I'm using the following code to restrict traffic to a web site unless it was clicked on from the referral domain. For some reason it doesn't work consistently. Sometimes it restricts the site even though the referral is correct. Have no idea why!
<?php
// This is to check if the request is coming from a specific domain
$ref = $_SERVER['HTTP_REFERER'];
$refData = parse_url($ref);
if($refData['host'] !== 'allowed-domain.com') {
// Output string and stop execution
die("Access Restricted. Internal Use Only.");
}
echo "";
?>
Related
I have a primary domain (example.com) with WordPress installed. A simple domain re-direct from example.com to example-usa.com has been put in place from the hosting control panel.
My client would like a simple welcome message displaying to anyone that has come from example-usa.com.
To achieve this, I opted for the following PHP:
<?php
$host = $_SERVER['HTTP_HOST'];
if ($host == "example-usa.com" or $host == "www.example-usa.com") {
echo '<header><h1>USA Message</h1>';
}
else {
echo '<header><h1>Normal welcome message</h1>';
}
?>
Unfortunately, when the user arrives to the site, the usa domain disappears from the browser URL bar and is replaced with the primary domain. This means my PHP isn't kicking in as it should.
Is there another way I can achieve this? I'd rather not use a plugin or location service.
It's important to note that there are two re-direct options from the clients domain registrar (123-reg). I've currently picked the 301 option as this is a permanent re-direct. I can however, pick a 302 direction which will introduce an iFrame.
I don't think you'll be able to do this with a redirect in your hosting. Your best bet would be to handle the redirect in your code and set a cookie before you do the redirect. Then on the destination side you can check for that cookie before you show the message.
HTTP_HOST contains the current domain, you can use the HTTP_REFERER to check the previous domain. This one will match with your 'usa' domain after the redirect.
Try this:
<?php
$host = parse_url(get_home_url(), PHP_URL_HOST); // will return 'example-usa.com'
if ($host == "example-usa.com" or $host == "www.example-usa.com") {
echo '<header><h1>USA Message</h1>';
}
else {
echo '<header><h1>Normal welcome message</h1>';
}
exit;
?>
Try this. Since you are redirecting user you will need to look at referrer URL^
if (strpos($_SERVER["HTTP_REFERER"], 'example-usa.com') !== false) {
echo 'Welcome to example.com';
}
I am trying to get the URL of the site which referred the user to the site with the script on it.
Here is the script I am using:
if (isset($_SERVER['HTTP_REFERER'])) {
$ref_url = $_SERVER['HTTP_REFERER']; //get referrer
}else{
$ref_url = 'none'; // show failure message
}
echo $ref_url;
The issue I am having is that no matter what site I come to the main site from, I always get 'none' echoed. What is causing this and how can I make the script actually get the referrers URL?
I'm attempting to use strpos to see if a HTTP_REFERER contains a certain URL ($referral), but for some reason the following code isn't working. However, if I replace the variable $referral with a string of the same contents, it seems to work. Can anyone tell me why, or what I'm over looking?
//$_SERVER['HTTP_REFERER'] = http://www.example.com/something/somefile.php
$referral = 'http://www.example.com/';
$server = $_SERVER['HTTP_REFERER'];
if(strpos($server,$referral) !== false)
{
echo 'true';
}
else
{
echo 'false';
}
//outputs 'false'
Perhaps $server is not http://www.example.com/something/somefile.php.
When using:
$referral = 'http://www.example.com/';
$server = 'http://www.example.com/something/somefile.php';
if(strpos($server,$referral) !== false)
{
echo 'true';
}
else
{
echo 'false';
}
Output is true
How, and if the $_SERVER['HTTP_REFERER'] is set depends on the user agent. This value needn't be set, and even if it is, it's not reliable. Taken from the PHP documentation:
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
That's, I think, what you're overlooking here.
If you are accessing domain without any path eg: http://www.example.com, then your script would return false since there is no backslash at the end. Also you may not be opening the site with www or having and ssl (https)
Could you please post var_dump($server) on the page it doesn't work?
I'm trying to load content from a different page if the user came to the page with NO referrer or if the user types my page in directly.
This is the code I would like to alter to be able to achieve this.
The code below redirects based on if the user has 1 of the IPs listed below, it will load the fakepage.php. I would like to alter this script so it can work if there is NO referrer, or if the user types in my url directly.
<?php
$banned = array('56.150.186.229','89.103.221.49');
$userIP = $_SERVER['SERVER_ADDR'];
if(in_array($userIP,$banned)) {
include_once('fakepage.php');
} else {
include_once('realpage.php');
}
?>
I'm trying to make this look as seamless as possible, so the user will not know they were redirected
Use $_SERVER['REMOTE_ADDR'] to get the users ip (you may need another header if you are running behind a proxy or similar. Then check to see if $_SERVER['HTTP_REFERER'] is empty for your second condition.
$banned = array('56.150.186.229','89.103.221.49');
$userIP = $_SERVER['REMOTE_ADDR']; // likely users ip
$noReferer = empty($_SERVER['HTTP_REFERER']);
if(in_array($userIP,$banned) or $noReferer) {
include_once('fakepage.php');
} else {
include_once('realpage.php');
}
I'm trying to blocked website based proxy's. These are normally in the format of:
http://3.hidemyass.com/ip-8/encoded/Oi8vZ29kbGV5ZGVzaWduLmNvLnVrL0xDcmVkaXJlY3QvZnVuY3Rpb25zL2Z1bmN0aW9
My theory of blocking these is to get the URL of the address bar and check that it's actually direct access to my site, rather than visiting via a website proxy.
However, when i try to visit my site and attempt to capture the url of the user it still reports that its my sites url.. not this web based proxy one.
I've tried the following ways of detecting it:
$url= $_SERVER['HTTP_HOST']; //get the url
$url = $_SERVER["SERVER_NAME"];
any ideas on how to resolve this?
UPDATE
Ok i've rewrote part of this, however it always seems to be returning false... the $url is being passed correct as i can echo this out within the function. However it doesnt seem to be matching and returning false
<script>
var url = window.location.href;
<?php $url = "<script>document.write(url)</script>"; ?>
</script>
<?php
//
function checkURLIsSafe($url){
if(preg_match('/www/',$url)){
echo 'true';
} else {
echo 'false';
}
}
checkURLIsSafe($url);
?>
PHP runs on the server. It can only see the URL that was requested from it.
hidemyass.com will be requesting the normal URL from your server. There is no way to tell what URL the browser requested from hidemyass.com.
Approaches you could take include:
Checking the source ip against a list of known proxies
Using client-side JavaScript to read location.href
You cant do it with PHP only. What you can do is to check window.location.href with javascript, and if it's incorrect, send ajax request to server, which will block IP address.