Posted on 2006-04-06
Last Modified: 2010-05-18
hi, i have set up a membership system for a website.
everything that updates i.e. add news, update news, edit user profile etc are all verified on a single php page called updated.php
it works by the following:

$last = getenv("HTTP_REFERER");  //get last page

and then using an if statement to check the last page with the page url i.e. if the last page was addnews

if ( $last == "http://localhost/addnews.php") {
then update the database

it all works fine. although i wanted to use the $_SERVER["DOCUMENT_ROOT"] function as opposed to the lanky url that i would have to change when it's uploaded. currently if i set it on my hard drive (localhost)

if ($last == $_SERVER["DOCUMENT_ROOT"]."/addnews.php") {

they will never equate to the same thing because

getenv("HTTP_REFERER") returns 'http://localhost/addnews.php'
$_SERVER["DOCUMENT_ROOT"] returns 'c:\ webroot' and therefore

will never equal the same thing.

will this work when uploaded on to a webserver or am i going around it the wrong way, or should i just leave the lanky link and change it to what ever it should be when it is uploaded?

thanks in advance.
Question by: koston
    LVL 6

    Expert Comment

    FYI, what you are doing will work, but it doesn't provide real security.  Anybody can spoof HTTP_REFERER and some browsers turn it off completely.

    However, this might be what you are looking for:

    $newsPage = 'addnews.php';
    $lastPage = $_SERVER['HTTP_REFERRER'];
    if (basename($lastPage) === $newsPage)  /* The user is good */

    Author Comment

    hey the solution worked, after the spelling corrections hehe.
    I'm totally new to php and so i basically just implemented everything how i would get it working.

    so if i was to alter this method, the only other ways i could see it working is, by using  $_GET['action'] on the

    and then


    would this be a more secure method or do you know an alternative WilliamFrantz?
    LVL 6

    Accepted Solution

    You have to authenticate at the top of each and every protected page.  What you have suggested is a good approach.  You could also make a standard authentication routine and require() it on every page.

    You really want to use cookies and/or session variables so users aren't forced to login over and over.
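
One way to write the standard authentication routine that the accepted solution describes, as an added example that is not part of the original thread. The file name auth.php, the session keys user_id and form_token, the form fields token and action, and the action list are all assumptions made for illustration; it also assumes the forms submit by POST.

```php
<?php
// auth.php (hypothetical name): require() this at the top of every protected page.
declare(strict_types=1);

// Actions updated.php is willing to perform (constructed list for illustration).
const ALLOWED_ACTIONS = ['addnews', 'updatenews', 'editprofile'];

// True only if the server-side session records a logged-in user.
// Assumes the login code stored an integer under 'user_id' (hypothetical key).
function is_logged_in(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Create (once per session) the random token each form embeds as a hidden field.
function form_token(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Decide whether a request may update the database. Returns the action name,
// or null to refuse. Unlike HTTP_REFERER, both checks depend on state held in
// the server-side session, which the client cannot set by editing a header.
function authorize_update(array $session, array $request): ?string
{
    if (!is_logged_in($session)) {
        return null;                       // not authenticated
    }
    $sent     = $request['token'] ?? '';
    $expected = $session['form_token'] ?? '';
    if (!is_string($sent) || !is_string($expected) || $expected === ''
        || !hash_equals($expected, $sent)) {
        return null;                       // form was not issued to this session
    }
    $action = $request['action'] ?? '';
    return in_array($action, ALLOWED_ACTIONS, true) ? $action : null;
}

// In updated.php:
//   session_start();
//   $action = authorize_update($_SESSION, $_POST);
//   if ($action === null) { http_response_code(403); exit; }
```

Each form page (addnews.php and so on) would call form_token($_SESSION) after session_start() and print the result into a hidden token field next to a hidden action field.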

    Author Comment

    yes mate i am using sessions already, oki I'll change it over to the method i suggested and award you the points
