Referer check

Hi

Good to hear from the corporate world...fairly rare in this game! Most
customers are freelance web designers or solo website operators.

Turn it off. No security issues. Only issue is spam, which the other parts
of the script can deal with.

Best wishes.

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!

----- Original Message -----
Sent: Wednesday, October 21, 2009 2:06 PM
Subject: RE: referrer check


Hi Charles,

Well...this time is the infrastructure guys...they changed the server
settings and didn't realize it caused the forms to stop working...then they
are telling me it's a code issue...welcome to the corporate world...
Anyways...the port number is only present in the HOST and not in the REFERRER
part. That is why the mess happened.
So....basically turning check referrer off will do the trick but is it
advisable from a security standpoint?
Sorry to be your PITA client.

Cheers!

-----Original Message-----
Sent: Tuesday, October 20, 2009 5:22 PM
Subject: Re: referrer check

Hi

Good to hear from you, hope you're well, hope the security guys aren't
bugging you too much!

Have you tried that code? Does it work? Without testing it...is the first
part of $_SERVER['HTTP_HOST'] the port number? If it is, the port number
would also need to be in $_SERVER['HTTP_REFERER']...is it?

Should be fine. At the very worst, a message would be submitted to your
script that didn't originate from your site. Referrer (referer) headers can
easily be forged, so the referrer check isn't a huge tool against spammers,
it's just one of several that combine to combat some spam. It's therefore
easy to pretend the message came from your site.

It's not a problem though. The script is written with this in mind, i.e.
that a spammer or other attacker can get a message through to the script.
It is for processing publicly available forms after all, it's meant to
receive submissions. Therefore, ANY input is checked regardless of where it
came from, or claimed to come from, and the other features in the script
would block anything malicious.

Bear in mind, as far as spam is concerned, you can't really stop it. The
whole point of a contact form is to contact you, so they will!! The
security side of things is very simple. There is nothing that can be
submitted to the script that will compromise the server it is on (there was
that business of running <script> code on the form page, but that would only
affect the attacker's computer, so virtually a pointless exercise).

Any questions, just let me know.

Best wishes.

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!

----- Original Message -----
Sent: Tuesday, October 20, 2009 8:29 PM
Subject: referrer check


Hi Charles,

Ok...they figured out what the issue with the referrer was...they
changed something at server level that has the host output the port
number which conflicts with the referrer name.....
Fine and dandy, but now they want me to change the referrer check on the
script to:
// Check referrer.
if($check_referrer)
{
    // Drop any ":port" suffix from the Host header before comparing.
    $HTTP_HOST=explode(":", $_SERVER['HTTP_HOST']);
    if(!(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])
        && stristr($_SERVER['HTTP_REFERER'],$HTTP_HOST[0])))
    {
        $errors[] = "You must enable referrer logging to use the form";
    }
}

My question to you is...is this secure?? I don't want to add stuff to
the script that is not secure otherwise we will be in big doo-doo with
the security guys....

Thank you,
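The check posted above looks for the bare host name as a substring anywhere in the Referer, and, as Charles points out, the header is client-supplied and trivially forged, so it is only a weak spam filter either way. As an added example (not FormToEmail's own code), here is a stricter form of the same check that parses the Referer and compares only its host component, ignoring any port, against an explicitly configured host; `$expected_host` and `referer_matches_host()` are names assumed for this example.

```php
<?php
// Added example, not part of the FormToEmail script. It parses the Referer
// and compares only its host component to a configured host name, so a port
// on either side is ignored and lookalike hosts such as
// "www.example.com.attacker.test" do not pass a substring-style match.

/**
 * True when $referer is an absolute URL whose host equals $expectedHost
 * (case-insensitive), regardless of scheme or port on either value.
 */
function referer_matches_host(?string $referer, string $expectedHost): bool
{
    if ($referer === null || $referer === '') {
        return false; // header absent: many browsers and proxies strip it
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // not a parseable absolute URL
    }
    // Normalise the configured value the same way so "host:8443" or an
    // IPv6 literal with a port compares correctly.
    $expected = parse_url('http://' . $expectedHost, PHP_URL_HOST);
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    return strcasecmp($host, $expected) === 0;
}

// Configure the form's host explicitly rather than deriving it from
// $_SERVER['HTTP_HOST'], which the client also controls.
$expected_host  = 'www.example.com';   // constructed placeholder value
$check_referrer = true;
$errors         = [];

if ($check_referrer) {
    $referer = $_SERVER['HTTP_REFERER'] ?? null;
    if (!referer_matches_host($referer, $expected_host)) {
        $errors[] = "You must enable referrer logging to use the form";
    }
}

// Constructed inputs illustrating the cases discussed in the thread.
var_dump(referer_matches_host('https://www.example.com:8443/contact.html',
                              'www.example.com:8443'));  // port on both sides
var_dump(referer_matches_host('https://www.example.com.attacker.test/x',
                              'www.example.com'));       // lookalike host
var_dump(referer_matches_host('', 'www.example.com'));   // header not sent
```

Even the stricter check only tells you what the client chose to send, so, as the thread says, input validation and the script's other filters still have to do the real work.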