is $_SERVER[‘HTTP_REFERER’] safe?

by

Not like that.

It might not be present. (It might be wrong, some personal firewall packages obfuscate the referer for privacy reasons, violating the HTTP spec along the way)

You should run anything coming from outside your system through htmlspecialchars to guard against XSS attacks (although, IIRC, the referer should never have any dangerous characters in it as they should be URL safe you should keep in the habit of always being cautious).

Browsers come with back buttons though, there is no need to try to duplicate their functionality (especially when, with this, if the user clicks a link marked “back” it doesn’t take them back in their history, so clicking the normal back button will conceptually take them forwards).

More Related Contents:

  1. xss attack on a php page
  2. How can I sanitize user input with PHP?
  3. How can I store my users’ passwords safely?
  4. How do you Encrypt and Decrypt a PHP String?
  5. How to create a secure mysql prepared statement in php?
  6. Simplest two-way encryption using PHP
  7. Two-way encryption: I need to store passwords that can be retrieved
  8. Preventing Directory Traversal in PHP but allowing paths
  9. Secure random number generation in PHP
  10. SQL injections in ADOdb and general website security
  11. PHP MySQLI Prevent SQL Injection [duplicate]
  12. How to fake $_SERVER[‘REMOTE_ADDR’] variable?
  13. Best way to defend against mysql injection and cross site scripting
  14. In a PHP / Apache / Linux context, why exactly is chmod 777 dangerous?
  15. Login without HTTPS, how to secure?
  16. Is it safe to trust $_SERVER[‘REMOTE_ADDR’]?
  17. Which $_SERVER variables are safe?
  18. How to get rid of eval-base64_decode like PHP virus files?
  19. encrypt and decrypt md5
  20. How to sanitze user input in PHP before mailing?
  21. best practice to generate random token for forgot password
  22. How to enable DDoS protection?
  23. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  24. Why should I use $_GET and $_POST instead of $_REQUEST? [duplicate]
  25. How can I determine a file’s true extension/type programmatically?
  26. How to protect my source code when deployed?
  27. Can I serve MP3 files with PHP?
  28. Check if http request comes from my android app
  29. Improve password hashing with a random salt
  30. Why is it considered bad practice to use “global” reference inside functions? [duplicate]

Leave a Comment