  1. #1
    Hi,

    I'm encountering a problem with the 'verify referrer' in Jack's Formail.php, and I can't see why on earth this is not working.

    From the instruction: By placing lumbroso.com in the referers array, this also allows http://www.lumbroso.com, ftp.lumbroso.com, lumbroso.com/dir/file/, any other http address with lumbroso.com in it and lumbroso.com's IP (216.64.145.194) address to access this script as well, so no users will be turned away.

    Syntax: $referers = ('lumbroso.com','216.64.145.194');

    Well, when I add my domain as instructed, it always comes up that I'm "sending from an unauthorised domain". I'm sure the script can't be bugged as it's so widely used. Therefore, does anyone know what's causing this to happen? I need this security, so I would like to sort it out.

    Here's the relevant code:


    // referers.. domains/ips that you will allow forms to
    // reside on.
    $referers = array('chillisauce.co.uk');

    // function to check the referer for security reasons.
    // contributed by some one whose name got lost.. Thanks
    // goes out to him any way.
    // (print_error() is defined elsewhere in FormMail.php.)
    function check_referer($referers) {
        if (count($referers)) {
            $found = false;
            // Split the Referer URL on "/": element 2 is the host part,
            // e.g. "www.example.com" (or "host:port") for
            // "http://www.example.com/form.html".
            $temp = explode("/", getenv("HTTP_REFERER"));
            $referer = $temp[2];
            // Exact, case-sensitive comparison against each allowed entry.
            for ($x = 0; $x < count($referers); $x++) {
                if ($referers[$x] == $referer) {
                    $found = true;
                }
            }
            if (!$found) {
                print_error("You are coming from an <b>unauthorized domain.</b>");
                error_log("[FormMail.php] Illegal Referer. (" . getenv("HTTP_REFERER") . ")", 0);
            }
            return $found;
        } else {
            return true; // Not a good idea: if empty, it will allow it.
        }
    }

    if ($referers)
        check_referer($referers);


    Thanks in advance!


  2. #2
    This is the key part: it takes the 3rd part of the referer,
    i.e. for http://www.peter.com it would take www.peter.com. So, you must use "www.chillisauce.co.uk":

    if ($referers[$x] == $referer) {
        $found = true;
    }

    To modify it so it is a little less secure, but accepts just domains, you could use..

    // stristr(haystack, needle): matches when the allowed entry contains the referer host.
    if (stristr($referers[$x], $referer)) {
        $found = true;
    }

    but as I say, this would mean a referer of 'sauce.co.uk' would be able to use the script.
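Added example (not from the thread and not FormMail.php's own code), run against constructed Referer values, to show why the exact comparison in the posted check_referer() rejects a www. host, what the loosened stristr() check in reply #2 actually matches (PHP's stristr() takes the haystack first, so as written it tests whether the allowed entry contains the referer host), and a domain-suffix match that accepts the bare domain and its subdomains without those substring side effects. The function names, the sample Referer values and the hostile lookalike hostname are this example's own; it needs PHP 7 or later.

```php
<?php
// Added example: three ways of matching the Referer host against an
// allow-list, run over constructed sample Referer headers.

// Mirrors the posted script: third "/"-separated piece of the Referer,
// which is "host" or "host:port". Returns '' when there is no such piece
// (empty or malformed header).
function referer_host_posted(string $referer): string
{
    $parts = explode('/', $referer);
    return $parts[2] ?? '';
}

// Safer: let parse_url() pull out the host (port dropped) and normalise
// case. Returns '' when the header is absent or unparseable, which then
// fails every match below.
function referer_host(string $referer): string
{
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

// 1. Exact comparison, as in the posted check_referer().
function allowed_exact(array $referers, string $host): bool
{
    return in_array($host, $referers, true);
}

// 2. The loosened check from reply #2, with stristr() arguments in the
//    order given there: haystack = allowed entry, needle = referer host.
//    (Empty needle guarded: PHP 8 would treat it as a match.)
function allowed_stristr_posted(array $referers, string $host): bool
{
    foreach ($referers as $allowed) {
        if ($host !== '' && stristr($allowed, $host) !== false) {
            return true;
        }
    }
    return false;
}

// 3. Domain-suffix match: the host is the allowed domain itself or ends
//    in ".<domain>". Neither "sauce.co.uk" nor the hypothetical lookalike
//    "chillisauce.co.uk.example" passes.
function allowed_suffix(array $referers, string $host): bool
{
    if ($host === '') {
        return false;
    }
    foreach ($referers as $allowed) {
        $allowed = strtolower($allowed);
        if ($host === $allowed) {
            return true;
        }
        $tail = '.' . $allowed;
        if (strlen($host) > strlen($tail) && substr($host, -strlen($tail)) === $tail) {
            return true;
        }
    }
    return false;
}

$referers = ['chillisauce.co.uk'];

// Constructed sample Referer headers (no live requests involved).
$samples = [
    'http://www.chillisauce.co.uk/contact.html',   // www. host: the poster's case
    'http://chillisauce.co.uk/contact.html',       // bare domain
    'http://chillisauce.co.uk:8080/contact.html',  // host:port
    'http://sauce.co.uk/form.html',                // reply #2's caveat
    'http://chillisauce.co.uk.example/form.html',  // hypothetical lookalike host
    '',                                            // header stripped or absent
];

printf("%-45s %-7s %-8s %-7s\n", 'Referer', 'exact', 'stristr', 'suffix');
foreach ($samples as $ref) {
    $host = referer_host($ref);
    printf("%-45s %-7s %-8s %-7s\n",
        $ref === '' ? '(none)' : $ref,
        allowed_exact($referers, referer_host_posted($ref)) ? 'yes' : 'no',
        allowed_stristr_posted($referers, $host) ? 'yes' : 'no',
        allowed_suffix($referers, $host) ? 'yes' : 'no');
}
```

Run it with the php CLI. Only the suffix match accepts both www.chillisauce.co.uk and chillisauce.co.uk while rejecting sauce.co.uk; the exact check also fails on a host:port value because the posted script never strips the port. Whichever variant is used, remember that Referer is set by the client: anyone scripting requests can send whatever value passes, and many browsers, proxies and privacy extensions omit the header entirely, which is why an empty value should be rejected (or handled deliberately) rather than silently passed. The check keeps other sites from hosting your form; it is not an authentication boundary.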


  3. #3
    Thanks for the help with that!

