[CLUE-Tech] Apache/PHP Brain-Cramp on HTTP_REFERER?

Garey Hoffman ghoffman at sumaato.com
Tue Apr 9 17:13:16 MDT 2002


Yes, PHP and Apache are playing nice together ---- at least it is doing so 
on my installation of PHP 4.1.2 (I just checked it).

I was able to get the variable $HTTP_REFERER to come up using PHP 4.1.2 
only when it was set. For instance, if I go to "test.php" directly, it 
doesn't set $HTTP_REFERER (I turned register_globals On) in any of the 
places you'd think you'd find it. I was able to get it to come up, as 
expected, by writing a little HTML page that contained an href link to 
"test.php". Once I clicked on the link and viewed the list of places that 
HTTP_REFERER is available, the information was in every single expected place.

I don't have an older installation of PHP (pre 4.1.x) to compare the 
behavior against but perhaps there is a difference.


HTH.

---Garey




Here's the source to my "test.php" page:

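<?php
// Display all the places that HTTP_REFERER is
// available with register_globals On in 4.1.2.
// The Referer header is client-supplied, so every value
// is HTML-escaped before it is written to the page.

echo htmlspecialchars($HTTP_REFERER);
echo "<br><br>";

echo htmlspecialchars($GLOBALS['HTTP_REFERER']);
echo "<br><br>";

echo htmlspecialchars($_SERVER['HTTP_REFERER']);
echo "<br><br>";

// Superglobal introduced in PHP 4.1.0
foreach($_SERVER as $key => $value) {
  echo htmlspecialchars("$key => $value") . "<br>";
}

// Everything in global scope (includes the register_globals copies)
echo "<br><br>";
foreach($GLOBALS as $key => $value) {
  echo htmlspecialchars("$key => $value") . "<br>";
}

// Old-style (pre-4.1.0) server variable array
echo "<br><br>";
foreach($GLOBALS['HTTP_SERVER_VARS'] as $key => $value) {
  echo htmlspecialchars("$key => $value") . "<br>";
}
?>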



At 15:49 4/9/2002 -0600, Jed S. Baer wrote:
>On Tue, 09 Apr 2002 14:58:33 -0600
>Garey Hoffman <ghoffman at sumaato.com> wrote:
>
> > Jed,
> >
> > Are you using the latest version of PHP? If so, then the following bit
> > of information could help you out:
> >
> > PHP has recently gone through quite a bit of changes regarding how
> > certain variables are made available. The bottom line is the development
> > team felt it was necessary from a security standpoint (and I personally
> > think they made a wise decision). Beginning with PHP version 4.1.2, the
> > default behavior of the PHP installation is to use a new syntax for
> > calling standard CGI variables and other user-submitted variables. This
> > behavior was introduced in PHP version 4.1.0 but the default behavior
> > was the style that you were used to using up until this latest release.
> >
> > You can 'turn off' this new behavior and use the old style syntax by
> > reading up here:
> >
> > http://www.php.net/manual/en/security.registerglobals.php
> >
> >
> > You can find out more from the FAQ here:
> >
> > http://www.php.net/manual/en/faq.using.php#faq.using.cgi-vars
> >
> > Content from above URL pasted here:
> >
> > -----
> > 12. I'm trying to access one of the standard CGI variables (such as
> > $DOCUMENT_ROOT or $HTTP_REFERER) in a user-defined function, and it
> > can't seem to find it. What's wrong?
> > Environment variables are normal global variables, so you must either
> > declare them as global variables in your function (by using "global
> > $DOCUMENT_ROOT;", for example) or by using the global variable array
> > (ie, "$GLOBALS["DOCUMENT_ROOT"]").
>
>Yes, I read all that stuff.  The example of "global $DOCUMENT_ROOT" would
>apply to $HTTP_REFERER as well, no? My understanding of what I read was
>that if register_globals is on, then these "named" copies of the server
>variables are "global" (in PHP parlance, which is a bad parlance, if you
>ask me).
>
>Further testing, in fact, shows that $HTTP_REFERER is not set even at the
>"file level" scope. And, as I mentioned earlier, using <? phpinfo() ?>
>doesn't reveal it even as an array item. So, clearly, Apache isn't setting
>it, or PHP isn't passing it along. I rather doubt that Apache isn't
>setting it, as it looks to me like that would break lots of mod_env and
>mod_rewrite code (err, wouldn't it?).
>
>BTW, I found the problem with HTTP_POST_VARS - won't go into that one. ;-)
>
>jed
>--
>Fight the CBDTPA: http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html
>
>"Those who expect to reap the blessings of freedom must, like men,
>  undergo the fatigue of supporting it." - Thomas Paine
>_______________________________________________
>CLUE-Tech mailing list
>CLUE-Tech at clue.denver.co.us
>http://clue.denver.co.us/mailman/listinfo/clue-tech
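
Added example, not part of the original thread or either poster's code: one way to read the Referer on current PHP without relying on register_globals, covering the case discussed above where the header is absent on a direct visit. The function names and the sample request arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example; request_referer() and referer_is_same_host() are hypothetical names.

/**
 * Return the Referer header, or null when the client sent none
 * (direct visit, typed URL, bookmark, or a client that strips it).
 * Reads the $_SERVER-style array only, so register_globals is irrelevant.
 */
function request_referer(array $server)
{
    if (!isset($server['HTTP_REFERER']) || !is_string($server['HTTP_REFERER'])) {
        return null;
    }
    $referer = trim($server['HTTP_REFERER']);
    return $referer === '' ? null : $referer;
}

/**
 * True when the Referer's host equals $expectedHost. The header is
 * client-supplied, so treat this as a hint for logging, not access control.
 */
function referer_is_same_host($referer, $expectedHost)
{
    if ($referer === null) {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Constructed sample inputs standing in for $_SERVER on three requests.
$samples = array(
    'direct visit' => array('HTTP_HOST' => 'www.example.com'),
    'link click'   => array('HTTP_HOST' => 'www.example.com',
                            'HTTP_REFERER' => 'http://www.example.com/index.html'),
    'markup value' => array('HTTP_HOST' => 'www.example.com',
                            'HTTP_REFERER' => 'http://other.example/"><i>x</i>'),
);

foreach ($samples as $label => $server) {
    $referer = request_referer($server);
    // Escape before output: the value comes straight from the client.
    $shown = $referer === null ? '(not sent)' : htmlspecialchars($referer, ENT_QUOTES, 'UTF-8');
    $same  = referer_is_same_host($referer, $server['HTTP_HOST']) ? 'yes' : 'no';
    echo "$label: referer=$shown same_host=$same\n";
}
```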



