I'm still new to PHP and still experimenting about. I'm getting an undefined index for the variable:
$httpreferer = $_SERVER['HTTP_REFERER'];
The entire code of the page is:
<?php
ob_start();
session_start();
$current_file = $_SERVER['SCRIPT_NAME'];
$httpreferer = $_SERVER['HTTP_REFERER'];

function loggedin() {
    if (isset($_SESSION['user_id']) && !empty($_SESSION['user_id'])) {
        return true;
    } else {
        return false;
    }
}
?>
Sorry if this is a lame question. I'm still a beginner.
Thanks in advance.
The browsers (clients) are free to send any HTTP headers they like. You cannot trust them!
Check whether the client provided one using isset():
if (isset($_SERVER['HTTP_REFERER'])) {
// do something
}
Bear in mind that this does not tell anything about the data itself. It may be anything.
If the visitor doesn't have a referrer (for various reasons he may not, like directly accessing a page - and not clicking a link on another website, or coming from an HTTPS link), then this variable will not be there.
What you can do is this
$httpreferer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
This is a ternary operator.
http://php.net/manual/en/language.operators.comparison.php
Related
I'm attempting to use strpos to see if a HTTP_REFERER contains a certain URL ($referral), but for some reason the following code isn't working. However, if I replace the variable $referral with a string of the same contents, it seems to work. Can anyone tell me why, or what I'm overlooking?
//$_SERVER['HTTP_REFERER'] = http://www.example.com/something/somefile.php
$referral = 'http://www.example.com/';
$server = $_SERVER['HTTP_REFERER'];
if(strpos($server,$referral) !== false)
{
echo 'true';
}
else
{
echo 'false';
}
//outputs 'false'
Perhaps $server is not http://www.example.com/something/somefile.php.
When using:
$referral = 'http://www.example.com/';
$server = 'http://www.example.com/something/somefile.php';
if(strpos($server,$referral) !== false)
{
echo 'true';
}
else
{
echo 'false';
}
Output is true
How, and if the $_SERVER['HTTP_REFERER'] is set depends on the user agent. This value needn't be set, and even if it is, it's not reliable. Taken from the PHP documentation:
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
That's, I think, what you're overlooking here.
If you are accessing the domain without any path, e.g. http://www.example.com, then your script would return false since there is no backslash at the end. Also, you may not be opening the site with www, or you may be using SSL (https).
Could you please post var_dump($server) on the page it doesn't work?
I have a question: I want to make a search page, and it needs a GET variable to sort the results. So if someone enters the page without that GET variable, reload the page and make it appear. For example, you enter www.myweb.com/search and it automatically reloads and changes to www.myweb.com/search/?sort=ascending (because that variable is necessary).
I hope you understand me, goodbye.
I think this will work for what you're looking to do:
if (empty($_GET['sort'])) {
header('Location: ' . $_SERVER['REQUEST_URI'] . '?sort=ascending');
exit();
}
From within the file executed when www.myweb.com/search is requested, you should have a default setting when $_GET['sort'] isn't available. For this Answer, I'll be using PHP for my examples since you didn't specify.
<?php
if (empty($_GET['sort'])) {
$sort = 'ascending';
}
// the rest of your code
Alternatively, you could force a redirect, but the previous example is more elegant.
<?php
if (empty($_GET['sort'])) {
    // A Location value with no scheme and no leading slash is resolved relative to the current path
    header('Location: /search/?sort=ascending');
    exit;
}
Keep in mind, the second solution would throw away anything else, i.e., other $_GET's, like item=widget or color=blue
Note to others posting !isset as an answer. That will not work! Example:
www.myweb.com/search/?sort=&foo=bar
!isset($_GET['sort']) === false!
empty($_GET['sort']) is the proper route to take in this circumstance.
It is better to define the variable yourself rather than redirecting. Just check with isset whether the variable is defined or not. If it has not been defined, you can set it yourself as below.
if (!isset($_GET['sort']))
{
    $_GET['sort'] = 'ascending';
}
How do I create a PHP script that will redirect to a custom URL when link added in the URL. For instance, when a user visits this:
http://mydomain.com/link.php?=http://www.google.com
It should redirect them instantly to google.
Ideally, is it possible to ensure that the click itself came locally?
I am aware that this is most likely a very basic PHP code but note that my knowledge of it is very limited which is restricting me from writing it.
You can use the HTTP_REFERER of $_SERVER variable to check whether it is from the local domain.
Reference: http://php.net/manual/en/reserved.variables.server.php
For redirection, try using the below
http://mydomain.com/link.php?r=http://www.google.com
header("Location:".$_GET['r']);
Reference: http://in3.php.net/manual/en/function.header.php
I hope the following works for you, you can hard code the $domain variable as mydomain.com
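$url = "http://www.php.net/index.html";
$domain = str_ireplace('www.', '', parse_url($url, PHP_URL_HOST));
// HTTP_REFERER is optional; fall back to an empty string to avoid an undefined index
$referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
$refDomain = str_ireplace('www.', '', (string) parse_url($referer, PHP_URL_HOST));
if (strcmp($domain, $refDomain) == 0)
{
    //your code goes here
    header("Location:".$_GET['r']);
    exit; // stop the script once the redirect header has been sent
}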
http://mydomain.com/link.php?url=http://www.google.com
<?php
header("Location: {$_GET['url']}");
?>
This?
Ok, I would like to add a complete answer here.
You could use header to send a redirect header like MrSil said,
header("Location: $url"); // will redirect to $url!
If you want to prevent other people from using your redirect script, you can do something like:
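// HTTP_REFERER is optional; fall back to an empty string to avoid an undefined index
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$host = parse_url($ref, PHP_URL_HOST);
if ($host !== "mydomain.com") {
    // outside request
}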
But then, HTTP_REFERER can be easily spoofed. So, what would be a better check?
CSRF Protection. It might look like overkill, and it is also not the perfect way to do this stuff, but it helps.
Also, I don't think a perfect solution exists.
Read this for further info about CSRF.
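A hardened variant of the link.php redirect discussed in this thread, as an added example that is not part of the original answers: the target must be on a fixed allowlist and the request must carry a per-session token, so nothing depends on HTTP_REFERER. The host list, the parameter names r and t, and the helper names are assumptions.

```php
<?php
// Added example. Host names, parameter names and helper names are assumptions.
declare(strict_types=1);

const ALLOWED_HOSTS = ['www.google.com', 'www.php.net']; // placeholder allowlist

/** Return $url if it is an absolute http(s) URL to an allowlisted host, else null. */
function safe_redirect_target(string $url): ?string
{
    // Control characters and spaces have no place in a Location header value.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo makes the real host easy to misread
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true) ? $url : null;
}

/** Per-session token that your own pages append to every link.php URL they emit. */
function link_token(): string
{
    if (empty($_SESSION['link_token'])) {
        $_SESSION['link_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['link_token'];
}

// Request shape: link.php?r=<url>&t=<token>
session_start();
$r = isset($_GET['r']) && is_string($_GET['r']) ? $_GET['r'] : '';
$t = isset($_GET['t']) && is_string($_GET['t']) ? $_GET['t'] : '';

$target = safe_redirect_target($r);
if ($target === null || !hash_equals(link_token(), $t)) {
    http_response_code(400);
    exit('Invalid link');
}
header('Location: ' . $target, true, 302);
exit;
```

Pages on your own site build their links with `'link.php?r=' . urlencode($url) . '&t=' . link_token()` after calling session_start().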
Let's say we have the following
Objective: User will post a certain exact URL $refere to lock viewing of text content, and it will only be allowed for viewing if the viewer is coming from the same exact URL $refere.
$refere = "http://www.site_site.com"; // User will post it
$r = $_SERVER['HTTP_REFERER']; // To get real referral
and I want to do the following
<?php
// stripos() returns 0 for a match at the very start, so compare with === false
if (stripos($r, $refere) === false) {
    echo "Wrong";
} else {
    echo "Go";
}
?>
It always gives me $r = $_SERVER['HTTP_REFERER']; blank! So is it deprecated in any PHP version, 4 or 5 or whatever?
Also
what if the user posted $refere like https://, or missed the www., or only posted site_site.com, while $r = $_SERVER['HTTP_REFERER']; is showing www.site_site.com?
So can anyone help me adjust this code so it works fine no matter whether the user posted the $refere link fully or only site_site.com?
The $_SERVER['REFERER'] variable will only be set when you click a link to your page from another page and if the browser (or an eventual proxy or firewall you're on) isn't removing the referer header.
To your second question: do some string comparisons. The functions strpos() and substr() will be of great help.
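One way to make the comparison above independent of scheme, "www." and letter case is to compare parsed host names rather than substrings; this is an added example, not code from the original posts. The function names and the sample URLs are constructed for illustration, and since the Referer header is supplied by the client, a match is a convenience signal only.

```php
<?php
// Added example: compare hosts, not substrings. All URLs below are constructed samples.

/** Reduce "site.com", "www.site.com/x" or "https://WWW.site.com" to a bare lower-case host. */
function normalize_host(string $input): ?string
{
    $input = trim($input);
    if ($input === '') {
        return null;
    }
    // parse_url() only reports a host when the string starts with a scheme.
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $input)) {
        $input = 'http://' . $input;
    }
    $host = parse_url($input, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    $host = strtolower($host);
    return strpos($host, 'www.') === 0 ? substr($host, 4) : $host;
}

/** True only when a Referer is present and its host equals the posted host. */
function referer_matches(?string $referer, string $posted): bool
{
    $want = normalize_host($posted);
    $got  = $referer === null ? null : normalize_host($referer);
    return $want !== null && $got !== null && $want === $got;
}

$samples = [
    ['http://www.site_site.com/page.php', 'site_site.com'],      // posted without scheme or www.
    ['https://site_site.com/', 'http://www.site_site.com'],      // scheme and www. differ
    ['http://www.site_site.com.example.net/', 'site_site.com'],  // posted value is only a prefix of the host
    [null, 'site_site.com'],                                     // header not sent at all
];
foreach ($samples as [$referer, $posted]) {
    var_dump(referer_matches($referer, $posted));
}

// In the page itself (isset guard because the header is optional):
// $ok = referer_matches(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null, $refere);
```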
So I am trying to get the page where a visitor came from. I inserted this code into a php file and I am trying to see the page's URL but it is not working, any suggestions?
<?php
$ref = getenv("HTTP_REFERER");
echo $ref;
?>
(added this after some answers)
I have also tried
print $_SERVER["HTTP_REFERER"];
and that doesn't work either
It worked after I updated the website many times, not sure why there was a problem in the first place. Thanks anyway :)
Have you tried accessing through the $_SERVER superglobal?
print $_SERVER["HTTP_REFERER"];
$_SERVER['HTTP_REFERER'] is the best way to access this information.
Based on your comments on other responses:
Are you actually coming from somewhere? If you refresh your browser this value will likely not be sent. So make sure your browser is sending the header. If you put this script on a public url, I'll be happy to check it out and verify.
You should really turn on all errors. If the header is not sent and you access it anyway, PHP will emit an E_NOTICE. If you're debugging your code you should turn on all error messages and make sure there are no E_NOTICEs or worse.
Maybe a stupid remark, but $_SERVER["HTTP_REFERER"] only works if you enter the page using a hyperlink.
e.g.
/goto.html
go to refer
/refer.php
<?php
print "You entered using a link on ".$_SERVER["HTTP_REFERER"];
?>
HTTP_REFERER doesn't work if you enter the link location directly in your browser.
getenv() is used if it's being run as a CGI script. With a SAPI you use $_SERVER["HTTP_REFERER"].
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The above code works! However, many of my students find it hard, at first, to grasp that $_SERVER['HTTP_REFERER'] requires arriving from a link.
I give them the below (tested) code (or "web page") to demonstrate. The above code is at the bottom.
show-referer.php
<?php
if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
$referer = $_SERVER['HTTP_REFERER'];
} else {
$referer = 'No Link - No Referer - Direct URL Entry';
}
echo $referer;
?>
<p>See the referer in action
from this page!
</p>
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The show-referer.php page links to itself when you click the link, which should cause the browser to generate an HTTP_REFERER.
$ref = $_SERVER['HTTP_REFERER'];
Relevant manual page: http://php.net/manual/en/reserved.variables.server.php
If you compute all these answers, you end up with something looking like :
<?php
// isset() avoids the undefined index notice when no Referer header was sent
if (isset($_SERVER['HTTP_REFERER'])) {
    $ref = $_SERVER['HTTP_REFERER'];
} else {
    $ref = "Direct Entry";
}
?>
Again, read http://php.net/manual/en/reserved.variables.server.php:
With HTTP_REFERER there is a comment:
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.