Fake Referrer

Here is an example of how easy it is to fake the $_SERVER['HTTP_REFERER'] and $_SERVER['HTTP_USER_AGENT'] in PHP. This is a clear example of why you should NOT use these two variables as your only means of validation.

[php]
<?php

// THIS CREATES A FAKE USER AGENT
ini_set('user_agent','My Fake Browser');

// THIS CREATES A FAKE REFERRER

$host = "www.syntax******.info";
$referrer = "www.fake_referrer.com";
$file = "test.php";



$hdrs = array( 'http' => array(

'header' => "accept-language: en\r\n" .

"Host: $host\r\n" .

"Referer: http://$referrer\r\n" .

"Content-Type: text/plain\r\n"

)

);


$context = stream_context_create($hdrs);
$fp = fopen("http://" . $host . "/" . $file, 'r', false, $context);

fpassthru($fp);
fclose($fp);

?>
[/php]