Copyright © 2005 Holotech Enterprises.
Restricting the Referer
You can control where your Phorm installation can be called from. To do this, set the
variable $PHORM_REFERER in your global configuration file. It
must be set there, not in your form-specific config file. This variable holds
a list of domains and domain/path combinations, separated and enclosed by the |
character. Checking against this list is strictly literal; for example, if
$HTTP_REFERER has mydomain.com and $PHORM_REFERER has www.mydomain.com, they will not match.
To allow access with or without the www, you need to
include both. Only exact matches are allowed through. An example:
$PHORM_REFERER = "|domain1.com|www.domain1.com|www.domain2.com/form1.html|";
This would allow anything from domain1.com or www.domain1.com,
or from form1.html on www.domain2.com. Be aware
that $HTTP_REFERER is set by the visitor's browser, so
someone who knows how can send a false value. Also, some browsers can be set
to not return any value. To allow visitors with no $HTTP_REFERER,
add an extra | character at the end of your list:
$PHORM_REFERER = "|domain1.com|www.domain1.com|www.domain2.com/form1.html||";
Note: Since $PHORM_REFERER is defined
in the global configuration file, $HTTP_REFERER is not checked until after
the file is processed. If you are adding PHP code to your global config file, make sure it
isn't anything that would constitute a security hole if Phorm is being called from an
unauthorized location.
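The matching rules described above, sketched in PHP as an added example that is not Phorm's own code. The function name referer_allowed and the reduction of the Referer URL to "host" and "host/path" candidates are assumptions; the sample Referer values are constructed.

```php
<?php
// Added illustration, not Phorm's source code. referer_allowed() and the way
// the Referer URL is reduced to "host" and "host/path" are assumptions made
// to model the matching rules documented above.

function referer_allowed(string $list, string $referer): bool
{
    // No Referer sent: allowed only when the list has an empty entry,
    // i.e. the extra | that produces "||".
    if ($referer === '') {
        return strpos($list, '||') !== false;
    }

    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host']) || $parts['host'] === '') {
        return false; // unparseable value: treat as not listed
    }

    // Literal comparison: no case folding, no www stripping.
    $candidates = [$parts['host']];
    if (isset($parts['path']) && $parts['path'] !== '/') {
        $candidates[] = $parts['host'] . $parts['path'];
    }
    foreach ($candidates as $entry) {
        // Entries are enclosed by |, so search for the delimited form.
        if (strpos($list, '|' . $entry . '|') !== false) {
            return true;
        }
    }
    return false;
}

$strict  = "|domain1.com|www.domain1.com|www.domain2.com/form1.html|";
$lenient = "|domain1.com|www.domain1.com|www.domain2.com/form1.html||";

// Constructed sample Referer values, one per rule on the page.
$samples = [
    'http://www.domain1.com/contact.html', // listed domain, any page
    'http://www.domain2.com/form1.html',   // listed domain/path entry
    'http://www.domain2.com/other.html',   // same host, path not listed
    'http://domain2.com/form1.html',       // www missing from the host
    '',                                    // browser sent no Referer
];
foreach ($samples as $ref) {
    printf("%-38s strict=%-5s lenient=%s\n",
        $ref === '' ? '(none)' : $ref,
        var_export(referer_allowed($strict, $ref), true),
        var_export(referer_allowed($lenient, $ref), true));
}
```

The check compares only the header string the client supplied, so treat it as a filter on where well-behaved browsers come from rather than as access control.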