Code Comments
I just wanted to share some useful PHP functions that I have written while developing an application.

http://www.cybercomms.org/PHP/utils.inc

The .inc filename is just so it can be viewed, I use .php for include files usually.

~~~~~~~~~~~~~~ utils.php ~~~~~~~~~~~~~~~~
<?php

function isValidPost()
{
    if ( $_SERVER['REQUEST_METHOD'] == 'POST')
    {
        $referer = isset( $_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
        return (( parse_url( $referer, PHP_URL_HOST) == $_SERVER['HTTP_HOST']) &&
                ( parse_url( $referer, PHP_URL_PATH) == $_SERVER['PHP_SELF']));
    }
    else
        return false;
}

function getReferer()
{
    return $_SERVER["HTTP_REFERER"];
}

function getPost( $var)
{
    return (isset( $_POST[ $var]) ? $_POST[ $var] : "");
}

//

function getParam( $param)
{
    return (isset( $_GET[ $param]) ? $_GET[ $param] : "");
}

function getBaseDirectory()
{
    return dirname( $_SERVER['SCRIPT_FILENAME']);
}

function getParamsFromURL( $url)
{
    parse_str( parse_url( $url, PHP_URL_QUERY), $params);
    return $params;
}
?>
"Aaron Gray" <ang.usenet@gmail.com> wrote in message
news:65hqojF2emkj8U1@mid.individual.net...
>I just wanted to share some useful PHP functions that I have written while
>developing an application.
> function getReferer()
> {
> return $_SERVER["HTTP_REFERER"];
> }
Changed to :-
function getReferer()
{
return isset( $_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
}
Nothing like releasing something to find a bug or two :)
Aaron
.oO(Aaron Gray)

>I just wanted to share some useful PHP functions that I have written while
>developing an application.
>
> http://www.cybercomms.org/PHP/utils.inc
>
>The .inc filename is just so it can be viewed, I use .php for include files
>usually.
>
>~~~~~~~~~~~~~~ utils.php ~~~~~~~~~~~~~~~~
><?php
>
>function isValidPost()
>{
>    if ( $_SERVER['REQUEST_METHOD'] == 'POST')
>    {
>        $referer = isset( $_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
>        return (( parse_url( $referer, PHP_URL_HOST) == $_SERVER['HTTP_HOST']) &&
>                ( parse_url( $referer, PHP_URL_PATH) == $_SERVER['PHP_SELF']));
>    }
>    else
>        return false;
>}

With this function I would never be able to post anything on your site.
The HTTP referrer is completely unreliable and should never be used for
things like above. Browsers don't have to send it and firewalls might
filter it out for security reasons.

Micha
"Michael Fesser" <netizen@gmx.de> wrote in message
news:1ce7v35lr9hma8lnqlu7p91ecbt226eu82@4ax.com...
> .oO(Aaron Gray)
>
> With this function I would never be able to post anything on your site.

Right, for the app I am working on I do not want first or third parties posting to the app.

> The HTTP referrer is completely unreliable and should never be used for
> things like above. Browsers don't have to send it and firewalls might
> filter it out for security reasons.

Okay, thanks, is there another method I can use to make sure it was my app posting?

Thanks Micha, good feedback.

Aaron
Aaron Gray wrote:
> "Michael Fesser" <netizen@gmx.de> wrote in message
> news:1ce7v35lr9hma8lnqlu7p91ecbt226eu82@4ax.com...
>
> Right, for the app I am working on I do not want first or third parties
> posting to the app.
>
> Okay, thanks, is there another method I can use to make sure it was my app
> posting?
>
> Thanks Micha, good feedback.
>
> Aaron

Aaron,

Micha is correct. HTTP_REFERER is completely unreliable. Not only will it cause many of your existing users problems, it can be very easily faked and won't stop someone from posting via a third party app.

You could put a random string in a hidden field and in the session. When the form is posted, compare the two numbers.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
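The hidden-field-plus-session check Jerry describes, written out as an added example (this is not Jerry's or Aaron's code and is not part of utils.inc). It assumes PHP 7 or later for random_bytes() and hash_equals(); the constant and function names are illustrative choices.

```php
<?php
// Added example (not from utils.inc): Jerry's hidden-field + session token,
// replacing the referer check in isValidPost(). Assumes PHP 7+ for
// random_bytes() and hash_equals().

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD_NAME  = 'csrf_token';

// Create the per-session random string once; 32 random bytes -> 64 hex chars.
function getCsrfToken()
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// The hidden field to place inside every <form method="post"> the app renders.
function csrfField()
{
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="'
        . htmlspecialchars(getCsrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Replacement for isValidPost(): true only for a POST whose hidden field
// matches the token in this visitor's session. hash_equals() rather than ==
// so the comparison does not leak how many leading characters matched.
function isValidPost()
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    if (empty($_SESSION[CSRF_SESSION_KEY]) || !isset($_POST[CSRF_FIELD_NAME])) {
        return false;
    }
    $submitted = $_POST[CSRF_FIELD_NAME];
    return is_string($submitted)
        && hash_equals($_SESSION[CSRF_SESSION_KEY], $submitted);
}

// Typical page flow: start the session, verify any POST, then render the form.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo isValidPost() ? "Form accepted.\n" : "Rejected: token missing or wrong.\n";
}
echo '<form method="post">' . csrfField()
   . '<input type="submit" value="Save"></form>';
?>
```

Because the token lives in the visitor's own session and is never sent in a header, a browser or proxy that strips HTTP_REFERER no longer locks the user out, while a third-party page cannot read the value it would need to forge the post.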
"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:-KudnXs9eMLhfW7anZ2dnUVZ_vrinZ2d@comcast.com...
> Aaron Gray wrote:
>
> Aaron,
>
> Micha is correct. HTTP_REFERER is completely unreliable. Not only will
> it cause many of your existing users problems, it can be very easily faked
> and won't stop someone from posting via a third party app.

It's HTTP territory I see.

> You could put a random string in a hidden field and in the session. When
> the form is posted, compare the two numbers.

Okay, that would do the job nicely.

Many thanks,

Aaron