Using getenv('HTTP_REFERER') for "safety"

MarkB423

I have read that you shouldn't rely on the $HTTP_REFERER variable to verify that previously-validated data came from the proper page...

However, if you use the getenv() function to acquire this variable, would it be "bulletproof"? By bulletproof, I mean untangible even from non-browser attacks.

$HTTP_REFERER = getenv('HTTP_REFERER'); // get ref URL

if ( $HTTP_REFERER != 'http://www.domain.com/form.php' )
{
exit;
}

gid

That's going to get the variable as a shell environment variable, which is most probably not what you want.

You CAN do something like this though:

$HTTP_REFERER = $_SERVER['HTTP_REFERER'];

Or just always access the variable directly through the special $_SERVER[] array.

Note that this way only works for php >= 4.1.0

MarkB423

What is the difference, and is there any difference in security? It seems to work right now... it doesn't look like it returns anything different than just using $HTTP_REFERER alone...

gid

well someone can potentially pass their own HTTP_REFERER variable with a GET, COOKIE, or POST variable, but I don't really think it'll get overwritten.

I don't see how getenv would possibly work at all, as that's only supposed to grab shell variables. Actually, it looks like I've misunderstood the getenv() function, it gets php Environmental variables, talk about confusing.

I'd still use the $SERVER[] method over calling a separate function, since the SERVER variable is already there.

MarkB423

I agree using $_SERVER is a better option, but I'd rather shoot for compatibility.

If using just $HTTP_REFERER, a user CAN overwrite that variable using any type of GPC variable. However, if you use the getenv() function, it seems as though the variable cannot be overwritten.