• Madoor
  • Senior Member
  • Offline
  • From: Sweden
  • Registered: 2004-05-31
  • Posts: 124

Topic: confirm_referrer();

I'm using punbb on my homepage and am also using the function "confirm_referrer();" on all my pages. This works fine for me, but some users get the "Bad HTTP REFERER" error, and that is of course not good. Is there some way to make the function work for everyone, or some other way to check if the user has been sent to the page from another homepage or not? Is it safe to run the homepage without the confirm_referrer function? I mean, can't you set up a FORM on another homepage and trick users to delete things on my homepage they didn't want to delete? Is it possible to protect a function where you delete a picture by just visiting a homepage (for example www.blabla.com/delete.php?delete=yes) and not using the confirm_referrer function?

Thanks,
Pontus

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: confirm_referrer();

Madoor wrote:

I mean, can't you set up a FORM on another homepage and trick users to delete things on my homepage they didn't want to delete?

If a user has permission to delete something and you skip the referrer check, that is exactly what can happen. I'm sure it is possible to add different layers of protection, but the referrer check is the method I chose for PunBB.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website