I am trying to (somehow) secure an Ajax - PHP connection. using the $_SERVER['HTTP_REFERER'] I need to validate the HTTP_REFERER for two pages as products.php (all products) and product.php (single product). Can I use PHP in_array() to handle this, something like:
$referers = array("https://example.com/products.php", "https://example.com/product.php");
if (isset($_SERVER['HTTP_REFERER']) && in_array($_SERVER['HTTP_REFERER'], $referers))
{
}
If so, how can I handle the dynamic URL parameters with https://example.com/product.php ? for example if I have https://example.com/product.php?sku=96 or https://example.com/product.php?sku=300 this is not gonna work with in_array() as it is different than what are listed in the $referers even though the source are correct.
$_SERVER['HTTP_REFERER'] is not guaranteed to be set and not guaranteed to be the original referer. You might use a session variable:
//products.php and product.php
session_start();
$_SESSION['ref'] = basename(__FILE__);
//other.php
session_start();
$referers = array("products.php", "product.php");
if (isset($_SESSION['ref']) && in_array($_SESSION['ref'], $referers))
{
}
Keep in mind that if you hit the products.php and then another.php and then other.php that $_SESSION['ref'] will still be products.php, so you either want to set it in all files or unset() it in other files.
<?php
$trustedReferers = array("https://example.com/products.php", "https://example.com/product.php");
$referer = '';
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']) {
    $infos = parse_url($_SERVER['HTTP_REFERER']);
    // Rebuild scheme://host[:port]/path so the query string is ignored.
    // The port is only included when the referer actually carried one;
    // otherwise "https://example.com:/products.php" would never match.
    $port = isset($infos['port']) ? ':' . $infos['port'] : '';
    $referer = "{$infos['scheme']}://{$infos['host']}{$port}{$infos['path']}";
}
if (in_array($referer, $trustedReferers)) {
    echo "Trusted referer";
} else {
    echo "Untrusted referer";
}
By the way, I suggest changing the business logic so that it only restricts the domain of the referer. Then the site is easier to maintain.
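As an added example (not code from the question or from either answer above), here is the normalization approach carried through: the referer is reduced to scheme://host[:port]/path with parse_url(), so product.php?sku=96 and product.php?sku=300 both compare equal to the allowed entry, default ports and letter case are normalized, and a missing or malformed header is rejected rather than matched. The function names normalizeReferer() and refererIsAllowed() and the sample values are my own.

```php
<?php
declare(strict_types=1);

/**
 * Reduce a referer URL to scheme://host[:port]/path, dropping the query
 * string and fragment. Returns null when the header is absent or is not an
 * absolute http(s) URL, so the caller treats "no referer" as "not allowed".
 */
function normalizeReferer(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $host = strtolower($parts['host']);

    // Keep the port only when it is not the default one for the scheme,
    // so https://example.com:443/x and https://example.com/x are the same page.
    $port = '';
    if (isset($parts['port'])) {
        $isDefault = ($scheme === 'https' && $parts['port'] === 443)
                  || ($scheme === 'http' && $parts['port'] === 80);
        if (!$isDefault) {
            $port = ':' . $parts['port'];
        }
    }
    $path = $parts['path'] ?? '/';
    return "{$scheme}://{$host}{$port}{$path}";
}

/** True when the referer, after normalization, is exactly one of the allowed pages. */
function refererIsAllowed(?string $referer, array $allowedPages): bool
{
    $normalized = normalizeReferer($referer);
    return $normalized !== null && in_array($normalized, $allowedPages, true);
}

// Allowed pages, written in the same normalized form (no query string).
$allowedPages = [
    'https://example.com/products.php',
    'https://example.com/product.php',
];

// Constructed sample values standing in for $_SERVER['HTTP_REFERER'].
$samples = [
    'https://example.com/product.php?sku=96',       // allowed: query ignored
    'https://example.com/product.php?sku=300',      // allowed: query ignored
    'https://example.com:443/products.php',         // allowed: default port dropped
    'HTTPS://Example.COM/product.php',              // allowed: case normalized
    'https://example.com.evil.example/product.php', // rejected: different host
    'http://example.com/product.php',               // rejected: http, not https
    null,                                           // rejected: header missing
];

foreach ($samples as $sample) {
    printf("%-50s %s\n", var_export($sample, true),
        refererIsAllowed($sample, $allowedPages) ? 'allowed' : 'rejected');
}
```

In the Ajax handler the call is refererIsAllowed($_SERVER['HTTP_REFERER'] ?? null, $allowedPages). Because the header is set by the client, this only filters casual direct calls; a request that must come from your own page needs a per-session CSRF token (or a SameSite cookie) checked server-side, not a referer string.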
I have website link http://example.com/link/
How can I handle if it returns from such as: http://facebook.com
I want to check and process event by something like this:
if(return from facebook) {
}
jQuery or PHP is ok. Thank you for your advice.
You could find the referer in PHP using:
$_SERVER['HTTP_REFERER']
if($_SERVER['HTTP_REFERER'] == 'https://facebook.com'){
}
However, you'd probably want to catch anything from facebook;
// preg_match() needs delimiters around the pattern; the closing
// parenthesis belongs after the preg_match() call, not inside it.
$sReg = '#.facebook.+[a-zA-Z](\/*)#';
if(preg_match($sReg, $_SERVER['HTTP_REFERER']) == 1){
}
Note that HTTP_REFERER isn't a sure way of getting the referrer. Often it'll be missing.
See PHP manual for more info
The solution in JavaScript
if(document.referrer == 'https://facebook.com') {
/* Do somethings */
}
Using Regular Expression:
var myRe = new RegExp('facebook.+[a-zA-Z](\/*)');
if(myRe.test(document.referrer)) {
/* Do somethings */
}
I have a login page that submits to another page while adding a string to the end of the url. Would look something like this 'http://example.com?klc' I know I can use $_SERVER["QUERY_STRING"] to get the string, but now I need to use it in a function to direct the user to a different page, based on the string. This is what I have written in the target file
<?php
$access = $_SERVER["QUERY_STRING"];
function user_admin_redirect($access){
if ($access = "ppl"){
redirect_to("ppl_admin.html");}
else ($access = "klc"){
redirect_to("klc_admin.html");}
}
}
user_admin_redirect($access);
but for some reason the script dies. Any tips would be welcomed. Also, I have the system setup on my website, contact me if you are willing to help I can give you a test login.
$access = $_SERVER["QUERY_STRING"];
function user_admin_redirect($access){
    if ($access == "ppl"){
        redirect_to("ppl_admin.html");
    }
    else if($access == "klc"){
        redirect_to("klc_admin.html");
    }
}
user_admin_redirect($access);
You need to use == and not = when using if
You need to use else if and not just else
I am assuming redirect_to is some custom function that you have written which will redirect you to the mentioned page. If not, you should use header('Location: ' . $location);
I don't think redirect_to is a built-in PHP function.
You might need to use
header("Location:".$myPhpScript);
or you could define redirect_to, like:
function redirect_to($location){
header("Location:".$location);
}
See more here:
php redirect_to() function undefined
How to make a redirect in PHP?
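As an added example, not taken from the question or the answers above, this is how I would write the redirect so that the query string only selects between fixed pages: the marker is looked up in a small allowlist, anything unknown goes to a neutral default, and the script stops right after sending the Location header so nothing below it keeps executing. The names adminPageFor() and the /index.html default are my own assumptions; redirect_to() is defined here because, as the answers say, PHP has no such built-in.

```php
<?php
declare(strict_types=1);

/**
 * Map the marker the login form appends to the URL (?ppl or ?klc) to a fixed
 * target page. Unknown values return null so the caller can choose a safe
 * default instead of redirecting to something derived from client input.
 */
function adminPageFor(string $queryString): ?string
{
    // The targets are fixed strings; the query string never becomes part of a URL.
    $targets = [
        'ppl' => '/ppl_admin.html',
        'klc' => '/klc_admin.html',
    ];
    return $targets[$queryString] ?? null;
}

/** Send the redirect and stop the script; without exit the rest of the page still runs. */
function redirect_to(string $location): void
{
    header('Location: ' . $location, true, 303);
    exit;
}

function user_admin_redirect(string $queryString): void
{
    $target = adminPageFor($queryString);
    if ($target === null) {
        // Empty or unknown marker: neutral page rather than a fatal error.
        redirect_to('/index.html');
    }
    redirect_to($target);
}

// Real use (must run before any output): user_admin_redirect($_SERVER['QUERY_STRING'] ?? '');
// Constructed inputs showing the mapping without sending headers:
foreach (['ppl', 'klc', 'evil.example', ''] as $marker) {
    printf("%-16s -> %s\n", var_export($marker, true), adminPageFor($marker) ?? '(default)');
}
```

The query string is chosen by the client, so it can pick which admin page to land on but it must not be what grants access: each admin page has to check the logged-in session itself.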
I got this "HTTP_referer-script" that checks if a visitor comes from a certain URL (password protected) when entering the site. My problem is that it only seems to work if the visitor comes from the absolute right URL. I.e:
If the user comes from: http://mydomain.com it works fine, but if the user comes from http://www.mydomain.com it won't work.
Is there any way to add a second URL to the HTTP_referer, in this case the same domain but with "www" as well?
<?php
$referrer = $_SERVER['HTTP_REFERER'];
if ($referrer != 'http://mydomain.com/') {
die("You do not have access to this site.");
}
// put your page code here
?>
<h1>Content here</h1>
Thanks a lot!
/a
The contents of $_SERVER['HTTP_REFERER'] are derived from the request the client sends to your webserver. First of all it is important to realize that this information is by no means to be trusted. It is easily faked by the client.
That being said. What you probably want to do is simply check if the domain is part of the $_SERVER['HTTP_REFERER'] string. Because in this case https://domain.com also wouldn't work.
So by your example, use this:
<?php
// Deny when the domain is NOT found (strstr() returns false in that case).
if ( !strstr($_SERVER['HTTP_REFERER'] ?? '', 'mydomain.com') ) {
die("You do not have access to this site.");
}
// put your page code here
?>
<h1>Content here</h1>
This code simply checks if "mydomain.com" is part of the contents of $_SERVER['HTTP_REFERER'].
Do realize this would also mean: http://www.somedomain.com?test=mydomain.com as referer would also match, but it is not very likely you will run into that situation (nor will it probably matter..)
Use in_array in conjunction with array of urls:
if (!in_array($referrer, array('http://mydomain.com/', 'http://www.mydomain.com/'))) {
die("You do not have access to this site.");
}
Put two if statements as follows.
<?php
$referrer = $_SERVER['HTTP_REFERER'];
// The two conditions have to be combined: a referrer can never equal both
// URLs, so two separate if/die statements would reject every visitor.
if ($referrer != 'http://mydomain.com/' && $referrer != 'http://www.mydomain.com/') {
die("You do not have access to this site.");
}
// put your page code here
?>
<h1>Content here</h1>
$url = $_SERVER['HTTP_REFERER'] ?? '';
$allowed = array("hello.com","example2.com");
$ok = false;
foreach ($allowed as $site) {
    // preg_quote() so the dots in the domain are matched literally.
    if (preg_match('#' . preg_quote($site, '#') . '#', $url)) {
        $ok = true;
        break;
    }
}
// Only deny after every allowed site has been tried.
if (!$ok)
    die("You do not have access to this site.");
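An added example that is not part of this question's answers or of the earlier Facebook question: both threads want "did the visitor come from domain X" without tripping over www., http/https or a domain name that merely appears in someone else's query string. Comparing the host component from parse_url() against an allowlist, exact or as a subdomain, handles all of those, where substring or regex matching on the whole URL does not. The names refererHost(), hostMatchesDomain() and cameFromDomain() and the sample values are my own.

```php
<?php
declare(strict_types=1);

/**
 * Lowercase host from a referer URL, or null if the header is missing or is
 * not an absolute URL. Taking only the host means "mydomain.com" inside a
 * query string (?test=mydomain.com) is not treated as a match.
 */
function refererHost(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? strtolower($host) : null;
}

/**
 * True when $host equals one of $allowedDomains or is a subdomain of one:
 * www.mydomain.com matches mydomain.com, but mydomain.com.attacker.example
 * and notmydomain.com do not.
 */
function hostMatchesDomain(string $host, array $allowedDomains): bool
{
    foreach ($allowedDomains as $domain) {
        $domain = strtolower($domain);
        if ($host === $domain) {
            return true;
        }
        $suffix = '.' . $domain;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }
    return false;
}

/** Combined check: pass $_SERVER['HTTP_REFERER'] ?? null in a real request. */
function cameFromDomain(?string $referer, array $allowedDomains): bool
{
    $host = refererHost($referer);
    return $host !== null && hostMatchesDomain($host, $allowedDomains);
}

// Constructed sample referers: [referer, allowed domains, expected result].
$cases = [
    ['http://mydomain.com/',                        ['mydomain.com'], true],
    ['http://www.mydomain.com/',                    ['mydomain.com'], true],
    ['https://mydomain.com/page?x=1',               ['mydomain.com'], true],
    ['http://www.somedomain.com?test=mydomain.com', ['mydomain.com'], false],
    ['http://mydomain.com.attacker.example/',       ['mydomain.com'], false],
    ['http://notmydomain.com/',                     ['mydomain.com'], false],
    ['https://www.facebook.com/',                   ['facebook.com'], true],
    ['https://m.facebook.com/some/post',            ['facebook.com'], true],
    ['https://facebook.com.evil.example/',          ['facebook.com'], false],
    [null,                                          ['facebook.com'], false],
];

foreach ($cases as [$referer, $domains, $expected]) {
    $got = cameFromDomain($referer, $domains);
    printf("%-48s %-9s %s\n", var_export($referer, true),
        $got ? 'match' : 'no match', $got === $expected ? 'ok' : 'MISMATCH');
}
```

For the password-protected-page use case, remember that the client sends this header and may omit or alter it, so the real gate has to be the login session; the referer test is only a convenience for routing visitors.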
I have a problem with the Mobile Detection Script.
There are two scenarios:
First the script should detect if it's a mobile or not. If mobile, then redirect to another page (this works fine).
The second query should determine, if the person is on the root page or not. If it's not the root page, the layout should be the classic one. (no redirection)
But when I add this line there won't be anymore redirection, even if I open the root page on a mobile.
I also tried to destroy the session on the google_mobile.php (redirected page) and set the $_SESSION['layoutType'] = 'mobile', but anyway the session is set to classic when I open the root page.
Thanks for your help!
Here is the script:
session_start();
require_once 'Mobile_Detect.php';
function layoutTypes() {
return array('classic', 'mobile');
}
function initLayoutType() {
// Safety check.
if (!class_exists('Mobile_Detect'))
return 'classic';
$detect = new Mobile_Detect;
$isMobile = $detect->isMobile();
$layoutTypes = layoutTypes();
// Set the layout type.
if (isset($_GET['layoutType'])) {
$layoutType = $_GET['layoutType'];
} else {
if (empty($_SESSION['layoutType'])) {
$layoutType = ($isMobile ? 'mobile' : 'classic');
} else {
$layoutType = $_SESSION['layoutType'];
}
//check if it's the root page
if ($_SERVER['REQUEST_URI'] != "/")
$layoutType = 'classic';
}
// Fallback. If everything fails choose classic layout.
if (!in_array($layoutType, $layoutTypes))
$layoutType = 'classic';
// Store the layout type for future use.
$_SESSION['layoutType'] = $layoutType;
return $layoutType;
}
$layoutType = initLayoutType();
if ($_SESSION['layoutType'] == 'mobile') {
header("Location: www.example.com/google_mobile.php");
exit;
}
I've tested your code, it seems to work as you described. I'd guess it is a session issue.
session_destroy() does not clear your previous session state in the immediate session. That means your $_SESSION would still be "dirty" in a script even if session_destroy() is the first line in it. It's safer to clear cookies from your browser instead.
One other possible problem would be query string. You're checking the REQUEST_URI and it includes any query string on URI. "/?foo=bar" is certainly not "/". You may want to check SCRIPT_NAME (i.e. $_SERVER['SCRIPT_NAME'] == '/index.php') instead.
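To make the query-string point concrete, here is an added example (my own code, not the asker's script or the Mobile_Detect project's): the layout decision is lifted into a function that takes the request data as arguments, and the root-page test compares only the path component of REQUEST_URI, so "/?foo=bar" still counts as root. The function names isRootRequest() and chooseLayoutType() and the sample URIs are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Root-page test on the path component only, so "/" and "/?foo=bar" both
 * count as root while "/about.php" does not.
 */
function isRootRequest(string $requestUri): bool
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    return $path === '/' || $path === '/index.php';
}

/**
 * Pure version of initLayoutType(): the superglobals and the Mobile_Detect
 * result are passed in, so the logic can be exercised with constructed values.
 */
function chooseLayoutType(array $get, array $session, string $requestUri, bool $isMobile): string
{
    $layoutTypes = ['classic', 'mobile'];

    if (isset($get['layoutType'])) {
        // An explicit choice in the URL wins.
        $layoutType = (string) $get['layoutType'];
    } else {
        $layoutType = !empty($session['layoutType'])
            ? (string) $session['layoutType']
            : ($isMobile ? 'mobile' : 'classic');
        // Only the root page may use the mobile layout.
        if (!isRootRequest($requestUri)) {
            $layoutType = 'classic';
        }
    }

    // Fallback for values that are not a known layout (e.g. ?layoutType=foo).
    if (!in_array($layoutType, $layoutTypes, true)) {
        $layoutType = 'classic';
    }
    return $layoutType;
}

// Constructed requests from a mobile client that has no session yet.
$requests = ['/', '/?foo=bar', '/index.php?utm_source=x', '/about.php'];
foreach ($requests as $uri) {
    $rawCheck = ($uri === '/') ? 'root' : 'not root';   // what REQUEST_URI != "/" sees
    $layout   = chooseLayoutType([], [], $uri, true);
    printf("%-26s raw check: %-9s path-based layout: %s\n", $uri, $rawCheck, $layout);
}
```

In the real script the call is chooseLayoutType($_GET, $_SESSION, $_SERVER['REQUEST_URI'], $detect->isMobile()), followed by storing the result in $_SESSION['layoutType']. Two details worth checking in the original: a Location header should carry an absolute URL with a scheme (https://www.example.com/google_mobile.php), since "www.example.com/..." is treated as a relative path; and once a non-root visit has stored 'classic' in the session, later root visits read that value back, so if the root page should keep offering the mobile layout, persist the value from before the non-root override.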
I have url like this http://localhost/join/prog/ex.php
When I use the GET method the URL address looks like this: http://localhost/join/prog/ex.php?name=MEMORY+2+GB&price=20&quantity=2&code=1&search=add
My question is:
So, I still use the GET method, but after the processing in the GET method is finished I want the URL to go back (remove the parameters) to http://localhost/join/prog/ex.php, as previously (not using the POST method). How can I do it?
Put this in your HTML file (HTML5).
<script>
if(typeof window.history.pushState == 'function') {
window.history.pushState({}, "Hide", "http://localhost/join/prog/ex.php");
}
</script>
Or using a backend solution using a session for instance;
<?php
session_start();
if (!empty($_GET)) {
$_SESSION['got'] = $_GET;
header('Location: http://localhost/join/prog/ex.php');
die;
} else{
if (!empty($_SESSION['got'])) {
$_GET = $_SESSION['got'];
unset($_SESSION['got']);
}
//use the $_GET vars here..
}
SIMPLE ANSWER
Just place this in the top of the file you need to make the GET querys disappear from the browser's URL bar after loading.
<script>
if(typeof window.history.pushState == 'function') {
// json_encode() produces a properly quoted JavaScript string; echoing
// PHP_SELF raw inside quotes would let a crafted path break out of the string.
window.history.pushState({}, "Hide", <?php echo json_encode($_SERVER['PHP_SELF'], JSON_HEX_TAG); ?>);
}
</script>
I guess after calling the URL you want to redirect to the file ex.php, but this time without any parameters.
For that, try using the following code in ex.php:
<?php
// Use !empty() so a missing parameter does not raise an undefined-index notice.
if (!empty($_GET['name']) || !empty($_GET['price']) || !empty($_GET['quantity']) || !empty($_GET['code']) || !empty($_GET['search'])) {
/* here the code checks whether the url contains any parameters or not; if yes it will execute the parameter stuff and then get redirected to the page http://localhost/join/prog/ex.php without any parameters */
/* do whatever you wish to do when the parameters are present. */
echo htmlspecialchars($_GET['name'] ?? '');
print htmlspecialchars($_GET['price'] ?? '');
//etc....
$location="http://localhost/join/prog/ex.php";
echo '<META HTTP-EQUIV="refresh" CONTENT="0;URL='.$location.'">';
exit;
}
else{
/* here the rest of the body, i.e. the code to be executed after redirecting or without parameters. */
echo "Hi no parameters present!";
}
?>
Here what you did is just redirect to the same page without checking if any parameter is there in the query string. The code intelligently checks for the presence of parameters; if any parameters are there it will redirect to ex.php, else it will print the "Hi no parameters present!" string!
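As an added example (my own code, not from any of the answers above), here is the session-based variant written out as a single page: the parameters are stashed in the session, the browser is sent a 303 to the same path with the query string stripped, and on the follow-up request the stashed values are read back exactly once. The clean URL is derived from the request path instead of being hard-coded to localhost, and values are escaped before being echoed. The names cleanSelfUrl() and consumeQueryParams() and the session key 'got' are assumptions.

```php
<?php
declare(strict_types=1);

session_start();

/** Path of the current request without its query string, e.g. /join/prog/ex.php. */
function cleanSelfUrl(): string
{
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    return (is_string($path) && $path !== '') ? $path : '/';
}

/**
 * First request (with parameters): stash them and redirect to the clean URL.
 * Second request (no parameters): return the stashed values once, then forget
 * them so a reload of the clean URL does not replay the submission.
 */
function consumeQueryParams(array $get, array &$session): ?array
{
    if ($get !== []) {
        $session['got'] = $get;
        // 303 tells the browser to fetch the clean URL with GET.
        header('Location: ' . cleanSelfUrl(), true, 303);
        exit;
    }
    if (isset($session['got']) && is_array($session['got'])) {
        $params = $session['got'];
        unset($session['got']);
        return $params;
    }
    return null;
}

$params = consumeQueryParams($_GET, $_SESSION);

if ($params === null) {
    echo "Hi no parameters present!\n";
} else {
    // Escape before output: these values were typed by the client.
    foreach (['name', 'price', 'quantity', 'code', 'search'] as $key) {
        if (isset($params[$key])) {
            printf("%s = %s\n", $key, htmlspecialchars((string) $params[$key], ENT_QUOTES, 'UTF-8'));
        }
    }
}
```

Unlike the pushState approach, which only rewrites what the address bar shows after the parameterized request has already been made, the server-side redirect means the page the visitor ends up on was never requested with the parameters in its URL, so they do not appear in that page's referer to other sites or in bookmarks.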
If you're using Apache, consider using a .htaccess file with mod_rewrite.
Here is a quickstart. I think this result can be obtained on IIS as well with the web.config file.
You can use removable_query_args filter for that.
add_filter( 'removable_query_args', function( $vars ) {
$vars[] = 'name';
$vars[] = 'price';
$vars[] = 'quantity';
$vars[] = 'code';
$vars[] = 'search';
return $vars;
} );
But you should add specific conditions for your case, otherwise, it will remove these Get-parameters from all other URLs on your site as well.
More info here