[nycphp-talk] javascript calling php function
Guilherme Blanco
guilhermeblanco at gmail.com
Fri Feb 22 09:34:19 EST 2008
Just one point...
NEVER trust HTTP_REFERER.
You can change the HTTP_REFERER in a simple curl request.
I didn't read the thread entirely, but suggesting that a user check the
referer is never a good thing.
Regards.
On Fri, Feb 22, 2008 at 11:30 AM, csnyder <chsnyder at gmail.com> wrote:
> On Fri, Feb 22, 2008 at 4:13 AM, inforequest <1j0lkq002 at sneakemail.com> wrote:
> >
> > Just a warning that if possible your tracking script should limit its
> > function to your known intended destinations else fail or whatever.
> > Don't leave it "open" or you may find your site being utilized by others
> > as a general purpose redirect proxy, often for less-than-honorable purposes.
> >
> > -=john
> >
>
> I was wondering about this, actually, but I also figured there must be
> a bajillion other open redirect scripts out there.
>
> Shouldn't it be okay to limit it to requests with a valid HTTP-REFERER
> header? In other words, the redirect only works if the user clicked a
> link on your site, not by following a link from some other site.
>
>
> --
> Chris Snyder
> http://chxo.com/
>
>
--
Guilherme Blanco - Web Developer
CBC - Certified Bindows Consultant
Cell Phone: +55 (16) 9166-6902
MSN: guilhermeblanco at hotmail.com
URL: http://blog.bisna.com
São Carlos - SP/Brazil
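
An added example, not part of the original thread: a redirect handler that enforces the "known intended destinations" limit from the quoted message with a host allowlist and never consults the Referer header. The host names, the `to` parameter and both function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Allowlisted hosts are placeholders.
const ALLOWED_HOSTS = ['www.example.com', 'partner.example.org'];

// Return $url if it is an absolute http(s) URL on an allowlisted host, else null.
function safe_redirect_target(string $url, array $allowedHosts): ?string
{
    // Control characters, spaces and backslashes are parsed differently by
    // browsers and by parse_url(), so reject them outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-relative ("//host/") or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // javascript:, data:, ftp: and so on
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo can disguise the real host
    }
    // Exact host match only: no suffix or substring comparison.
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $url : null;
}

// Decide the response from the query string alone. $_SERVER['HTTP_REFERER']
// is client-supplied and is deliberately not part of the decision.
function handle_redirect(array $get, array $allowedHosts): array
{
    $to = is_string($get['to'] ?? null) ? $get['to'] : '';
    $target = safe_redirect_target($to, $allowedHosts);
    return $target === null ? [400, null] : [302, $target];
}

if (PHP_SAPI !== 'cli') {
    [$status, $location] = handle_redirect($_GET, ALLOWED_HOSTS);
    http_response_code($status);
    if ($location !== null) {
        header('Location: ' . $location);
    }
} else {
    // Constructed sample inputs, run from the command line.
    $samples = ['https://www.example.com/page', '//other.test/', 'https://www.example.com@other.test/',
                'https://www.example.com.other.test/', 'javascript:alert(1)'];
    foreach ($samples as $u) {
        printf("%-40s %s\n", $u, safe_redirect_target($u, ALLOWED_HOSTS) === null ? 'reject' : 'allow');
    }
}
```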