Hi,

Has anyone ever had this problem? I have a formmail script that uses the $HTTP_REFERER variable to check that the page where the user filled out the form is one of the allowed referers. If it is not, then it gives an error message saying that they were coming from an unauthorized domain (I did not write this script, it was inherited, but I think it is a general formmail script anyway).

Well, there is one group of people (my clients, actually) who get the error message when they fill out the form and submit it. So, I had it email me the environment variables so I could see what 'unauthorized domain' they were coming from - I used $_SERVER["HTTP_REFERER"], $HTTP_REFERER, and get_env("HTTP_REFERER").

When I fill out the form it emails me my environment variables fine - but when THEY do it, it sends an empty string for everything except IP address and browser. It gives an empty string for the referer.

They are using Windows IE, but if I test it on a Windows machine using IE, I do NOT get the error!

It is sooo hard to fix because I can not reproduce the error for the life of me. It is only on their end.

Has anyone ever had this problem before? And if so, how did you fix it?

Thanks so much,
Heather

    Hey,

    Thanks so much! I believe I saw that before too, but I think I just bypassed it because I didn't understand what it was saying :\ By user agent, does it mean the web browser?

    Do you, personally, have any type of checking in the formmail script that you use, for the referer? Or do you not think this is an important thing to check (security-wise)?

    Thanks soo much, I really appreciate it!

    Heather 🙂

      If the script is available for public consumption, always check the referrer. Otherwise you may quickly find your server sending all sorts of things you don't want. Depending on the formmailer.

        But that doesn't make sense! How am I supposed to check the referer if it doesn't always work?
        When I do that, then the ones that DON'T have referer, they can not send the form!
        Are you saying to check it like if (referer != empty string) then { check referer } ? So only check it if it exists?
        Because that is not 100% accurate of course.
        Is that what you do?
        And by user agent does it mean the web browser?

        Thanks.

          The user agent is information that the browser sends to the script. And you are right, you shouldn't ever trust it. It is far too easy to change. I was actually thinking of something else I have put into place for form mailers, but that was different. Sorry for the confusion there...

          I guess the real question is what are you using this for? The danger with public email scripts is that if not done just so, they can give malicious users the ability to use your server to send whatever they want. This is a very bad thing...🙂

            Hey,

            Thanks for the reply. I'm just using the script for a simple contact form on a website.

            What do you, personally, do to check? You must not use referer because it is not dependable. What do you use?

            Thanks!
            Heather

              None of the info you get from the client can be trusted. All of it can be easily altered. If you just properly validate your input, you should be fine. If you are using something like Matt's Form Mailer, you shouldn't...but if it's just some plain old PHP, and you are validating input, there shouldn't be an issue. Sorry to be so confusing earlier...I need more caffeine...😉

                Hey,
                Well I don't validate EVERYTHING, like first name, last name, etc. Is that what you are talking about?

                  Yup. Any time you take in user input, validate it to make sure it is what you are expecting. For example, it might be theoretically possible for someone to enter something in a name field that allows them to alter the recipient of the email addy. Depending on how you write your code. So if it's a name, make sure it is [a-z][A-Z] and spaces. Don't allow anything else. I realize that this sounds fairly paranoid (heck, this is fairly paranoid), but personally, I'd rather do the extra work now to make sure everything is safe, rather than try to explain later if something goes horribly wrong...🙂
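The approach the replies above arrive at, written out as an added example (not the inherited script from the thread, and not Matt's Form Mailer): the recipient is fixed in the script, every field is validated against what it is expected to contain, header fields are refused if they contain line breaks, and the Referer is not consulted at all. The field names, the recipient and sender addresses are assumptions; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the thread's inherited script. Field names, the fixed
// recipient and the sender address are assumptions.
const MAIL_TO   = 'contact@example.com';  // fixed server-side, never taken from the request
const MAIL_FROM = 'website@example.com';

// Returns a list of error strings; empty means the submission is acceptable. Each
// field is checked against what is expected, and anything that ends up in a mail
// header is refused if it contains CR or LF, which is what would let a submitter
// append extra headers such as additional recipients.
function validate_contact_form(array $post): array
{
    $errors = [];
    $name = trim($post['name'] ?? '');
    if (!preg_match("/^[A-Za-z][A-Za-z .'-]{0,79}$/", $name)) {
        $errors[] = 'name: letters, spaces, apostrophes and hyphens only';
    }
    $email = trim($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'email: not a valid address';
    }
    $subject = trim($post['subject'] ?? '');
    if ($subject === '' || strlen($subject) > 120 || preg_match('/[\r\n]/', $subject)) {
        $errors[] = 'subject: 1 to 120 characters on a single line';
    }
    $message = $post['message'] ?? '';
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message: 1 to 5000 characters';
    }
    return $errors;
}
// Only validated values reach here. The submitter's address goes in Reply-To, not
// From, so the server never sends mail claiming to come from their domain.
function build_mail(array $post): array
{
    $headers = 'From: ' . MAIL_FROM . "\r\n" . 'Reply-To: ' . trim($post['email']) . "\r\n";
    $body    = 'Name: ' . trim($post['name']) . "\n\n" . $post['message'];
    return [MAIL_TO, trim($post['subject']), $body, $headers];
}
// The Referer is not consulted: as the thread found, some browsers and proxies
// simply do not send it, so it can neither be relied on nor trusted.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $errors = validate_contact_form($_POST);
    if ($errors !== []) {
        http_response_code(400);
        echo 'Please correct: ' . htmlspecialchars(implode('; ', $errors));
        exit;
    }
    [$to, $subject, $body, $headers] = build_mail($_POST);
    mail($to, $subject, $body, $headers);
    echo 'Thanks, your message was sent.';
}
```

A submission whose name or subject contains a line break is rejected before it ever reaches mail(), which is the case the last reply is warning about.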
