Request #9767 Can set environment variables in the query string.
Submitted: 2001-03-15 10:09 UTC Modified: 2004-06-24 17:12 UTC
From: toastyghost_ at hotmail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: Red Hat
Private report: No CVE-ID: None
 [2001-03-15 10:09 UTC] toastyghost_ at hotmail dot com
/* this is a security measure that only permits the display of the page if the referer is within the same domain as the page... if you run it with HTTP_REFERER=HTTP_HOST or a string of the host url in the query string or post a form input object called HTTP_REFERER with value of host url, it produces the same effect as if you had clicked on a link from within the site */

<?
  // With register_globals on, $HTTP_REFERER is read from global scope
  $referer = parse_url($HTTP_REFERER);

  if ($referer['host'] != 'mydomain.com') die('invalid host');
  else { echo '<html>this is my page!!</html>'; }
?>

 [2001-03-15 10:49 UTC] cynic@php.net
this is configurable from php.ini, and described in there:

variables_order = "EGPCS"
; This directive describes the order in which PHP registers
; GET, POST, Cookie, Environment and Built-in variables (G, P,
; C, E & S respectively, often referred to as EGPCS or GPC).
; Registration is done from left to right, newer values override
; older values.

Also, consider turning register_globals off.
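
The registration order quoted from php.ini above, modelled as an added example (not code from the report or from PHP itself), shows when a query-string parameter named HTTP_REFERER reaches the check and when it does not. The function names and the sample request values are constructed for illustration.

```php
<?php
/**
 * Model of the php.ini comment: sources are registered left to right
 * and newer values override older ones. Hypothetical helper, not a PHP API.
 */
function simulate_register_globals(string $order, array $sources): array
{
    $globals = [];
    foreach (str_split($order) as $letter) {
        // array_merge lets the later source win on duplicate string keys
        $globals = array_merge($globals, $sources[$letter] ?? []);
    }
    return $globals;
}

/** The referer check from the report, applied to whichever array it is given. */
function referer_host_ok(array $vars): bool
{
    $host = parse_url($vars['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return $host === 'mydomain.com';
}

// Constructed request 1: the client sends no Referer header, but the
// query string carries a parameter named HTTP_REFERER.
$sources = [
    'E' => [],
    'G' => ['HTTP_REFERER' => 'http://mydomain.com/'],
    'P' => [],
    'C' => [],
    'S' => ['HTTP_HOST' => 'mydomain.com'], // no HTTP_REFERER from the server
];

// register_globals on: nothing in S overrides the G value, so it lands
// in global scope and the check reads it.
$globals = simulate_register_globals('EGPCS', $sources);
var_dump(referer_host_ok($globals));

// register_globals off: the check reads only the server-populated array
// (what $_SERVER holds in PHP 4.1.0 and later), so G is never consulted.
var_dump(referer_host_ok($sources['S']));

// Constructed request 2: a Referer header is present. S is registered
// last under "EGPCS", so it replaces the query-string value.
$sources['S']['HTTP_REFERER'] = 'http://elsewhere.example/page';
$globals = simulate_register_globals('EGPCS', $sources);
var_dump(referer_host_ok($globals));
```

Reading from the server-populated array closes only the parameter-override path; the Referer header itself is still supplied by the client.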
 
Last updated: Wed Jan 15 13:01:29 2025 UTC