[nycphp-talk] Forms & Refresh Question & General Form Security

Pinyo Bhulipongsanon pinyo at nyc.rr.com
Fri May 16 16:04:41 EDT 2003


Chris,

Thank you for your comment. What are some of the browsers that do not support
http_referrer?

Pinyo


----- Original Message ----- 
From: "Chris Shiflett" <shiflett at php.net>
To: "NYPHP Talk" <talk at nyphp.org>
Sent: Friday, May 16, 2003 2:30 PM
Subject: RE: [nycphp-talk] Forms & Refresh Question & General Form Security


> --- "Bhulipongsanon, Pinyo" <Pinyo.Bhulipongsanon at usa.xerox.com> wrote:
> > > You do realize you're basically trusting the user with the value of
> > > status, right? I hope you're not using that for anything important.
> >
> > First, can't we improve this with session variable instead of $_GET
> > variable?
>
> Yes, good suggestion.
>
> > Second, you can always check for a valid $HTTP_REFERRER
>
> The Referer header is not required by the HTTP specification, even in 1.1, so
> relying on that is not necessarily a good idea. You will basically render your
> application useless to any Web client that does not provide this *optional*
> HTTP header. If you want to do that, it's fine, so long as you are taking that
> caveat into consideration.
>
> Chris
>
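
The two suggestions in the thread put together, as an added example that is not code from either poster: the form's status is kept in the session rather than in a $_GET parameter, and the Referer check is advisory only, since the header is optional and a missing one must not lock the client out. The helper names, the redirect-after-POST step (assumed from the "Refresh" part of the subject) and the error_log call are assumptions.

```php
<?php
// Added example (not from the thread): session-held status plus an
// advisory Referer check. Helper names are assumed.
session_start();

// The server decides the status and records it in the session, so the
// client cannot set status=submitted by editing the query string.
function markFormSubmitted(): void
{
    $_SESSION['status'] = 'submitted';
}

// Later requests read the status from the session, not from the URL.
function isFormSubmitted(): bool
{
    return isset($_SESSION['status']) && $_SESSION['status'] === 'submitted';
}

// Referer as Chris describes it: the header is optional, so an absent one
// proves nothing and is allowed; only a present header naming another host
// is treated as suspicious.
function refererLooksForeign(string $expectedHost): bool
{
    if (empty($_SERVER['HTTP_REFERER'])) {
        return false; // absent header: cannot conclude anything
    }
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    if ($host === null || $host === false) {
        return false; // unparsable value: treat like an absent header
    }
    return strcasecmp($host, $expectedHost) !== 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (refererLooksForeign($_SERVER['HTTP_HOST'] ?? '')) {
        // Log for review instead of rejecting the request outright.
        error_log('form post with foreign Referer: ' . $_SERVER['HTTP_REFERER']);
    }
    markFormSubmitted();
    // Assumed Post/Redirect pattern: a browser refresh after this redirect
    // re-requests the page by GET instead of resubmitting the form.
    header('Location: ' . $_SERVER['PHP_SELF']);
    exit;
}

echo isFormSubmitted() ? 'Thanks, your form was received.' : 'Please fill in the form.';
```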
