View Full Version : UA $_SERVER info



MattF
11-10-2010, 09:52 PM
Not directly PHP related, but, will HTTP_ACCEPT_ENCODING and HTTP_ACCEPT_LANGUAGE generally always be set by legitimate UAs, or are there occasions where their absence is normal?

Fou-Lu
11-11-2010, 05:50 PM
Not necessarily; I would expect that most browsers do provide these, but I wouldn't really expect it from something external like a webservice or curl. As with any client retrieved information, you cannot trust for 100% certainty that it will be provided to you. These are a couple that I can't see a reason for a typical user overriding, but they are provided for use as "features" and not for requirements.

I assume you are going for a default locale selection? I've done something similar in the past, so the only real advice I can give you is the normal PHP advice: make sure you have a default to use if the user doesn't provide you with anything, and treat that data as dirty since it is provided by the user. Match it up against something you expect, otherwise use a default. Next to that, let your client override any defaults you've specified (if you are going for a locale auto-detection, let them choose to override it in case they don't actually know German for example).

MattF
11-11-2010, 06:36 PM
Not doing owt as fancy as locale selection or such. It's more the lack of them in context that I've been noticing. Set up a little logging script recently on an unused test forum I have online, to log certain HTTP vars from registrants due to it becoming a bit of a spammer magnet. Posting and such are disabled so they can't do bugger all once they register, but they don't seem deterred by trifles such as that. :D Rather than taking it down I thought it would be a prime opportunity to try and analyse any possible patterns. Those two vars above are notable so far due to their absence in 95% of cases, hence wondering what the chances of a legitimate user not supplying them are. I've not done any monitoring of legitimate connections for the vars, (and would prefer not to if possible), hence I personally have no yardstick to measure against.

Fou-Lu
11-12-2010, 12:31 AM
Oh I gotcha. Maybe just search engine indexing services? I wouldn't expect the spiders to provide the encoding or language either, but you never know.

MattF
11-13-2010, 05:20 PM
Sounds good. They should hopefully be a non-concern with any possible future checks only happening on POST requests and the like.

Must say, the bot? behaviour seems quite predictably bad up to just, (from a standards, accepted behaviour, viewpoint). Only thing I have found surprising is their lack of filling all fields present in a form. Specifically put a hidden input field in there, (enclosed within comment tags), and that hasn't been touched up to just, so it's either human input or the bots seem to either have some recognitive parsing abilities else they're working from a predefined list of inputs for the forum software in question. Not figured out which it is yet though.
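
The checks discussed in this thread, as an added example that is not code from any poster: it records a missing HTTP_ACCEPT_ENCODING or HTTP_ACCEPT_LANGUAGE and a filled hidden field as signals on POST requests only, and logs them instead of rejecting, since non-browser clients may omit the headers. The field name `website_url`, the function names and the log format are assumptions.

```php
<?php
/** Return the list of bot signals seen on one request (empty for non-POST). */
function registration_signals(array $server, array $post): array
{
    $signals = [];
    // Only form submissions are evaluated; spiders issuing GETs are ignored.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return $signals;
    }
    foreach (['HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE'] as $key) {
        if (!isset($server[$key]) || trim((string) $server[$key]) === '') {
            $signals[] = 'missing_' . strtolower($key);
        }
    }
    // Honeypot (hypothetical field name): no human sees it, so any value,
    // or a non-string such as website_url[]=x, points to automated filling.
    $trap = $post['website_url'] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        $signals[] = 'honeypot_filled';
    }
    return $signals;
}

/** Client-supplied values are dirty: drop control characters and quotes, cap length. */
function clean_for_log(?string $value): string
{
    if ($value === null || $value === '') {
        return '-';
    }
    $value = (string) preg_replace('/[\x00-\x1F\x7F"]/', '', $value);
    return substr($value, 0, 200);
}

function log_line(array $server, array $post): string
{
    $signals = registration_signals($server, $post);
    return sprintf('%s ua="%s" signals=%s',
        clean_for_log($server['REMOTE_ADDR'] ?? null),
        clean_for_log($server['HTTP_USER_AGENT'] ?? null),
        $signals ? implode(',', $signals) : 'none');
}

// Constructed sample requests, not taken from the logs mentioned in the thread.
$browser = ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.0.2.10',
    'HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'HTTP_ACCEPT_ENCODING' => 'gzip',
    'HTTP_ACCEPT_LANGUAGE' => 'en-GB'];
$script = ['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.0.2.77',
    'HTTP_USER_AGENT' => "Bot\r\nforged-entry"];
echo log_line($browser, ['username' => 'alice']), PHP_EOL;
echo log_line($script, ['username' => 'x', 'website_url' => 'http://example.invalid']), PHP_EOL;
```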
