Re: secure alternative to HTTP_REFERER

On Tue, April 24, 2007 9:35 am, AraDaen wrote:
> I'm looking for info about a secure alternative to the use of
> $_SERVER['HTTP_REFERER'] to check in a script from where the
> $_POST vars are arriving.
>
> Any suggestion?

HTTP_REFERER is not even reliably sent by all browsers, much less
useful as a security device...

So you're kind of like asking for a valid replacement of a bicycle
chain used as an ice cream cone to start with...

If you want to be certain that a user has come "from" a previous page,
and you control the output of that page, it's pretty easy, really...

You can generate a unique id (http://php.net/uniqid) and embed that in
any FORM or A tags (or JS code) as well as in your DB, and then
compare the token they send with what you have.

It's no guarantee that somebody else didn't sniff the HTTP exchange
and is spoofing that they are the original recipient, however...

If you have no control over the previous page's HTML, there's nothing
you can do at all, and HTTP_REFERER is pretty unreliable.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
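The token scheme described in the reply above, written out as an added example (not code from the original post or its author). It assumes the PHP session stands in for the "DB" the post mentions, and it uses random_bytes() rather than uniqid(), since uniqid() is derived from the clock and is not a random value.

```php
<?php
// Added example, not from the original post. The session is used as the
// server-side store for the token (the post suggests a DB; either works).
// random_bytes() (PHP 7+) replaces uniqid() because uniqid() is time-based.

session_start();

// Generate a fresh token, remember it server-side, and return it for embedding.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

// Validate the token the browser sent back: one-time use, short lifetime.
function check_form_token(?string $sent, int $max_age = 900): bool {
    $stored = $_SESSION['form_token'] ?? null;
    $issued = $_SESSION['form_token_issued'] ?? 0;
    // Consume the token whether or not it matches, so it cannot be retried.
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);
    if ($stored === null || $sent === null) {
        return false;
    }
    if (time() - $issued > $max_age) {
        return false;
    }
    // hash_equals() compares in constant time, avoiding a timing leak.
    return hash_equals($stored, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or already used.');
    }
    // ... the $_POST data can now be treated as coming from our own form ...
    echo 'OK';
} else {
    // Render the form with the token embedded as a hidden field.
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<input type="text" name="comment">'
       . '<input type="submit" value="Send">'
       . '</form>';
}
```

As the reply notes, a token like this proves the request came through your form but does not stop someone who can read the HTTP exchange from replaying it; serving both pages over HTTPS is what addresses the sniffing case.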

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

