|
|
Posted by Michael Fesser on 06/16/07 18:35
..oO(Roman)
>Jerry Stuckle wrote:
>>
>> You can't do it at all. HTTP_REFERER can be faked or may not be sent,
>> for instance.
>
>How important is it for anyone to go into trouble to fake it? If OP is
>trying to protect a million bucks, hackers will go to great extent to
>fake it. If he is simply showing or not showing his email address,
>spammers are not going to bother hacking his site to get one more ;)
That's not the point. Many recent browser allow to disable the referrer
sending for privacy, firewalls might filter it out for security. Often
the referrer is not faked - it's simply not there at all.
Relying on it without taking into account an empty referrer is a rather
bad idea. I've seen many websites, who were just naked HTML in the
browser. No CSS, no images. Why? Because the authors used a broken
hotlink-prevention-thingy, based on referrer checking. But all it did
was to prevent me from using their website, so I went away.
Micha
[Back to original message]
|