Only allow _POST's from your domain
This small snippet will not allow _POST requests from a 'foreign' domain. It relies on the HTTP_REFERER variable.
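<?php
/**
 * Change 'yourdomain.com' to your domain name, no www.
 * It's best to put this code in a global file (file that is included on all pages)
 * before any other code.
 */
$allowed_domain = 'yourdomain.com';

// Check the request method rather than count($_POST), which is empty for
// POST bodies that are not form-encoded.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST')
{
    // The check only runs when a Referer header was sent; requests without one pass.
    if (!empty($_SERVER['HTTP_REFERER']))
    {
        $referrer_parts = parse_url($_SERVER['HTTP_REFERER']);
        $ref_host = (is_array($referrer_parts) && isset($referrer_parts['host']))
            ? strtolower($referrer_parts['host'])
            : '';

        // Accept the domain itself or any subdomain of it. A plain strpos() match
        // would also accept hosts such as 'yourdomain.com.example.net'.
        $suffix = '.' . $allowed_domain;
        if ($ref_host !== $allowed_domain && substr($ref_host, -strlen($suffix)) !== $suffix)
        {
            http_response_code(403);
            die();
        }
    }
}
?>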
Will this work even if the POST was sent using Curl - where it's also possible to set the referrer?
[ akosiloibe ]
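
The Referer header is supplied by the client, so any non-browser client can send whatever value it likes. The following is an added example, not part of the original snippet, that accepts a POST only when it carries a token stored in the visitor's session; the helper names csrf_token() and csrf_check() and the sample form are hypothetical. It stops a form on another site from posting with the visitor's session, but not a scripted client that first fetches the form itself.

```php
<?php
// Added example, not from the original snippet. csrf_token() and
// csrf_check() are hypothetical helper names.
session_start();

/** Return this session's token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the OS CSPRNG, hex-encoded for use in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only if the submitted token matches the one stored in the session. */
function csrf_check(array $post): bool
{
    $sent  = $post['csrf_token'] ?? '';
    $known = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; reject arrays and empty tokens.
    return is_string($sent) && $known !== '' && hash_equals($known, $sent);
}

// Global include: reject any POST that lacks a valid token.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && !csrf_check($_POST)) {
    http_response_code(403);
    die();
}
?>
<!-- Every form on the site carries the token as a hidden field. -->
<form method="post" action="">
    <input type="hidden" name="csrf_token"
           value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES); ?>">
    <input type="text" name="comment">
    <input type="submit" value="Send">
</form>
```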