Hi,
I'm doing a check against HTTP_REFERER after a simple form is submitted, just as an additional security measure. What's happening is that the check always fails when the script is running on the remote server, but works as intended if I test it on my localhost server.
Here's the simplified code:
    if (isset($_POST['submit'])) {
        $referer = getenv("HTTP_REFERER");
        if (strtolower(substr($referer, 0, 17)) != "http://foobar.com")
            die("Invalid Referer");
        // else do form processing
    }
This always gives "Invalid Referer" even when the substr match is exact - I've echoed the referer to make sure it's what I was expecting, and I've double checked the length for the real referer url used.
If I just change the substring tested to "http://localhost/" and run the script on my localhost server it works properly and this gets past the check:
I can't work out why this isn't working on the remote server - any ideas?
Thanks.
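
An added example, not part of the original post: it compares the parsed host of the Referer instead of a fixed-length prefix, so the result does not depend on string length, scheme or a `www.` prefix. The function name `referer_host_allowed`, the `www.foobar.com` entry and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not the poster's code. referer_host_allowed() and $allowed
// are hypothetical names; foobar.com is the placeholder used in the post.

/**
 * Return true when the Referer header's host is one of the allowed hosts.
 * Only the parsed host is compared, so scheme (http/https), port, path and
 * the exact length of the URL do not affect the result.
 */
function referer_host_allowed(?string $referer, array $allowed): bool
{
    if ($referer === null || $referer === '') {
        return false;                 // header absent (clients and proxies may omit it)
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                 // malformed URL or no host component
    }
    // Host names are case-insensitive; a trailing dot names the same host.
    $host = rtrim(strtolower($host), '.');
    return in_array($host, $allowed, true);
}

$allowed = ['foobar.com', 'www.foobar.com'];   // the "www." variant is an assumption

// Constructed sample values, compared against the post's 17-character prefix test.
$samples = [
    'http://foobar.com/form.php',
    'http://www.foobar.com/form.php',
    'https://foobar.com/form.php',
    'http://foobar.com.example.net/form.php',  // different host, same first 17 characters
    '',
];
foreach ($samples as $referer) {
    $prefix = strtolower(substr($referer, 0, 17)) === 'http://foobar.com';
    $parsed = referer_host_allowed($referer, $allowed);
    printf("%-42s prefix=%-5s host=%s\n",
        $referer === '' ? '(empty)' : $referer,
        var_export($prefix, true), var_export($parsed, true));
}
```

In a form handler the first argument would be `$_SERVER['HTTP_REFERER'] ?? null`. The header is supplied by the client, so this stays the additional measure the post describes rather than the only check on the submission.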