HTTP_REFERER turned off?

software development


Maybe one of the Dreamhost gurus can help here…I had an email form I built that checked the referring page by using $_SERVER[“HTTP_REFERER”]. It’s not working and when I did print_r($_SERVER), I don’t even see http_referer as an array element.

Did Dreamhost turn this off? I believe it was working when I originally implemented it, but I hadn’t checked for a while.

If anyone has a good alternative, I’d appreciate it. I don’t want spammers hacking my email!



I’ve just joined but I think it’s to do with the PHP running as CGI.

If you goto your panel, then Domains->Web->Edit Domain and uncheck the “Run PHP as CGI?” it should work. This is the link next to the Kbase beside the checkbox


I don’t think that’s it. I was using HTTP_Referer before and it worked (after I turned PHP-CGI on). Also, I can’t turn PHP off as a CGI because I need to be able to upload images via a web interface and so far as I know the only way to do that on Dreamhost is to run PHP as a CGI.


You can upload files using PHP. Have a look at

They work as long as your directory is set as 777 which is dangerous but if your scripts need this $_SERVER and it works with/without the CGI running then this would be an alternative.
Sorry I can’t help more, but I’ve lost my script that handles uploaded files :frowning:

EDIT: Of course, this was on my old host, which didn’t have this sort of CGI thing running… DH seems pretty unique in some of the options it gives. Takes some getting used to this o.O


In the scheme of things, I’d rather have the directory not set as 777 if it’s dangerous. I’m using basic authentication to protect the upload interfaces, but I have no illusions that a hacker could probably figure out how to get past that fairly easily.

I was using HTTP_Referer to authenticate which page a user was coming from before running my email script, though after doing more research it appears http_referer isn’t very secure either and can be spoofed. I was trying to prevent someone from automatically sending spam email from our email form.

I’d welcome any suggestions on making the mail form more secure.

Thanks for your help, and welcome to the team!


A long winded way is maybe have a random string of characters and numbers inserted into a table on a database.
When a user clicks Create New/Reply, a value is put into the database and output into a hidden field on the create message screen. When they click submit, it checks to see if there is a value and if it’s a valid id in the table. If not then it might be a spammer. You could get it to delete any ids that haven’t been active for xxx minutes by having a timestamp field for each id.
I use a slightly different method on my site. Everyone is given a session_id and this is put in my chatbox form (since this is something people can spam a lot). If it’s not a valid session id it’s rejected, or if they’ve posted too many messages in one minute for example, it stops them.


Check into the is_uploaded_file() thing. I’m pretty sure you have to use PHP running as a CGI on Dreamhost and CGI is the Dreamhost recommended method (it says so right by the CGI checkbox :P).

I may end up using sessions. I had considered it already, but I’ve got other development I have to tackle first. Sending ids to the database seems kludgy.

Again, thanks for the help!


FYI - Some antivirus programs (for instance, Norton Internet Security) disable http_referer. Since these programs are increasingly prevalent, the recommended solution is to use sessions or an alternate method to check which page users are coming from.

Hopefully this will help someone else. :slight_smile: