Posted by Kevin D. on 02/11/06 01:55

"Skeets" <skillet3232@yahoo.com> wrote in message
news:1139614620.054017.121350@f14g2000cwb.googlegroups.com...
> probably the single worst case scenario is that a bunch of 13 year old
> script kiddies laugh about you being pwn3d by them - and this can last
> a while, too. -lol-
>
> seriously, i think someone else answered your question, but i had to
> get that in there, b/c it does happen.
>
> can a script like this be modified to *know* that the form is being
> sent from one's own site?
>
> <?php
> $host=apache_request_headers();
> if(!eregi('domain.com',$host[Referer])){
> //[...code to download file here...]
> }else{
> //[...code to download alternate file here...]
> }
> ?>
>
> it is a comment on php.net's manual $_server discussion.
>
> iow, is...
>
> $host=apache_request_headers();
> if(!eregi('domain.com',$host[Referer])){
>
> ...spoofable or does it tell you where the page came from 100% of the
> time?
>

how does apache_request_headers differ from the information returned from
the _SERVER superglobal? at least if you're only looking at the hostname...
php documentation doesn't qualify the difference

• Next in forum: Re: PHP Passing Variables Between Pages and Security
• Prev in forum: Re: PHP Passing Variables Between Pages and Security
• Thread view: Re: PHP Passing Variables Between Pages and Security

[Reply to this message]