Thanks for the info. I've modified the script to reflect that. I
actually ended up reversing it, and so I used !== 0 which should work
just the same.
All this is a minor portion of a much larger security scheme for an
intranet site (which is protected by an LDAP server), where I am just
trying to keep images outside the web directory, and want to prevent
people from linking directly to an image... the only way an image
displays is if they view the page, and not link directly to the
image. Not foolproof, I know, but I'm not dealing with the general
population here, just internal employees some of whom are more
computer savvy than others.
Thanks all for your help. It seems to be working now.
--
Kevin Murphy
Webmaster: Information and Marketing Services
Western Nevada College
www.wnc.edu
775-445-3326
P.S. Please note that my e-mail and website address have changed from
wncc.edu to wnc.edu.
On Oct 2, 2007, at 8:32 AM, Andrew Ballard wrote:
I'd suggest the following *slight* enhancement to make sure that the
HTTP_REFERER actually *begins* with the site name, not simply contains
it.
// prevents visits from pages like
// http://badsite.com/form.htm?http://www.wnc.edu
if (strpos($referer, $site) === 0)
{
    echo 'yes';
}
(or, if you like the preg solution)
// preg_quote() escapes the dots and slashes in $site so they match literally
if (preg_match('%^' . preg_quote($site, '%') . '%', $referer))
{
    //....
}
However, I'd argue that the effectiveness of checking the referrer
itself could be considered "negligible", and hardly "foolproof". The
header is easily spoofed in scripts, and may not even be sent at all
by legitimate clients because of various browser and/or personal
firewall options.
Andrew
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
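A worked PHP example of the two points made above, added here and not part of either message in the thread: the "begins with" check against the "contains" check, and Andrew's caveat that the header may be absent. The comparison is done on the parsed host rather than on a raw string prefix, which is an addition of mine (a prefix test on `http://www.wnc.edu` would also accept any host that merely starts with that name); the sample referers are constructed for the demo, and the site name is the one from the thread.

```php
<?php
// Added example, not code from the thread. Compares the Referer against the
// site by scheme and host, and reports a missing header as "unknown" (null)
// so the caller can decide how to treat it rather than silently denying.

function refererFromSite(?string $referer, string $site): ?bool
{
    // Browsers and personal firewalls may strip the header entirely
    // (Andrew's point); report that as null, not as a failed match.
    if ($referer === null || $referer === '') {
        return null;
    }

    $ref  = parse_url($referer);
    $want = parse_url($site);
    if ($ref === false || $want === false
        || !isset($ref['scheme'], $ref['host'], $want['scheme'], $want['host'])) {
        return false;
    }

    // Hostnames are case-insensitive; require the scheme to match as well.
    return strcasecmp($ref['host'], $want['host']) === 0
        && strcasecmp($ref['scheme'], $want['scheme']) === 0;
}

// Constructed referers for the demo.
$site = 'http://www.wnc.edu';
$samples = [
    'http://www.wnc.edu/gallery.php',                  // a page on the site itself
    'http://badsite.com/form.htm?http://www.wnc.edu', // contains the name (Andrew's case)
    'http://www.wnc.edu.badsite.com/',                // starts with the name, different host
    null,                                             // header not sent at all
];

foreach ($samples as $r) {
    $contains = ($r !== null) && strpos($r, $site) !== false; // the original "contains" test
    $prefix   = ($r !== null) && strpos($r, $site) === 0;     // Andrew's "begins with" test
    $host     = refererFromSite($r, $site);
    printf("%-50s contains=%-3s prefix=%-3s host=%s\n",
        var_export($r, true),
        $contains ? 'yes' : 'no',
        $prefix ? 'yes' : 'no',
        $host === null ? 'unknown' : ($host ? 'yes' : 'no'));
}
```

Run with `php referer-demo.php` (PHP 7.1 or later for the nullable type hints). Only the first sample passes the host comparison; the second is caught by both the prefix and the host test, and the third passes the prefix test but fails the host test. For an image-serving script like the one Kevin describes, the useful distinction is between `false` (a foreign page) and `null` (no header): denying on `null` would break the page for every employee whose browser or firewall strips the header, which is why the check is a weak signal on top of the LDAP protection rather than a substitute for it.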