php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #9767 Can set environment variables in the query string.
Submitted: 2001-03-15 10:09 UTC Modified: 2004-06-24 17:12 UTC
From: toastyghost_ at hotmail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: Red Hat
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: toastyghost_ at hotmail dot com
New email:
PHP Version: OS:

 

 [2001-03-15 10:09 UTC] toastyghost_ at hotmail dot com
/* this is a security measure that only permits the display of the page if the referer is within the same domain as the page... if you run it with HTTP_REFERER=HTTP_HOST or a string of the host url in the query string or post a form input object called HTTP_REFERER with value of host url, it produces the same effect as if you had clicked on a link from within the site */

<?
  $referer = parse_url($HTTP_REFERER);

  if($referer[host]!='mydomain.com') die ('invalid host');
  else{echo '<html>this is my page!!</html>';
?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-03-15 10:49 UTC] cynic@php.net
this is configurable from php.ini, and described in there:

variables_order = "EGPCS"
; This directive describes the order in which PHP registers
; GET, POST, Cookie, Environment and Built-in variables (G, P,
; C, E & S respectively, often referred to as EGPCS or GPC).
; Registration is done from left to right, newer values override
; older values.

Also, consider turning register_globals off.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 06:01:29 2024 UTC