HTTP_REFERER check fails on remote server

Question

Meonia 0 Newbie Poster

13 Years Ago

Hi,
I'm doing a check against HTTP_REFERER after a simple form is submitted, just as an additional security measure. What's happening is that the check always fails when the script is running on the remote server, but works as intended if I test it on my localhost server.

Here's the simplified code:

if (isset($_POST['submit'])) {
	$referer = getenv("HTTP_REFERER");
	if (strtolower(substr($referer,0,17)) != "http://foobar.com") 
		die("Invalid Referer");

	// else do form processing
}

This always gives "Invalid Referer" even when the substr match is exact - I've echoed the referer to make sure it's what I was expecting, and I've double checked the length for the real referer url used.

If I just change the substring tested to "http://localhost/" and run the script on my localhost server it works properly and this gets past the check:

I can't work out why this isn't working on the remote server - any ideas?

Thanks.

php

3 Contributors
3 Replies
226 Views
7 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by Meonia

sv3tli0 0 Junior Poster in Training

13 Years Ago

try to echo the $referer string before the last check .. See what it will show you

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

eXpertPHP 0 Newbie Poster · Answer 1 · 2011-08-30T01:40:55+00:00

The explanation of $_SERVER from http://php.net/manual/en/reserved.variables.server.php

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

To check if is set, just use:

<?php echo isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'Referer is not set'; ?>

Note: the user may have the abilities to disable/modify referer value from browser/navigator/agent, because referer value is optional, and not a standard/required value.

Meonia 0 Newbie Poster · Answer 2 · 2011-08-30T02:22:21+00:00

Thanks guys. I feel like a complete plank now and found out what was wrong ... you know what it's like when you get so caught up in something you don't spot the obvious!! Because of how I'd been testing things, I realised I wasn't using the www prefix, but was testing as if I was DOH!

I put it down to overwork and lack of sleep!!