Re: Re: strpos error (I'm missing something obvious)

I'd suggest the following *slight* enhancement to make sure that the
HTTP_REFERER actually *begins* with the site name, not simply contains
it.

// prevents visits from pages like
// http://badsite.com/form.htm?http://www.wnc.edu
if (strpos($referer, $site) === 0)
{
    echo 'yes';
}

(or, if you like the preg solution)
// preg_quote() keeps the dots in $site from matching any character
if (preg_match('%^' . preg_quote($site, '%') . '%', $referer))
{
    //....
}

However, I'd argue that the effectiveness of checking the referrer
itself could be considered "negligible", and hardly "foolproof". The
header is easily spoofed in scripts, and may not even be sent at all
by legitimate clients because of various browser and/or personal
firewall options.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
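
Added example, not part of the original message: a sketch that compares the parsed scheme and host of the referer against the site instead of testing a string prefix, since a prefix test also accepts hosts that merely start with the site name. It goes slightly beyond the case in the message; the function name referer_matches_site() and all sample URLs are constructed for illustration, and the check stays advisory because the header can be forged or absent.

```php
<?php
// Hypothetical helper: true only when the Referer's scheme, host and port
// equal those of $site. Advisory only, the client controls this header.
function referer_matches_site(?string $referer, string $site): bool
{
    if ($referer === null || $referer === '') {
        return false; // header not sent; the caller decides how to treat this
    }
    $ref = parse_url($referer);
    $exp = parse_url($site);
    if ($ref === false || $exp === false
        || !isset($ref['scheme'], $ref['host'], $exp['scheme'], $exp['host'])) {
        return false; // unparsable or relative URL
    }
    // Scheme and host are case-insensitive; compare them whole, not as prefixes.
    // An explicit default port (":80") is treated as different from no port.
    return strcasecmp($ref['scheme'], $exp['scheme']) === 0
        && strcasecmp($ref['host'], $exp['host']) === 0
        && ($ref['port'] ?? null) === ($exp['port'] ?? null);
}

$site = 'http://www.wnc.edu';

// Constructed sample values for the Referer header.
$samples = [
    'http://www.wnc.edu/form.htm',                     // legitimate page
    'http://badsite.com/form.htm?http://www.wnc.edu',  // site name in the query
    'http://www.wnc.edu.badsite.com/form.htm',         // site name as host prefix
    'http://www.wnc.edu@badsite.com/form.htm',         // site name as userinfo
    null,                                              // header absent
];

foreach ($samples as $referer) {
    $prefix = $referer !== null && strpos($referer, $site) === 0;
    printf(
        "%-50s prefix=%-5s origin=%s\n",
        var_export($referer, true),
        var_export($prefix, true),
        var_export(referer_matches_site($referer, $site), true)
    );
}
```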

