I have read that you shouldn't rely on the $HTTP_REFERER variable to verify that previously-validated data came from the proper page...

However, if you use the getenv() function to acquire this variable, would it be "bulletproof"? By bulletproof, I mean untouchable even from non-browser attacks.

$HTTP_REFERER = getenv('HTTP_REFERER'); // get ref URL

if ( $HTTP_REFERER != 'http://www.domain.com/form.php' )
{
    exit;
}

    That's going to get the variable as a shell environment variable, which is most probably not what you want.

    You CAN do something like this though:

    $HTTP_REFERER = $_SERVER['HTTP_REFERER'];

    Or just always access the variable directly through the special $_SERVER[] array.

    Note that this way only works for PHP >= 4.1.0.

      What is the difference, and is there any difference in security? It seems to work right now... it doesn't look like it returns anything different than just using $HTTP_REFERER alone...

        Well, someone can potentially pass their own HTTP_REFERER variable with a GET, COOKIE, or POST variable, but I don't really think it'll get overwritten.

        I don't see how getenv would possibly work at all, as that's only supposed to grab shell variables. Actually, it looks like I've misunderstood the getenv() function; it gets PHP environment variables. Talk about confusing.

        I'd still use the $_SERVER[] method over calling a separate function, since the $_SERVER variable is already there.

          I agree using $_SERVER is a better option, but I'd rather shoot for compatibility.

          If using just $HTTP_REFERER, a user CAN overwrite that variable using any type of GPC variable. However, if you use the getenv() function, it seems as though the variable cannot be overwritten.
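As an added example (not code from this thread), assuming PHP 7+ with sessions enabled: whichever of the three ways you read the Referer, the value is a header the client sent, so the reliable way to tie a submission to form.php is a per-session token embedded in the form rather than the Referer check.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with sessions.
// All three ways of reading the Referer ($HTTP_REFERER with register_globals,
// getenv('HTTP_REFERER'), $_SERVER['HTTP_REFERER']) return the same
// client-supplied header, so none of them can be "bulletproof"; the
// request is instead tied to a per-session token embedded in the form.
session_start();

// Current way to read the header; used only for logging below.
function referer_from_server(): string {
    return $_SERVER['HTTP_REFERER'] ?? '';
}

// Issue an unguessable token when rendering the form...
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// ...and require the submitted copy to match the stored one (single use).
function validate_form_token(?string $submitted): bool {
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    if ($stored === null || $submitted === null) {
        return false;
    }
    return hash_equals($stored, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render form.php with the hidden token field.
    $t = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="token" value="'
       . $t . '"><input type="submit"></form>';
    exit;
}

// POST: the token decides; the Referer is recorded as a hint, never trusted.
if (!validate_form_token($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('invalid or missing form token');
}
error_log('referer seen: ' . referer_from_server());
echo 'form accepted';
```

Browsers and privacy extensions also strip or blank the Referer on many requests, so a strict Referer match rejects legitimate users as well as forged ones.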
