Yes, that's true; that's why I set $check_referer to true if there is no
$ENV{'HTTP_REFERER'}

 
> 
> From: "Fred Sahakian" <[EMAIL PROTECTED]>
> Subject: Re: Check url for form submission
> Date: 12/03/2003 11:34:40
> To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> 
> I may be wrong, but some browsers have problems giving referers properly, causing your
> visitor not to be able to use your CGI.
> 
> 
> 
> >>> "Rob Dixon" <[EMAIL PROTECTED]> 03/10/03 06:52AM >>>
> Colin Johnstone wrote:
> > Gidday All,
> >
> > I have found this subroutine in someone else's program. I need to
> > modify it so it will work on my server. I wish to use it to confirm
> > that only forms submitted from my domain will be processed. It's the
> > regex I don't understand. Can someone help me rewrite it?
> >
> > Is it as simple as substituting $bd_domain for a variable containing
> > mydomainname? Our domain is
> > "http://www.schools.nsw.edu.au". I'd prefer it if in the re-write we
> > assign the domain to be verified to a variable and then put that
> > variable in the regex.
> >
> > sub check_url {
> >
> >     local($check_referer) = 0;
> >
> >     if ($ENV{'HTTP_REFERER'}) {
> >         if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$bd_domain|i) {
> >             $check_referer = 1;
> >         }
> >     }
> >     else {$check_referer = 1;}
> >
> >     if ($check_referer != 1) { &error('bad_referer') }
> > }
> >
> >
> >
> > Any help appreciated.
> 
> Hi Colin. Yes, it is (almost) that simple. The test
> 
>     if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$bd_domain|i)
> 
> is ensuring that the 'Referer:' header value is 'http://' or
> 'https://', followed by any number of (any character except
> a slash) followed by the contents of $bd_domain. You
> would set this to something like 'nsw.edu.au' leaving the
> 'www.schools.' (or any other server) to be matched by the
> ([^/]*) sub-expression. All character matching is
> case-insensitive because of the trailing |i.
> 
> However, there is a bug in the original code. Since the dot
> character will match any single character in a regular
> expression, your final code will also allow things like:
> 
>     http://server.nsweedupau
> 
> The answer here is to add a \Q metacharacter, which escapes
> all following characters so that they are treated literally:
> 
>     if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)\Q$bd_domain|i)
> 
> and that should do it for you.
> 
> The only other thing is that I assume you won't be setting
> $check_referer = 1 in both paths through the conditional
> statement?
> 
> HTH,
> 
> Rob
> 
> 
> 
> 
> 
> 
> -- 
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 

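Added example, not part of the original thread: it compares the original pattern, the `\Q` version, and a stricter check that also anchors the domain to the end of the Referer's host, which goes one step beyond the fix discussed above. The helper `referer_ok`, its `$allow_missing` switch (the missing-Referer policy the replies discuss) and the sample Referer values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): returns 1 if the Referer's host
# is $domain or a subdomain of it, 0 otherwise. $allow_missing is the policy
# for requests that carry no Referer header at all.
sub referer_ok {
    my ($referer, $domain, $allow_missing) = @_;

    return $allow_missing ? 1 : 0
        unless defined $referer && length $referer;

    # Capture only the host; it must be followed by a port, path, query,
    # fragment or the end of the string, so userinfo ('@') is rejected.
    my ($host) = $referer =~ m{\Ahttps?://([a-z0-9.-]+)(?:[:/?#]|\z)}i
        or return 0;

    # \Q...\E makes the dots literal, (?:\A|\.) requires a label boundary
    # before the domain, and \z requires the host to end with it.
    return $host =~ m{(?:\A|\.)\Q$domain\E\z}i ? 1 : 0;
}

my $bd_domain = 'nsw.edu.au';    # value suggested in the thread

# Constructed Referer values; the third is the thread's own example.
my @samples = (
    'http://www.schools.nsw.edu.au/form.html',
    'https://NSW.EDU.AU/',
    'http://server.nsweedupau',
    'http://nsw.edu.au.example.net/',
    'http://notnsw.edu.au/',
);

for my $r (@samples) {
    my $loose   = $r =~ m|https?://([^/]*)$bd_domain|i   ? 1 : 0;  # original
    my $escaped = $r =~ m|https?://([^/]*)\Q$bd_domain|i ? 1 : 0;  # with \Q
    printf "%-42s loose=%d escaped=%d strict=%d\n",
        $r, $loose, $escaped, referer_ok($r, $bd_domain, 0);
}

# The same request without a Referer header, under both policies.
printf "%-42s allow_missing=1: %d  allow_missing=0: %d\n",
    '(no Referer header)',
    referer_ok(undef, $bd_domain, 1), referer_ok(undef, $bd_domain, 0);
```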