I've got an almost empty page that I need for a curl.
The thing is that it is also accessible by a browser and looks weird.
Is it possible in PHP to detect if the request come from a browser or a curl ? So that way I can make a redirect if it comes from browser.
Thank you.
This will get you the client Agent, among other stuff. If your curl does not pretend to be something else, it should do.
foreach (getallheaders() as $name => $value) {
echo "$name: $value\n";
}
or simpler:
$_SERVER['HTTP_USER_AGENT']
gets you the user-agent (browser signatur) directly.
Browser sends User-Agent header in request, if you don't setup User-Agent in curl just check request for this header.
Related
I have a simple PHP script which shows some information to a user. I want to shorten this information as muss as possible if the same page is requested with cURL or saved with Wget.
I saw several similar question on Stackoverflow, but they have some extras like “I want to block cURL” or “redirect a form request if…”. The answers usually tell that it is not possible to detect a cURL request reliably, since cURL lets the user change all request parameters and pretend to be a browser. Thats okay for me, I dont want to block cURL, I want to offer an extra service for a generic cURL (and Wget) request.
If not configured otherwise cURL and Wget use a custom »User Agent« string for their requests.
For example curl/7.47.0 or Wget/1.17.1 (linux-gnu). You can test this easiliy on https://requestb.in.
Several applications may access the User Agent string in the request header. In PHP its available in the $_SERVER['HTTP_USER_AGENT'] variable.
So to detect a cURL or Wget request and offer different content, you may use
<?php
// Catch cURL/Wget requests
if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match('/^(curl|wget)/i', $_SERVER['HTTP_USER_AGENT'])) {
echo 'Hi curl user!';
}
else {
echo 'Hello browser user!';
}
?>
In my app I detect the cURL request and then let the process die() in the if loop. So if its just a browser, the the condition doesnt match and executes all the following PHP code.
As said before, both cURL and Wget allow the user to set an arbitrary User Agent. But for the requested service, this solution is sufficient.
I have a REST API in https://domain1.com
I want to accept requests only from https://domain2.com
Question, Can I rely on the "origin" header to accept request only from https://domain2.com?
Note that Both websites are secured with SSL
It would be something like this:
$headers = getallheaders();
if($headers['origin'] != 'https://domain2.com'){
return FALSE;
}
Relying on the Origin header would be similar to relying on a Cookie. A well-behaved client (such as a browser) will send it with the correct value. An attacker would simply spoof it to whatever value they need to get your service to work.
You can use it as a way to prevent someone from using your API on their site directly from the browser. You cannot use it to prevent someone from using your API via a proxy or accessing it directly to download data.
I will try to explain what I am trying to reach the best way I can.
Let's say there is a page that shows information and it has cookies ( I can see the cookies through Firecookie [Firefox add-on in Firebug]) I am able to print the cookies in my localhost through
$cookies = array();
foreach ($http_response_header as $hdr) {
if (preg_match('/^Set-Cookie:\s*([^;]+)/', $hdr, $matches)) {
parse_str($matches[1], $tmp);
$cookies += $tmp;
}
}
print_r($cookies);
but the original page has request headers, and what I am trying to do is get the request header and make a request to that same page. I guess I have two questions, do I get the request header through COOKIES or separately. And how do I get the request headers of a page and send a request to that page with those request headers? I tried lots of things and couldn't succeed. I don't have the codes I've tried since I constantly try new things therefore can't paste what I have, only the file I pasted.
If you're using PHP with apache you can get request headers using function apache_request_headers.
http://php.net/manual/en/function.apache-request-headers.php
I was wondering if there is any way to check a page has been ran in a browser (by a human) in PHP.
I've got a page that only needs to be accessed through a cURL request. So I don't want users snooping around on it.
any ideas?
thanks
EDIT:
Because this is one of those questions that are not easily found on the web, here's the solution i used:
I came up with an idea thanks to anthony-arnold. Its not very stable, but it should do for now.
I simply sent the user agent in my cURL request:
//made a new var with the user agent string.
$user_agent = "anything I want in here, which will be my user agent";
//added this line in the cURL request to send the useragent to the target page:
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
and then I simply wrote an if statement to handle it:
if
($_SERVER['HTTP_USER_AGENT'] == "my expected useragent - the string i previously placed into the $user_agent var."){
echo "the useragent is as expected, do whatever";
}
else if
($_SERVER['HTTP_USER_AGENT'] != "my expected useragent - the string i previously placed into the $user_agent var."){
echo "useragent is not as expected, bye now."; exit();}
And that did the trick.
Check the User-Agent or use the get browser function to check which browser is requesting your page. You could configure your web server to fail unless a specific user agent is specified. You can set the user agent in cURL using the --user-agent switch (see the man page).
Unfortunately, the user agent can be spoofed so you can never be absolutely sure that the one sent by the client is in fact correct.
There is a problem with this idea though. If it's on the public web, you have to expect that people might try to access it in any way! If the HTTP request is valid, your server will respond to it (under default configuration). If you really don't want it accessed by any method other than your prescribed cURL one, then you might need to invest in some further authentication/authorization methods (e.g. username/passphrase authentication via SSL).
is it possible to send referer information with php?
If you are, for example, fetching the contents of a URL in PHP using cURL, you can send any additional headers you want, including a referrer header.
You can not force the users browser to send a referrer header by any means, especially not with a server side language.
It's not possible to get the client browser to send a different Referer header.
However, it is theory possible for you to do this when conducting an HTTP request from PHP (either using cURL or native URL wrappers), but including a custom request header in this request.
Yes, when trying to load a page, just write the Referer header to the output stream.
Referer is a 'request' header meaning sent by the client i.e. browser. From server side i.e. using PHP you can only control 'response' headers.
If you are planning to make HTTP requests with PHP, that is different of course.
Edit: ..and requests made from the server to the other servers is a pretty common scenario actually. It seems like you should be able to set the headers you want while creating the HttpRequest:
$options = array(headers => $header_array,
httpauth => $credentials);
$r = new HttpRequest($url, HTTP_METH_POST, $options);
Or you can use the addHeaders method:
$r->addHeaders(array('Referer' => 'http://example.com'));