At the moment I am testing an idea. What I want to do is display extra content on a webpage if the person visiting comes from a designated location.
I was able to make the code work using 'HTTP_REFERER' – Though this only works from websites and in this instance I want to detect whether the browser / person came from an Intranet which is behind a proxy server that is stripping out any referrer information.
Below is my current code.
I am searching for a viable option / equivalent.
Any thoughts would be very much appreciated.
<?php
$content = "hello world";
$referrer = $_SERVER['HTTP_REFERER'];
$explodestring = explode('/',$referrer);
$explodestring = $explodestring['2'];
if ($explodestring == "www.domain.com") {
echo $content;
}
?>
You can find that in $_SERVER['X-Forwarded-For'].
Related
I've been trying to get the URL (including GET parameters) of a site that is displaying my image. This is because I want to extract one parameter of the URL.
A friend told me that she knew someone that could achieve this, but I don't know if he was doing it with an image. Also I don't think I can do it with a link because when going to external sites it will appear a warning page saying that you're being redirected outside, so if I put a link to my page and someone clicks, I will get the referrer URL of redirection warning page. I can't assure if my friend was telling the truth about this, but it's very likely that it was true.
All I could get with the image was the IP and other things of the HTTP header, but the referrer part is empty and I thought that the referrer contained the full URL I'm talking about.
This is what I have tried.
First the img tag in the other site in BBCode:
[img]http://______.com/get_image.php?i=myimage[/img]
And in my site this script in PHP, although any language that does the work would be good for me:
<?php
// Get name of image to be displayed (non-sanitized here for simplicity)
$filename = $_GET["i"];
// Here I want to get the site where image is being viewed
if (!empty($_SERVER['HTTP_REFERER'])) {
$visitor_url = $_SERVER['HTTP_REFERER'];
} else {
$visitor_url = "none";
}
// And write the referrer to a file just to test if it works
$fp = fopen('referer.txt', 'w');
fwrite($fp, $visitor_url);
fclose($fp);
// Eventually display the image
header('Content-Type: image/png');
readfile($filename . '.png');
?>
So my questions are:
Is it possible to get full URL of a site that is displaying my image?
If not, is there any other method to get the full URL?
Thank you in advance.
Note: I don't have any permision in the other site where I'm posting the image, I'm just an user there. Please tell me if I'm missing something or I have to ask this in another way, I'm new to StackOverflow.
Try REMOTE_HOST instead of HTTP_REFERER:
// Here I want to get the site where image is being viewed
if (!empty($_SERVER['REMOTE_HOST'])) {
$visitor_url = $_SERVER['REMOTE_HOST'];
} else {
$visitor_url = "none";
}
The web server where you are serving the image will need to be configured properly. If using Apache, this is with HostNameLookups On.
See http://php.net/manual/en/reserved.variables.server.php
Normally browsers are sending full referer with all URL components including query parameters - $_GET params. If they don't then there is no other way to achieve that URL while passing throught an image content.
Sometimes sending referer may be blocked, for eg. in some batch URL processing using some crawler like program/script or on some proxies.
In PHP receiving referer is done by $_SERVER['HTTP_REFERER'] because it's normally just http header from request and it's the only $_SERVER array key with referer info.
You added the .htaccess tag so I think you're using the Apache web server. If you'd like to prevent the issue entirely, you can disable hotlinking entirely by going one layer lower. Instead of managing in PHP, you can configure the web server to not serve content to domains other than the one you are hosting.
Check out the guide for more details.
I fixed this problem by switching my site (where image is hosted) to HTTPS. The code in my question was doing its job correctly.
It looks that HTTP_REFERER was blank because of it coming from an HTTPS site and my site being HTTP it would always send it blank. I was aware that it could be a problem, but didn't make much sense for me because HTTP_REFERER was also blank when coming from another HTTP site (which I think it's not normal) so I thought the error was in another place.
Usually HTTP_REFERER is sent when it comes from and goes to:
from HTTP to HTTP
from HTTPS to HTTPS
from HTTP to HTTPS
But it's not sent when it comes from and goes to:
from HTTPS to HTTP
And in my case, I don't know why, it wasn't being sent from HTTP to HTTP which was confusing me.
I'm trying to blocked website based proxy's. These are normally in the format of:
http://3.hidemyass.com/ip-8/encoded/Oi8vZ29kbGV5ZGVzaWduLmNvLnVrL0xDcmVkaXJlY3QvZnVuY3Rpb25zL2Z1bmN0aW9
My theory of blocking these is to get the URL of the address bar and check that it's actually direct access to my site, rather than visiting via a website proxy.
However, when i try to visit my site and attempt to capture the url of the user it still reports that its my sites url.. not this web based proxy one.
I've tried the following ways of detecting it:
$url= $_SERVER['HTTP_HOST']; //get the url
$url = $_SERVER["SERVER_NAME"];
any ideas on how to resolve this?
UPDATE
Ok i've rewrote part of this, however it always seems to be returning false... the $url is being passed correct as i can echo this out within the function. However it doesnt seem to be matching and returning false
<script>
var url = window.location.href;
<?php $url = "<script>document.write(url)</script>"; ?>
</script>
<?php
//
function checkURLIsSafe($url){
if(preg_match('/www/',$url)){
echo 'true';
} else {
echo 'false';
}
}
checkURLIsSafe($url);
?>
PHP runs on the server. It can only see the URL that was requested from it.
hidemyass.com will be requesting the normal URL from your server. There is no way to tell what URL the browser requested from hidemyass.com.
Approaches you could take include:
Checking the source ip against a list of known proxies
Using client-side JavaScript to read location.href
You cant do it with PHP only. What you can do is to check window.location.href with javascript, and if it's incorrect, send ajax request to server, which will block IP address.
I want to make a count of visits to my website from referal websites. I know there are many programs such as Google analytics but there will show you that my taffic is coming from www.facebook.com for example. I want to check if the traffic is coming from some specific urls that I specify such as www.facebook.com/myfanpage.
Befor I think about php I tried several methods with javascript that they did not seem to function the way I wanted to. For my search for php I only found this function. Any Ideas ?
$_SERVER['HTTP_REFERER']
$_SERVER['HTTP_REFERER'] Will do exactly what you need.
if (strstr($_SERVER['HTTP_REFERER'], 'facebook.com') !== false) {
// Facebook brought me to this page.
}
elseif (strstr($_SERVER['HTTP_REFERER'], 'google.com') !== false ) {
// Google brought me to this page.
}
Sorry, I know this is 6 months late but surely if the url was http://mydomain.com/?p=facebook.com then this would also be true? a better way would be to explode the referrers url based on / then extract the 4th section i.e.
$refererUrl = $_SERVER['HTTP_REFERER'];
$Exploded_URL = explode("/",$refererUrl);
$urlToCheck = $Exploded_URL[3].'.'.$Exploded_URL[4];
if($urlToCheck == 'facebook.com'){
/* From Facebook */
} elseif ($urlToCheck == 'google.com'){
/* From Google */
}
$_SERVER['HTTP_REFERER'] should contain the URL that the user is coming from to get to your page. It's not a function. It's simply a value. So you can use it for this purpose.
Do note, however, that the value is easily spoofed. (It's taken from the HTTP request header, and the user can send whatever they want.) It should be acceptably reliable if you're just collecting stats for your own interest or whatever. But if you're trying to use it to secure the page (e.g., only show certain content if the visitor came from a certain URL), forget it.
You will be able to check only if the HTTP Request has referer which is actually accessible in PHP using HTTP_REFERER. So its solely responsible from the referring website.
Get original URL referer with PHP?
The above post also will help you.
At my work I often need to figure out where our traffic comes from. We buy google ads and that traffic gets identified by a query string in the url. (mywebsite.com/?x="google_ad_group_4").
On every page I include some sessions stuff that sets $_SESSION['x'] to $_GET['x'] if $_GET['x'] is there. If there is no $_GET['x'] I go through some other options to see where they came from and set that in $_SESSION['x']:
$refurl = parse_url($_SERVER['HTTP_REFERER']);
$query = $refurl['query'];
parse_str($query, $result);
if (isset($result['q'])&& strstr($_SERVER['HTTP_REFERER'],'google')) {
$_SESSION['x'] = 'G-'.str_replace('\\"',"X",$result['q']);
}elseif (isset($result['p'])&& strstr($_SERVER['HTTP_REFERER'],'yahoo')) {
$_SESSION['x'] = 'Y-'.$result['p'];
//took out bing, aol, ask etc in the name of brevity
}else{
if ($refurl['host']){
$_SESSION['x'] = $_SESSION['x'].'_ref-'.$refurl['host'];
}
}
This way I can append the search query that brought the user to the site and what search engine they used. I log the incoming $_SESSION['x']'s.
Many users are coming in with $_SESSION['x']'s of "_ref-mywebsite.com" which doesn't make sense, if they were coming from my own domain, they'd have already had a $_SESSION['x'] set on whatever page they'd been on. Is this because they have their browser's security turned up high or something?
Am I missing something obvious? Is there a smarter way to do this?
You can get the referrer like this
echo $_SERVER['HTTP_REFERER'];
But as mentioned in comment, it can easily be manipulated.
Unless the client (the browser) passes you the "HTTP_REFERER" in the heading, you won't get it. And that depends on the site they come from.
I don't know what your workflow is like, but one thing you can do is get it with JavaScript and pass it to your PHP script. Hope this helps.
I think that a possible scenario is:
A new visitor comes to the website with normal referrer;
He closes his browser(this clears his session cookie) with the website's tab opened;
Reopens the browser with the website restored in old tab;
Clicks on any link on the page and gets to another page with referrer from same domain and clean session.
So I am trying to get the page where a visitor came from. I inserted this code into a php file and I am trying to see the page's URL but it is not working, any suggestions?
<?php
$ref = getenv("HTTP_REFERER");
echo $ref;
?>
(added this after some answers)
I have also tried
print $_SERVER["HTTP_REFERER"];
and that doesn't work either
it worked after i updated the website many times, not sure why was there a problem in the first place, thanks anyway :)
Have you tried accessing through the $_SERVER superglobal?
print $_SERVER["HTTP_REFERER"];
$_SERVER['HTTP_REFERER'] is the best way to access this information.
Based on your comments on other responses:
Are you actually coming from somewhere? If you refresh your browser this value will likely not be sent. So make sure your browser is sending the header. If you put this script on a public url, I'll be happy to check it out and verify.
You should really turn on all errors. If the header is not sent and you access it anyway, PHP will emit an E_NOTICE. If you're debugging your code you should turn on all error message and make sure there are no E_NOTICE's or worse.
Maybe a stupid remark, but $_SERVER["HTTP_REFERER"] only works if you enter the page using a hyperlink.
e.g.
/goto.html
go to refer
/refer.php
<?php
print "You entered using a link on ".$_SERVER["HTTP_REFERER"];
?>
HTTP_REFERER doesn't work if you enter the link location directly in your browser.
getenv() is used if it's being run as a CGI script. With a SAPI you use $_SERVER["HTTP_REFERER"].
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The above code works! However, many of my students find it hard, at first, to grasp that $_SERVER['HTTP_REFERER'] requires arriving from a link.
I give them the below (tested) code (or "web page") to demonstrate. The above code is at the bottom.
show-referer.php
<?php
if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
$referer = $_SERVER['HTTP_REFERER'];
} else {
$referer = 'No Link - No Referer - Direct URL Entry';
}
echo $referer;
?>
<p>See the referer in action
from this page!
</p>
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The show-referer.php page links to itself when you click the link, which should cause the browser to generate an HTTP_REFERER.
$ref = $_SERVER['HTTP_REFERER'];
Relevant manual page: http://php.net/manual/en/reserved.variables.server.php
If you compute all these answers, you end up with something looking like :
<?php
if isset($_SERVER['HTTP_REFERER']) {
$ref = $_SERVER['HTTP_REFERER'];
}
else {
$ref = "Direct Entry";
}
?>
Again, read http://php.net/manual/en/reserved.variables.server.php:
With HTTP_REFERER there is a comment:
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.