function xoops_refcheck($docheck=1)
{
    // FAQ hack: unconditionally pass; every check below becomes unreachable
    return true;#*#DISABLE_REFERER_CHECK#
    $ref = xoops_getenv('HTTP_REFERER');
    if ($docheck == 0) {
        return true;   // caller asked for no check
    }
    if ($ref == '') {
        return false;  // no Referer header at all: reject
    }
    if (strpos($ref, XOOPS_URL) !== 0 ) {
        return false;  // Referer does not start with this site's URL: reject
    }
    return true;
}
This FAQ is too dangerous, isn't it?
Well, I'm not a professional. But, as far as I know, it is very risky to disable the "referrer check", because turning off the check makes web sites more vulnerable to CSRF attacks.
function xoops_refcheck($docheck=1)
{
    $ref = xoops_getenv('HTTP_REFERER');
    if ($docheck == 0) {
        return true;
    }
    if ($ref == '') {
        // return false;  // the very original
        return true;      // hacked code: a missing Referer is allowed through
    }
    if (strpos($ref, XOOPS_URL) !== 0 ) {
        return false;     // a Referer from another site is still rejected
    }
    return true;
}
Instead, the code above is rather safer than the one in the FAQ. Bear in mind, ALL webmasters MUST turn on the "referrer" check so as to protect their sites.
Last but not least, all the thanks go to GIJOE, since this hack was originally introduced by him.
EDITED:
Well... the original code returns "FALSE" when the referrer information is empty. On the other hand, the hacked code returns "TRUE". As a result, it disables the referrer check for those who don't send a referrer.
So this hack is introduced for the convenience of USERS who don't know what a referrer is and what their firewall does.
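As an added example, not code from this thread or from XOOPS itself: a per-session CSRF token check in PHP that can sit beside a referer check, so a user whose firewall strips the Referer header no longer forces the choice between locking them out and letting unverified requests through. XOOPS_URL and the form field name csrf_token are assumptions.

```php
<?php
// Added example, not XOOPS code: a per-session token check that does not rely on
// the browser sending a Referer. XOOPS_URL and the field name 'csrf_token' are assumed.

// Issue the session token; embed it as a hidden field in every state-changing form.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Primary check: the submitted token must equal the session token (constant-time compare).
function csrf_token_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Secondary check: a Referer, when present, must name this site's host and scheme.
// An empty Referer is tolerated here only because the token check above is mandatory.
function referer_same_origin(string $ref): bool
{
    if ($ref === '') {
        return true;
    }
    $site = parse_url(XOOPS_URL);
    $from = parse_url($ref);
    return isset($site['host'], $from['host'])
        && strcasecmp($site['host'], $from['host']) === 0
        && ($site['scheme'] ?? 'http') === ($from['scheme'] ?? 'http');
}

// Gate a state-changing POST behind both checks.
function csrf_request_allowed(): bool
{
    return csrf_token_valid($_POST['csrf_token'] ?? null)
        && referer_same_origin($_SERVER['HTTP_REFERER'] ?? '');
}
```

Call csrf_token() when rendering a form and csrf_request_allowed() before acting on the POST; a forged cross-site request cannot read the session token, so it is rejected whether or not a Referer arrives.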