domain.com/formurl") {

And finally, the problem is that not all browsers actually send the referer, so
the submission would then fail.

A better solution would be setting a session variable on the form page,
which would be hard to fake.

HTH,
Jon
Jul 17 '05 #2
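Jon's session-variable suggestion, worked through as an added example (this is not code from the thread or from either poster). The form page and the handler live in one script: a GET renders the form with a random token that is also stored in the session; a POST is accepted only if the submitted token matches the stored one in constant time, is unused and is younger than 30 minutes. The Referer comparison from the thread is kept in its corrected `===`-style form but only logged, never used as the gate, for the reason Jon gives. Assumptions: PHP 7 or later (random_bytes, hash_equals, the `??` operator; the thread's PHP 4.3.2 has none of these), the FORM_URL constant, the field names, and the 30-minute lifetime are all invented for the example.

```php
<?php
// Added example, not from the original thread. Requires PHP 7+.
declare(strict_types=1);

session_start();

// Assumed for illustration only: the page the form is served from.
const FORM_URL = 'https://domain.com/formurl';

/** Issue a fresh random token, store it server-side and return it for the hidden field. */
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

/**
 * Validate a submitted token against the session copy.
 * Single use (cleared on every attempt), 30-minute lifetime, constant-time compare.
 */
function consumeFormToken(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    $issued   = $_SESSION['form_token_issued'] ?? 0;
    // Clear regardless of outcome so a token cannot be replayed or brute-forced.
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);

    if ($expected === null || $submitted === null) {
        return false;
    }
    if (time() - (int) $issued > 1800) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Referer is advisory only: many clients omit it and any client can set it.
    // Compare it correctly (this is the fix to the thread's "=" typo) but only log a mismatch.
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if (strpos($referer, FORM_URL) !== 0) {
        error_log('form submit with missing or unexpected Referer: ' . $referer);
    }

    // The real gate: the per-session token from the hidden field.
    if (!consumeFormToken($_POST['form_token'] ?? null)) {
        http_response_code(403);
        echo 'Form submission rejected: missing, reused or expired token.';
        exit;
    }

    // Token accepted: this is where the original ~30 lines would run
    // (insert into MySQL with a prepared statement, email the sales team, etc.).
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if ($email === false || $email === null) {
        http_response_code(400);
        echo 'Please supply a valid e-mail address.';
        exit;
    }
    echo 'Thanks, we will be in touch at ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form and bind a fresh token to this visitor's session.
$token = issueFormToken();
?>
<form method="post" action="">
  <label>E-mail <input type="email" name="email" required></label>
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Contact sales</button>
</form>
```

The token lives in the session, so a request that never loaded the form page has nothing to present, whatever Referer it claims; clearing the stored token on every attempt keeps a captured token from being replayed. The Referer check stays useful as a log signal for spotting misdirected or scripted submissions without breaking visitors whose browsers strip the header.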
