  1. #1
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts

    UA $_SERVER info

    Not directly PHP related, but, will HTTP_ACCEPT_ENCODING and HTTP_ACCEPT_LANGUAGE generally always be set by legitimate UAs, or are there occasions where their absence is normal?

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Not necessarily; I would expect that most browsers do provide these, but I wouldn't really expect it from something external like a webservice or curl. As with any client retrieved information, you cannot trust for 100% certainty that it will be provided to you. These are a couple that I can't see a reason for a typical user overriding, but they are provided for use as "features" and not for requirements.

    I assume you are going for a default locale selection? I've done something similar in the past, so the only real advice I can give you is the normal PHP advice: make sure you have a default to use if the user doesn't provide you with anything, and treat that data as dirty since it is provided by the user. Match it up against something you expect, otherwise use a default. Next to that, let your client override any defaults you've specified (if you are going for a locale auto-detection, let them choose to override it in case they don't actually know German for example).
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
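
The advice in post #2 (default when the header is absent, treat the value as dirty, match it against an expected list, let the user override) as an added example that is not part of the original thread. The function name `pick_locale`, the supported-locale list and the override argument are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. pick_locale(), $supported and the
// override argument are assumed names.

function pick_locale(?string $header, array $supported, string $default, ?string $override = null): string
{
    // An explicit user choice wins, but only if it is a locale we support.
    if ($override !== null && in_array($override, $supported, true)) {
        return $override;
    }
    // Header absent (curl, web services) or implausibly long: use the default.
    if ($header === null || $header === '' || strlen($header) > 256) {
        return $default;
    }
    $best = $default;
    $bestQ = 0.0;
    foreach (explode(',', $header) as $part) {
        // Accept only "tag" or "tag;q=0.8"; malformed entries are skipped.
        $ok = preg_match(
            '/^\s*([A-Za-z]{1,8})(?:-[A-Za-z0-9]{1,8})*\s*(?:;\s*q=([01](?:\.\d{1,3})?))?\s*$/',
            $part,
            $m
        );
        if ($ok !== 1) {
            continue;
        }
        $lang = strtolower($m[1]);
        $q = isset($m[2]) ? min(1.0, (float) $m[2]) : 1.0;
        // The client value is only compared against the allow-list, never used directly.
        if ($q > $bestQ && in_array($lang, $supported, true)) {
            $best = $lang;
            $bestQ = $q;
        }
    }
    return $best;
}

// Constructed sample inputs (not real traffic).
$supported = ['en', 'de', 'fr'];
$samples = [
    'browser'   => ['de-DE,de;q=0.9,en;q=0.8', null],
    'no header' => [null, null],
    'garbage'   => ["../../etc/passwd\r\nX: y", null],
    'override'  => ['de-DE,de;q=0.9', 'en'],
];
foreach ($samples as $label => [$header, $override]) {
    echo $label, ': ', pick_locale($header, $supported, 'en', $override), "\n";
}
```

In a real request the header would come from `$_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? null`, and an override taken from user input should be checked with `is_string()` before it is passed in.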

  • #3
    Senior Coder
    Not doing owt as fancy as locale selection or such. It's more the lack of them in context that I've been noticing. Set up a little logging script recently on an unused test forum I have online, to log certain HTTP vars from registrants due to it becoming a bit of a spammer magnet. Posting and such are disabled so they can't do bugger all once they register, but they don't seem deterred by trifles such as that. Rather than taking it down I thought it would be a prime opportunity to try and analyse any possible patterns. Those two vars above are notable so far due to their absence in 95% of cases, hence wondering what the chances of a legitimate user not supplying them are. I've not done any monitoring of legitimate connections for the vars, (and would prefer not to if possible), hence I personally have no yardstick to measure against.

  • #4
    God Emperor Fou-Lu's Avatar
    Quote, originally posted by MattF:
    Not doing owt as fancy as locale selection or such. It's more the lack of them in context that I've been noticing. Set up a little logging script recently on an unused test forum I have online, to log certain HTTP vars from registrants due to it becoming a bit of a spammer magnet. Posting and such are disabled so they can't do bugger all once they register, but they don't seem deterred by trifles such as that. Rather than taking it down I thought it would be a prime opportunity to try and analyse any possible patterns. Those two vars above are notable so far due to their absence in 95% of cases, hence wondering what the chances of a legitimate user not supplying them are. I've not done any monitoring of legitimate connections for the vars, (and would prefer not to if possible), hence I personally have no yardstick to measure against.
    Oh I gotcha. Maybe just search engine indexing services? I wouldn't expect the spiders to provide the encoding or language either, but you never know.

  • #5
    Senior Coder
    Sounds good. They should hopefully be a non-concern with any possible future checks only happening on POST requests and the like.

    Must say, the bot? behaviour seems quite predictably bad up to just, (from a standards, accepted behaviour, viewpoint). Only thing I have found surprising is their lack of filling all fields present in a form. Specifically put a hidden input field in there, (enclosed within comment tags), and that hasn't been touched up to just, so it's either human input or the bots seem to either have some recognitive parsing abilities else they're working from a predefined list of inputs for the forum software in question. Not figured out which it is yet though.
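
The checks discussed in posts #3 to #5, as an added example that is not part of the original thread: record the absence of the two headers on POST requests only, note whether the commented-out trap field was submitted, and write the result as a log line that client-supplied values cannot corrupt. The function names, the trap field name `website_hp` and the log layout are assumptions.

```php
<?php
// Added example, not from the thread. The function names, the trap field
// name "website_hp" and the log layout are assumptions.

function request_signals(array $server, array $post, string $trapField): array
{
    // Score form submissions only: spiders and fetchers issue GETs and may
    // legitimately omit these headers.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [];
    }
    $signals = [];
    foreach (['HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE'] as $key) {
        if (!isset($server[$key]) || trim((string) $server[$key]) === '') {
            $signals[] = 'missing:' . $key;
        }
    }
    // A browser never submits an input that sits inside an HTML comment, so
    // its presence in the POST body means the markup was scraped blindly.
    if (array_key_exists($trapField, $post)) {
        $signals[] = 'trap-field-submitted';
    }
    return $signals;
}

function log_line(array $server, array $signals): string
{
    // json_encode escapes CR/LF and quotes, so client-supplied values cannot
    // forge extra log lines.
    return json_encode([
        'ip'      => $server['REMOTE_ADDR'] ?? '-',
        'ua'      => substr((string) ($server['HTTP_USER_AGENT'] ?? ''), 0, 200),
        'signals' => $signals,
    ], JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed sample requests (not real traffic).
$bot = ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_USER_AGENT' => "x\r\nfake"];
$browser = ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.0.2.20',
            'HTTP_USER_AGENT' => 'Mozilla/5.0',
            'HTTP_ACCEPT_ENCODING' => 'gzip, deflate',
            'HTTP_ACCEPT_LANGUAGE' => 'en-GB,en;q=0.8'];

echo log_line($bot, request_signals($bot, ['user' => 'a', 'website_hp' => 'x'], 'website_hp')), "\n";
echo log_line($browser, request_signals($browser, ['user' => 'b'], 'website_hp')), "\n";
```

As post #2 notes, these headers are features rather than requirements, so the signals are best logged and weighed together rather than used alone to reject a request.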

