HTTP_referer for multiple URL's - php

I got this "HTTP_referer-script" that checks if a visitor comes from a certain URL (password protected) when entering the site. My problem is that it only seems to work if the visitor comes from the absolute right URL. I.e.:
If the user comes from: http://mydomain.com it works fine but if the user comes from http://www.mydomain.com it won't work.
Is there any way to add a second URL to the HTTP_referer, in this case the same domain but with "www" as well?
<?php
$referrer = $_SERVER['HTTP_REFERER'];
if ($referrer != 'http://mydomain.com/') {
die("You do not have access to this site.");
}
// put your page code here
?>
<h1>Content here</h1>
Thanks a lot!
/a

The contents of $_SERVER['HTTP_REFERER'] are derived from the request the client sends to your webserver. First of all it is important to realize that this information is by no means to be trusted. It is easily faked by the client.
That being said. What you probably want to do is simply check if the domain is part of the $_SERVER['HTTP_REFERER'] string. Because in this case https://domain.com also wouldn't work.
So by your example, use this:
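<?php
// Deny access unless "mydomain.com" appears somewhere in the referer
if ( !isset($_SERVER['HTTP_REFERER']) || !strstr($_SERVER['HTTP_REFERER'], 'mydomain.com') ) {
    die("You do not have access to this site.");
}
// put your page code here
?>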
<h1>Content here</h1>
This code simply checks if "mydomain.com" is part of the contents of $_SERVER['HTTP_REFERER'].
Do realize this would also mean: http://www.somedomain.com?test=mydomain.com as referer would also match, but it is not very likely you will run into that situation (nor will it probably matter..)
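
An added example, not part of the original answers: the substring test also accepts any referer that merely contains the domain, so this version parses the header with parse_url() and compares the whole host against an allow-list. The helper name referer_host_allowed() and the sample referers are constructed for illustration; the header is still supplied by the client, so this tightens the match without making the referer trustworthy.

```php
<?php
// Added example: exact host comparison instead of a substring search.
// Assumption: the allowed hosts are mydomain.com and www.mydomain.com.

function referer_host_allowed($referer, array $allowedHosts)
{
    if (!is_string($referer) || $referer === '') {
        return false;                       // header absent or empty
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;                       // only web origins are accepted
    }
    // Host names are case-insensitive; compare the whole host, never a substring.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

$allowed = array('mydomain.com', 'www.mydomain.com');

// Constructed sample values, including the look-alike case from the answer above.
$samples = array(
    'http://mydomain.com/',
    'https://www.mydomain.com/members/index.php',
    'http://www.somedomain.com?test=mydomain.com',
    'http://mydomain.com.somedomain.com/',
    'http://notmydomain.com/',
    '',
);

// Print both results side by side to show where the two checks disagree.
foreach ($samples as $referer) {
    $substring = strpos($referer, 'mydomain.com') !== false;
    $exactHost = referer_host_allowed($referer, $allowed);
    printf("%-45s substring=%-4s host=%s\n",
        $referer === '' ? '(no referer)' : $referer,
        $substring ? 'yes' : 'no',
        $exactHost ? 'yes' : 'no');
}

// Use in the page itself:
// $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// if (!referer_host_allowed($referer, $allowed)) {
//     die("You do not have access to this site.");
// }
```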

Use in_array in conjunction with array of urls:
if (!in_array($referrer, array('http://mydomain.com/', 'http://www.mydomain.com/'))) {
die("You do not have access to this site.");
}

Put two if statements as follows.
<?php
$referrer = $_SERVER['HTTP_REFERER'];
// Deny only when the referer matches neither URL: the second check is nested in the first
if ($referrer != 'http://mydomain.com/') {
    if ($referrer != 'http://www.mydomain.com/') {
        die("You do not have access to this site.");
    }
}
// put your page code here
?>
<h1>Content here</h1>

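$url = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$allowed = array("hello.com","example2.com");
$ok = false;
foreach ($allowed as $site) {
    // preg_quote() so the dot in the domain is matched literally
    if (preg_match("#" . preg_quote($site, "#") . "#", $url)) {
        $ok = true;
        break;
    }
}
// Deny only after every allowed site has been tried without a match
if (!$ok) {
    die("You do not have access to this site.");
}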

Related

Using $_SERVER['HTTP_REFERER'] with multi referers

I am trying to (somehow) secure an Ajax - PHP connection using $_SERVER['HTTP_REFERER']. I need to validate the HTTP_REFERER for two pages: products.php (all products) and product.php (single product). Can I use PHP in_array() to handle this, something like:
$referers = array("https://example.com/products.php", "https://example.com/product.php");
if (@isset($_SERVER['HTTP_REFERER']) && in_array($_SERVER['HTTP_REFERER'], $referers))
{
}
If so, how can I handle the dynamic URL parameters with https://example.com/product.php? For example, if I have https://example.com/product.php?sku=96 or https://example.com/product.php?sku=300 this is not gonna work with in_array() as it is different from what is listed in $referers even though the source is correct.
$_SERVER['HTTP_REFERER'] is not guaranteed to be set and not guaranteed to be the original referer. You might use a session variable:
//products.php and product.php
session_start();
$_SESSION['ref'] = basename(__FILE__);
//other.php
session_start();
$referers = array("products.php", "product.php");
if (isset($_SESSION['ref']) && in_array($_SESSION['ref'], $referers))
{
}
Keep in mind that if you hit the products.php and then another.php and then other.php that $_SESSION['ref'] will still be products.php, so you either want to set it in all files or unset() it in other files.
<?php
$trustedReferers = array("https://example.com/products.php", "https://example.com/product.php");
$referer = '';
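if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']) {
    $infos = parse_url($_SERVER['HTTP_REFERER']);
    if (isset($infos['scheme'], $infos['host'], $infos['path'])) {
        // parse_url() only sets 'port' when the URL names one; the query string is dropped
        $port = isset($infos['port']) ? ":{$infos['port']}" : '';
        $referer = "{$infos['scheme']}://{$infos['host']}{$port}{$infos['path']}";
    }
}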
if (in_array($referer, $trustedReferers)) {
echo "Trusted referer";
} else {
echo "Untrusted referer";
}
By the way, I suggest changing the business logic so that it only restricts the domain of the referer. Then the site is easier to maintain.

PHP - Allow Access to Page Only If Variable Exists in Url

I'm sorry I couldn't come up with a more fitting title but here is what I hope to achieve with PHP:
I have a page with url www.foo[.]com/mypage
I only want that page or url to be accessible if it comes with ?user=$email so if someone tries to visit the url without ?user=$email, they get redirected somewhere else.
How do I define that condition?
Try this script !!!
if(!isset($_GET['user'])){
    header("location:./");
    exit; // stop here so the rest of the page is not sent after the redirect
}
elseif(isset($_GET['user']) && $_GET['user']==''){
    header("location:./");
    exit;
}
Hi @Edwin, here is the solution for your question.
<?php
// Redirect away when "user" is missing or empty, otherwise go on to the page
if(!isset($_GET['user']) || $_GET['user'] === '') {
    header("Location: http://www.foo[.]com");
} else {
    header("Location: http://www.foo[.]com/somepage");
}
?>
In your mypage Page at TOP(Very First line) just write following code
<?php
if(!isset($_GET['user']) || (isset($_GET['user']) && $_GET['user'] == "") ){
    header("Location: http://www.foo[.]com");
    exit; // stop here so the rest of the page is not sent after the redirect
}
?>
Here I not only check if $_GET['user'] is available or not, I also check that there must be some value passed to it. Here you also don't need to write else{} to continue.

PHP URL Variable Redirect

I have a login page that submits to another page while adding a string to the end of the url. Would look something like this 'http://example.com?klc' I know I can use $_SERVER["QUERY_STRING"] to get the string, but now I need to use it in a function to direct the user to a different page, based on the string. This is what I have written in the target file
<?php
$access = $_SERVER["QUERY_STRING"];
function user_admin_redirect($access){
if ($access = "ppl"){
redirect_to("ppl_admin.html");}
else ($access = "klc"){
redirect_to("klc_admin.html");}
}
}
user_admin_redirect($access);
but for some reason the script dies. Any tips would be welcomed. Also, I have the system setup on my website, contact me if you are willing to help I can give you a test login.
$access = $_SERVER["QUERY_STRING"];
function user_admin_redirect($access){
    // Compare with ==; a single = would assign and always be true
    if ($access == "ppl"){
        redirect_to("ppl_admin.html");
    }
    else if($access == "klc"){
        redirect_to("klc_admin.html");
    }
}
user_admin_redirect($access);
You need to use == and not = when using if
You need to use else if and not just else
I am assuming redirect_to is some custom function that you have written which will redirect you to the mentioned page. If not, you should use header('Location: ' . $location);
I don't think redirect_to is a built-in PHP function.
You might need to use
header("Location:".$myPhpScript);
or you could define redirect_to, like:
function redirect_to($location){
header("Location:".$location);
}
See more here:
php redirect_to() function undefined
How to make a redirect in PHP?

Redirect if page is linked to directly javascript or php?

I need some javascript or php code to detect if user has linked directly to my site's page so I can then redirect it to the homepage.
Is this possible?
Check if the host of your server is in the http_referer (it is the last url visited by the user).
function is_direct_link() {
return (!empty($_SERVER['HTTP_REFERER']) && stripos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) === false);
}
if (is_direct_link()) {
header('location: http://www.google.com');
exit();
}
<?php
$referrer = $_SERVER['HTTP_REFERER'];
// see if they are visiting from another website
if (!empty($referrer) && stripos($referrer, 'mydomain.com') === false)
{
// redirect them to the main site
header('Location: http://mydomain.com/');
// stop php from going further
exit;
}
Something like that is (I think) what you're looking for.
If the referrer is empty, this will redirect to the home page:
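<?php
// Redirect when the referrer is empty or does not contain example.com
if (empty($_SERVER['HTTP_REFERER']) || stripos($_SERVER['HTTP_REFERER'], 'example.com') === false) {
    header("Location: http://example.com/"); exit;
}
?>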
Note that the referrer is not bulletproof by any stretch but it does the basic job.

CakePHP: if user did not come from the same website

How would I check if the user did not come from the same website? So for example if a user types in the URL in the browser to a direct page then they would have accessed that page without coming from another page in the site.
So something like:
if(!user not from same url)
{
//do some stuff
}
$this->referer() in controller?
Edit: Well, for your purpose, you can directly use this:
$referer = env('HTTP_REFERER');
if(empty($referer)){ echo 'jazz'; }
because $this->referer() behaves a little differently. It won't return false or null or empty string.
$referer = env('HTTP_REFERER');
if(empty($referer) && $this->Session->check('Auth.redirect') == false)
{
echo 'user didn\'t come website and wasn\'t redirect from the auth component';
}
