Is this method good/secure enough for showing errors to users? - PHP

I'm developing a website, and due to user input or for other reasons, I need to show some error messages. For this, I have a page named error.php, and I get the error number using $_GET. All error messages are stored in an array.

Example:

header( 'Location: error.php?n=11' ); 

But I don't want the users to enter the error code in the URL and see all the other error messages. To prevent that, I thought I could whitelist the referer page, and only show the error message if the referer is found in my whitelist.

It should be fairly similar to this (haven't tested yet ;) )

<?php
$errorList = array(11 => 'Example message'); // error messages keyed by number (sample entry)
$accept = false;
$allowedReferer = array (0=>'page1.php', 'page2.php');
// The Referer header is sent by the client and may be missing, so check it exists first
if (isset($_SERVER['HTTP_REFERER']) && in_array($_SERVER['HTTP_REFERER'], $allowedReferer )) {$accept = true;}
// Only look up messages that actually exist in the table
if ($accept && isset($_GET['n'], $errorList[$_GET['n']])) { $n=$_GET['n']; echo "Error: " . $errorList[$n]; }

Is this method good enough to avoid the spy-users?

I'm doing this with PHP5

Thanks

RSilva asked Dec 06 '25 06:12


1 Answer

No, it isn't remotely secure: the HTTP Referer header is trivial to spoof, and is not a required header either. I suggest you read this article for an example of exploiting code (written in PHP), or download this add-on for Firefox to do it yourself from the comfort of your own browser.

In addition, your $allowedReferer array should contain full URLs, not just the script name, otherwise the code will also be exploitable from remote referrals, e.g. from

http://www.example.org/page1.php

To summarise: you cannot restrict access to any public network resource without requiring authentication.

David Grant answered Dec 07 '25 21:12
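Since the Referer header cannot be trusted, the usual fix is to never put the error number in the URL at all: the page that detects the problem stores the code in the server-side session and redirects, and error.php reads it back once. This is an added example, not code from the question or the answer; the file name error.php comes from the question, while the session key `error_code` and the sample messages are assumptions.

```php
<?php
// Added example: session-based error hand-off instead of error.php?n=11.
// Each real file would call session_start() before any output; it is called
// once here because both halves are shown in a single script.
session_start();

// --- shared: the message table, indexed by error code ---
$errorList = array(
    11 => 'Your session has expired. Please log in again.',   // constructed sample
    12 => 'The uploaded file is too large.',                  // constructed sample
);

// --- in the page that detects the problem (e.g. page1.php) ---
function redirectToError($code)
{
    // The code lives only in the session, so the user never sees it and
    // cannot try other numbers in the address bar.
    $_SESSION['error_code'] = (int) $code;   // 'error_code' is an assumed key name
    header('Location: error.php');
    exit;                                    // nothing after a redirect should run
}

// --- in error.php ---
function renderError(array $errorList)
{
    // Take the code out of the session and clear it, so reloading error.php
    // or visiting it directly shows nothing specific.
    $code = isset($_SESSION['error_code']) ? $_SESSION['error_code'] : null;
    unset($_SESSION['error_code']);

    // Only codes present in the table are rendered; a missing or unknown
    // code (direct visit, stale session, tampering) gets a generic message.
    if ($code === null || !isset($errorList[$code])) {
        return 'An unknown error occurred.';
    }
    // Escape before output so message text is never interpreted as HTML.
    return 'Error: ' . htmlspecialchars($errorList[$code], ENT_QUOTES, 'UTF-8');
}

echo renderError($errorList);
```

Because the lookup is keyed on a value the server set, no referer check is needed; the whitelist from the question can simply be dropped.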


