HTTP_REFERER turned off?
12-12-2004, 02:15 PM
Post: #1
Maybe one of the Dreamhost gurus can help here... I had an email form I built that checked the referring page by using $_SERVER["HTTP_REFERER"]. It's not working and when I did print_r($_SERVER), I don't even see http_referer as an array element.

Did Dreamhost turn this off? I believe it was working when I originally implemented it, but I hadn't checked for a while.

If anyone has a good alternative, I'd appreciate it. I don't want spammers hacking my email!

Thanks...
Crim
12-14-2004, 06:31 AM
Post: #2
I've just joined but I think it's to do with the PHP running as CGI.

If you go to your panel, then Domains->Web->Edit Domain and uncheck the "Run PHP as CGI?" it should work. This is the link next to the Kbase beside the checkbox:

https://panel.dreamhost.com/kbase/?area=2933
12-14-2004, 08:15 AM
Post: #3
I don't think that's it. I was using HTTP_Referer before and it worked (after I turned PHP-CGI on). Also, I can't turn PHP off as a CGI because I need to be able to upload images via a web interface and so far as I know the only way to do that on Dreamhost is to run PHP as a CGI.
12-14-2004, 08:22 AM
Post: #4
You can upload files using PHP. Have a look at

http://uk2.php.net/manual/en/function.is...d-file.php
and
http://uk2.php.net/manual/en/function.mo...d-file.php

They work as long as your directory is set as 777 which is dangerous but if your scripts need this $_SERVER and it works with/without the CGI running then this would be an alternative.
Sorry I can't help more, but I've lost my script that handles uploaded files :(

EDIT: Of course, this was on my old host, which didn't have this sort of CGI thing running... DH seems pretty unique in some of the options it gives. Takes some getting used to this o.O
12-14-2004, 08:44 AM
Post: #5
In the scheme of things, I'd rather have the directory not set as 777 if it's dangerous. I'm using basic authentication to protect the upload interfaces, but I have no illusions that a hacker could probably figure out how to get past that fairly easily.

I was using HTTP_Referer to authenticate which page a user was coming from before running my email script, though after doing more research it appears http_referer isn't very secure either and can be spoofed. I was trying to prevent someone from automatically sending spam email from our email form.

I'd welcome any suggestions on making the mail form more secure.

Thanks for your help, and welcome to the team!
12-14-2004, 08:49 AM
Post: #6
A long-winded way is maybe have a random string of characters and numbers inserted into a table on a database.
When a user clicks Create New/Reply, a value is put into the database and output into a hidden field on the create message screen. When they click submit, it checks to see if there is a value and if it's a valid id in the table. If not then it might be a spammer. You could get it to delete any ids that haven't been active for xxx minutes by having a timestamp field for each id.
I use a slightly different method on my site. Everyone is given a session_id and this is put in my chatbox form (since this is something people can spam a lot). If it's not a valid session id it's rejected, or if they've posted too many messages in one minute for example, it stops them.
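
The hidden-field token and per-session posting limit described in post #6, written in PHP with the token kept in the session instead of a database table. This is an added example, not code from any poster in the thread; the function names, session keys and limits are assumptions.

```php
<?php
// Added example, not code from the thread. Names and limits are assumptions.
const TOKEN_TTL   = 900; // seconds a form token stays valid
const MAX_SENDS   = 3;   // submissions allowed per session per window
const SEND_WINDOW = 60;  // rate-limit window in seconds

// Rendering the form: store a random token in the session and return it
// for the hidden field. Pass $_SESSION after session_start().
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_tokens'][$token] = $now; // token => time issued
    return $token;
}

// Handling the POST: true only if the token was issued to this session,
// has not expired or been used, and the session is under the rate limit.
function accept_submission(array &$session, string $token, int $now): bool
{
    // Expire old tokens (the timestamp clean-up described in the post).
    $session['form_tokens'] = array_filter(
        $session['form_tokens'] ?? [],
        fn(int $issued): bool => $now - $issued <= TOKEN_TTL
    );
    if ($token === '' || !isset($session['form_tokens'][$token])) {
        return false; // never issued, expired, or already used
    }
    unset($session['form_tokens'][$token]); // single use: replays fail

    // Keep only send times inside the window, then enforce the limit.
    $session['sent'] = array_filter(
        $session['sent'] ?? [],
        fn(int $sent): bool => $now - $sent < SEND_WINDOW
    );
    if (count($session['sent']) >= MAX_SENDS) {
        return false; // too many messages from this session
    }
    $session['sent'][] = $now;
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION.
$session = [];
$token = issue_form_token($session, 1000);
var_dump(accept_submission($session, $token, 1010));   // first use of an issued token
var_dump(accept_submission($session, $token, 1011));   // same token replayed
var_dump(accept_submission($session, 'forged', 1012)); // value never issued
```

The token shows that a submission followed a form load in the same session, which the Referer header cannot establish; the per-session limit caps volume from any one session.
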
12-14-2004, 09:05 AM
Post: #7
Check into the is_uploaded_file() thing. I'm pretty sure you have to use PHP running as a CGI on Dreamhost and CGI is the Dreamhost recommended method (it says so right by the CGI checkbox :P).

I may end up using sessions. I had considered it already, but I've got other development I have to tackle first. Sending ids to the database seems kludgy.

Again, thanks for the help!
12-21-2004, 07:49 AM
Post: #8
FYI - Some antivirus programs (for instance, Norton Internet Security) disable http_referer. Since these programs are increasingly prevalent, the recommended solution is to use sessions or an alternate method to check which page users are coming from.

Hopefully this will help someone else. :)