Colin Johnstone wrote:
> Gidday All,
>
> I have found this subroutine in someone else's program. I need to
> modify it so it will work on my server. I wish to use it to confirm
> that only forms submitted from my Domain will be processed. It's the
> reg ex I don't understand. Can someone help me re-write it?
>
> Is it as simple as substituting $bd_domain for a variable containing
> mydomainname? Our domain is
> "http://www.schools.nsw.edu.au". I'd prefer it if in the re-write we
> assign the domain to be verified to a variable and then put that
> variable in the regex.
>
> sub check_url {
>
>     local($check_referer) = 0;
>
>     if ($ENV{'HTTP_REFERER'}) {
>         if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$bd_domain|i) {
>             $check_referer = 1;
>         }
>     }
>     else {$check_referer = 1;}
>
>     if ($check_referer != 1) { &error('bad_referer') }
> }
>
> Any help appreciated.

Hi Colin.

Yes, it is (almost) that simple. The test

    if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$bd_domain|i)

is ensuring that the 'Referer:' header value is 'http://' or 'https://',
followed by any number of (any character except a slash) followed by the
contents of $bd_domain. You would set this to something like 'nsw.edu.au'
leaving the 'www.schools.' (or any other server) to be matched by the
([^/]*) sub-expression. All character matching is case-insensitive
because of the trailing |i.

However, there is a bug in the original code. Since the dot character
will match any single character in a regular expression, your final code
will also allow things like:

    http://server.nsweedupau

The answer here is to add a \Q metacharacter, which escapes all following
characters so that they are treated literally:

    if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)\Q$bd_domain|i)

and that should do it for you.

The only other thing is that I assume you won't be setting
$check_referer = 1 in both paths through the conditional statement?

HTH,

Rob
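
The difference between the two patterns in this thread, run over a few Referer values (an added example, not code from either poster). The sample values other than the one quoted in the reply are constructed, and match_anchored is a hypothetical stricter variant that goes beyond the thread by pinning the domain to the end of the host name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the accepted domain, held in a variable as the question asks.
my $bd_domain = 'nsw.edu.au';

# Pattern from the original subroutine: each '.' in $bd_domain is a wildcard.
sub match_unescaped {
    my ($ref) = @_;
    return $ref =~ m|https?://([^/]*)$bd_domain|i ? 1 : 0;
}

# Pattern from the reply: \Q makes the contents of $bd_domain literal.
sub match_quoted {
    my ($ref) = @_;
    return $ref =~ m|https?://([^/]*)\Q$bd_domain|i ? 1 : 0;
}

# Hypothetical stricter variant (not from the thread): the scheme must start
# the string, and the host must be the domain itself or a subdomain of it,
# ending at an optional port, a slash, or the end of the value.
sub match_anchored {
    my ($ref) = @_;
    return $ref =~ m{^https?://(?:[^/:@]+\.)?\Q$bd_domain\E(?::\d+)?(?:/|$)}i ? 1 : 0;
}

# Referer values to test. The second is the one quoted in the reply;
# the others are constructed for this example.
my @samples = (
    'http://www.schools.nsw.edu.au/form.html',
    'http://server.nsweedupau',
    'http://nsw.edu.au.example.net/form.html',
    'HTTPS://WWW.SCHOOLS.NSW.EDU.AU:8443/',
);

printf "%-42s %-10s %-7s %s\n", 'Referer', 'unescaped', 'quoted', 'anchored';
for my $ref (@samples) {
    printf "%-42s %-10d %-7d %d\n",
        $ref, match_unescaped($ref), match_quoted($ref), match_anchored($ref);
}
```

The Referer header is supplied by the client and may be absent or set to any value, so a check like this filters stray cross-site form posts rather than authenticating the sender.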