How to detect direct visit to website via PHP [closed] - php

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I'm interested in how I can detect the source of a visit: is it a direct link, via a referrer, or via a search engine, using PHP?
More concisely, when someone accesses my website by directly typing http://ww.mysite.com in their browser, how can I detect such visitors (using PHP)?

Each request has a referer, i.e. a URL which the user came from. PHP provides this information in the $_SERVER['HTTP_REFERER'] variable.
If a user accessed your website directly, i.e. via direct type-in or a bookmark, the referer is empty.
Note that some browser add-ons and “security software” will remove the referer for privacy reasons.
But if it's just for statistical purposes, you may assume that the referer is valid in 99.9% of all page views.
But remember: The referer can easily be forged to contain any value the visitor wants it to be. Including malicious code like XSS or SQL injection. Be careful when processing it.

There is no way to know for sure, but if $_SERVER['HTTP_REFERER'] is not set, then it is likely to be a direct visit. You can also add parameters to links that you use in advertising to help you track the source; for example, you might place adverts with links to example.com/?source=my-advertising-campaign

Try this:
$_SERVER['HTTP_REFERER']
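
An added example, not part of the original answers: one way to classify a visit from the Referer header while treating the header as untrusted input, as the answers above advise. The function name, the `$ownHost` parameter, the search-engine host list and the sample requests are assumptions made for illustration.

```php
<?php
// Added example. classify_visit(), $ownHost and $searchHosts are illustrative names.
function classify_visit(array $server, string $ownHost, array $searchHosts): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if (!is_string($referer) || $referer === '') {
        // Typed URL, bookmark, or a header stripped by the browser, an add-on or a proxy.
        return 'direct_or_unknown';
    }
    if (strlen($referer) > 2048) {
        return 'invalid';
    }
    $parts = parse_url($referer);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return 'invalid';
    }
    $host = strtolower($parts['host']);
    // Compare against a configured host name, not HTTP_HOST, which the client also controls.
    if ($host === strtolower($ownHost)) {
        return 'internal';
    }
    foreach ($searchHosts as $suffix) {
        $dotted = '.' . $suffix;
        if ($host === $suffix || substr($host, -strlen($dotted)) === $dotted) {
            return 'search';
        }
    }
    return 'referral';
}

// Constructed sample requests.
$samples = [
    [],
    ['HTTP_REFERER' => 'https://www.google.com/search?q=php'],
    ['HTTP_REFERER' => 'https://forum.example.net/thread/7'],
    ['HTTP_REFERER' => 'https://www.mysite.example/about'],
    ['HTTP_REFERER' => '"><script>alert(1)</script>'],
];
foreach ($samples as $server) {
    $label = classify_visit($server, 'www.mysite.example', ['google.com', 'bing.com', 'duckduckgo.com']);
    // Store or print only the fixed label; escape the raw header if it must be shown.
    $shown = htmlspecialchars($server['HTTP_REFERER'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo $label, "\t", $shown, PHP_EOL;
}
```

Because the function returns one of a fixed set of labels, the statistics code never has to store or render the attacker-controlled header value itself.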

Related

Is it safe to accept url from user to show in our website? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed last year.
I want to show users' websites in their profiles, but I don't know: after I validate the user's input format to be a valid URL (https://userwebsite.com), is it safe to use that input in an a tag (<a href="https://userwebsite.com">) to redirect other users to that website? If it's not safe, is there any way to check the URL?
How do Facebook and others handle this situation, like the example below?
https://www.facebook.com/pages/Restaurant-El-Reda-libanesische-und-iranische-Spezialit%C3%A4ten/169985763015422
This is a great question. There are many sites that provide the ability for users to enter URLs that are then provided as links. This has been bread and butter of forums for a long time.
The challenge is that we want to make sure that the URL is valid and doesn't encourage people to visit malicious sites. For the first part (is the URL valid) there are plenty of libraries out there that can check the URL for example urlparse for python. (Sorry I don't know PHP well enough to provide the equivalent example).
The second part is a little more interesting and depends on your circumstances. If you are running a non commercial site then Google Safe Browsing offers an API which I believe will allow you to filter out malicious links. If you are running a commercial site then there are alternatives for example SophosLabs Intelix.
In summary I believe that it is safe to do what you are asking as long as:
You validate that the URL is valid
You put reasonable checks in place to prevent users posting links to malicious content
You provide appropriate disclaimers to cover you against the content on external sites
It is absolutely not.
Keep in mind that accepting anything from a user means danger; it is you who should handle the danger in a safe way.
You can get a URL from a user but it might be harmful for others ...
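
An added example, not part of the original answers: a PHP take on the "validate the URL" step discussed above, combined with output encoding when the link is rendered. The function names and sample inputs are assumptions; reputation checks against a service such as the ones named in the first answer are a separate step not shown here.

```php
<?php
// Added example. safe_profile_url() and render_profile_link() are illustrative names.
function safe_profile_url(string $input): ?string
{
    $url = trim($input);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    // FILTER_VALIDATE_URL checks syntax only and accepts non-web schemes,
    // so the scheme is checked against an allowlist afterwards.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, file:, ftp: and similar
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // "https://trusted-name@other-host/" style links mislead readers
    }
    return $url;
}

function render_profile_link(string $input): string
{
    $url = safe_profile_url($input);
    if ($url === null) {
        return '<span>(no website)</span>';
    }
    // Encode for the HTML attribute and for the visible text.
    $e = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $e . '" rel="nofollow noopener noreferrer ugc" target="_blank">' . $e . '</a>';
}

// Constructed sample inputs.
$inputs = [
    'https://userwebsite.com',
    'https://userwebsite.com/?q="><b>x</b>',
    'javascript:alert(1)',
    'ftp://userwebsite.com/file',
    'https://facebook.com@userwebsite.com/',
    'not a url',
];
foreach ($inputs as $input) {
    echo render_profile_link($input), PHP_EOL;
}
```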

Make a fake post request? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I was making a website in PHP and I am using forms and POST requests for many things. In order to test and debug the GET requests I used a Chrome extension called Postman. I noticed that this extension also has POST requests. What would happen if, for example, I make a POST request on Facebook with my Facebook password? The credentials would be correct and the request would also hit the correct target, but again, what would happen? Can I just make POST requests to any website like that?
You can POST to any website you'd like. Facebook is a bit more difficult due to session cookies and their authentication process, but give it a try and see how it works out for you.
+points for exploring how HTTP works
Websites should treat POST input as user input and as such should validate and sterilize it as needed, nothing should prevent you from attempting such a thing but the complexity of the request and the legal standpoint of faking/automating requests to a site without informing them (I am not a lawyer).
If you want to attempt such a thing while being a good "internet citizen" I'd recommend you to take the following precautions:
Set a user agent different than the normal web browser.
Do not flood websites with attempts.
Do not use a profile you are using in day to day life, as it may be blocked for spam or by the IDS.
Look up if there are test/development flags you can set to let the website know you are testing/developing.

What browsers don't send HTTP_Referer [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I want to show certain content if traffic comes to my wordpress site from google search. I want to use $_SERVER["HTTP_REFERER"] . Security is not a huge issue -- if some client really wants to lie that they are coming thru google that is no big deal (they'll just see an ad). I also understand that I need to check what they send through $_SERVER["HTTP_REFERER"] for malicious code. However, I see that according to answers in this post Determining Referer in PHP not all browsers send HTTP_REFERER.
What browsers don't send it? What versions?
When the referring site has SSL turned on, it will often not include the HTTP_REFERER. As you can imagine, this is by design for security purposes. Code accordingly.
This makes it difficult to know when visitors are coming from sites like youtube and gmail which use SSL by default.
Also this question is similar:
Is there referrer header while using SSL?

Should I allow Javascript in the blogging website that i am developing [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I am experimenting on a blogging website like Tumblr, Blogger...[etc]. In a blogging website user should have full control over what they're posting.
So if I allow users to include Javascript code in blog posts, would that make my site vulnerable to XSS attacks ? (which I think it will)
So what would be the best way:
Allow users to include Javascript in HTML
Block all the Javascript code.
Something else... (which I don't know)
I am using PHP/MySQL
No, it's generally a very bad idea to allow third parties to execute/inject code into your site. That's just asking for trouble.
Most XSS vulnerabilities come from cookies, and/or same-origin requests (e.g. they could POST to the delete account page).
Sites such as tumblr circumvent this by using subdomains. A request from http://foo.example.org to http://example.org is treated the same as a request from http://example.com (cross-origin). No cookies will be passed, so there is no XSS vulnerability.
Of course there are still rootkit scripts around, but users take that risk going to any site with an outdated browser. Make sure to disclaim that somewhere.
No, it's a bad idea. Also, don't forget that not all your users have some knowledge of informatics. Otherwise, if you want a site for developers, you can use, for example, a website API like jsfiddle http://doc.jsfiddle.net/api/

How do you allow users to dynamically create a web page within a web app? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
For example, when a user adds a question to a Q&A site, that question typically gets its own web page, and that web page was created on-the-fly. How can you do this with PHP? Could anyone point me to any resources? Thanks.
By "that question typically gets its own web page" you are referring to "gets its own url". For example, this one is How do you allow users to dynamically create a web page within a web app?.
It's really just a trick. Very simplified:
When you submitted this question, it got a unique identifier 3723813 and was inserted into a database.
There is a single controller script that deals with questions, say https://stackoverflow.com/questions.php
When someone tries to open this page, the server knows to send it to questions.php by using a module such as mod_rewrite for apache.
Then, questions.php looks at the url parameters, takes the unique id for this question, 3723813, and loads up its information from the database in order to display it.
The rest of the url is just cosmetic and just there so that we can right away know what question it is before opening the page.
"How to" on this is bigger than a normal Stackoverflow question.
Maybe have a look here for some ideas (I'm just quickly scanning through it right now, can't really say if it's a great tutorial or not right now): http://www.tuttoaster.com/how-to-create-a-forum-in-php-from-scratch/
If you're a php novice, it may be better to look for one of the open source PHP forum applications like http://www.phpbb.com/ or something like that (phpbb just being the first that came to mind). That will be a lot more code to sort through, but the more popular open source applications will likely already know how to deal with security concerns like cross site scripting attacks and sql injection attacks.
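
An added example, not part of the original answers: the single-controller flow from the first answer above, with the id validated, a prepared statement for the lookup and HTML-escaped output, which addresses the SQL injection and cross-site scripting concerns the second answer mentions. The `/questions/<id>/<slug>` path layout, the table schema, the function names and the in-memory SQLite database (requires the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example. In production a rewrite rule (e.g. mod_rewrite) would send
// every /questions/... request to this one script.
function question_id_from_path(string $path): ?int
{
    // /questions/<id> or /questions/<id>/<slug>; the slug is cosmetic and ignored.
    if (!preg_match('#^/questions/([1-9][0-9]{0,9})(?:/[A-Za-z0-9-]*)?$#', $path, $m)) {
        return null;
    }
    return (int) $m[1];
}

function render_question(PDO $db, string $requestUri): array
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    $id = is_string($path) ? question_id_from_path($path) : null;
    if ($id === null) {
        return [404, 'Not found'];
    }
    // The id is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT title, body FROM questions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, 'Not found'];
    }
    // User-supplied text is escaped on output so stored markup stays inert.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [200, '<h1>' . $h($row['title']) . '</h1><p>' . $h($row['body']) . '</p>'];
}

// Constructed database content standing in for the real question table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->prepare('INSERT INTO questions (id, title, body) VALUES (?, ?, ?)')
   ->execute([3723813, 'How do you allow users to create a web page?', 'Body with <script>alert(1)</script>']);

// Constructed sample request URIs.
$uris = ['/questions/3723813/how-do-you-allow-users', '/questions/3723813',
         '/questions/1 OR 1=1', '/questions/42'];
foreach ($uris as $uri) {
    [$status, $html] = render_question($db, $uri);
    echo $status, ' ', $html, PHP_EOL;
}
```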
