Ok, so I'm trying to do a simple action where if a user was already viewing our site, we'll display a certain message, otherwise, we want to show a message for first time visitors (or just those without our URL as their referrer)
Else statement only shows as blank regardless how I seem to spin this.
Ideas?
<?php
if (isset($_SERVER['HTTP_REFERER'])) {
$referer = $_SERVER['HTTP_REFERER'];
if (strpos($referer, "http://www.example.com/") === 0) {
echo "Match Okay";
} else {
echo "No Match";
}
}
?>
Your code seem ok.
Quoted from the php docs:
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
Maybe your browser belongs to the category "Not all user agents will set this". Try your code with another browser.
For a more reliable way do to that, consider using cookies! Simply check for a cookie value. If it is not present, it's a first time visit (then set the value). If it is present, then it's at least the second page loaded.
The advantage of cookies is that you can track user if they come back again (by setting a persistence time for the cookie)
You should use cookies
SOURCE: http://php.about.com/od/advancedphp/qt/php_cookie.htm
Related
I have the following code to determine the URL used to load a page, it works in all browsers except IE.
Is this a known issue?
if(isset($_SERVER['HTTP_REFERER']))
{
//correct domain:
$domain=parse_url($_SERVER['HTTP_REFERER']);
if( strpos($ar['host'], 'mydomain.com') === false )
{
}
else
{
echo $domain['host'];
}
}
Is there a different way to get the URL that the user is using? Essentially I need to know what URL the user has entered to determine what to display on the screen.
Is this a known issue?
Yes:
'HTTP_REFERER'
The address of the page (if any) which referred the
user agent to the current page. This is set by the user agent. Not all
user agents will set this, and some provide the ability to modify
HTTP_REFERER as a feature. In short, it cannot really be trusted.
Also the above differs from what you want:
Is there a different way to get the URL that the user is using? Essentially I need to know what URL the user has entered to determine
what to display on the screen.
REQUEST_URI is what you are looking for:
'REQUEST_URI'
The URI which was given in order to access this page;
Source: http://php.net/manual/en/reserved.variables.server.php
Also see: Get the full URL in PHP
I have a site with a normal admin and a super admin, both share some functions. A new function I am introducing is a admin serial activation. This is already implemented in normal admin and now I am trying to add same code to super-admin. If you are in normal admin or super admin you would click the serial to activate and move on to activate2.php to activate. All works well and good unless you change your mind about activating serial, in which case you would click 'back' or a 'cancel' button to return to previous screen. I currently check what the previous page was using php:
$ref = $_SERVER['HTTP_REFERER'];
The idea is to show a different return url on 'back' link and the 'cancel' button depending on if the previous page was 'super-admin-serials.php' or just 'admin-serials.php'. I tried to match 'super-admin-serials.php' in $_SERVER['HTTP_REFERER'] to deduce what the previous page was and allow the user to go back to his previous page. But the code I have put together does not work, so if anyone out there can help with this simple function it would be much appreciated. Here is the code I have so far on the independent 'activate2.php' page to cancel and return to previous:
$superpage=array('super-admin-serials.php');
$ref = $_SERVER['HTTP_REFERER'];
if (in_array($ref, $superpage)) {
echo "back (super admin)";
} else {
echo "back (normal admin)" ;
}
The HTTP referer may not just contain the name of the script it comes to, it usually includes a fully qualified URL such as http://example.com/foo/your-script.php.
Instead of observing the HTTP referer (which will be lost if they refresh the page), I suggest that you pass an argument from the first page to the second to determine where they came from, and send them back where you need.
Transparently the user will be accessing either of:
activate2.php?super=1
activate2.php
Then the following code will do what you want:
$isSuper = !empty($_GET['super']);
if ($isSuper) {
echo "back (super admin)";
} else {
echo "back (normal admin)" ;
}
I understand you have some kind of sign in feature and you cannot be logged in simultaneously with two different users (if that's not the case, just make sure you aren't running an insecure site that can be easily hacked). In that case you should already have that information on the server so it's both unnecessary and unreliable to gather it from client-side. So code would look like this:
if ($_SESSION['is_super']) {
echo 'back (super admin)';
} else {
echo 'back (normal admin)';
}
(Please note I've also removed double quotes, which served no other purpose than making code harder to write and read.)
In any case, you must be aware that HTTP_REFERER:
Will get lost if you add extra steps (e.g. show form errors to get them corrected)
May not be there at all (some proxies and security programs strip it)
Will often include extra stuff that make a simple string comparison fail, like GET parameters (and it's of course a full URL)
If you opt for it anyway you may want to have a look at parse_url() as starting point.
I am sending error values in the url.For example if i have a website named
www.example.com
and the url for login page is
www.example.com/login.php.
If the user enters wrong credentials url will be
www.example.com/login.php?invalid.
So everytime i refresh url remains
www.example.com/login.php?invalid.
How to remove invalid from url on refresh???
I think that by using the invalid GET variable you try to determine whether or not to display the error message to the user. This isn't really a good way to do so, due to the number of reasons, one of which made you ask this question.
You have a number of options instead, one of which would be using the session variables to store the error message. E.g., if the user login fails, you could store the message in your session:
if (badLogin()) {
$_SESSION['errorMessage'] = "Something's wrong";
}
and then on the login.php page you could try and see if it exists:
// ...your HTML...
if (!empty($_SESSION['errorMessage'])) {
echo $_SESSION['errorMessage']; // show it to the user
unset($_SESSION['errorMessage']); // so as not to display it every time
}
// ...your HTML continues...
This is not the perfect way either, but without knowing your application structure it's hard to suggest anything else.
At my work I often need to figure out where our traffic comes from. We buy google ads and that traffic gets identified by a query string in the url. (mywebsite.com/?x="google_ad_group_4").
On every page I include some sessions stuff that sets $_SESSION['x'] to $_GET['x'] if $_GET['x'] is there. If there is no $_GET['x'] I go through some other options to see where they came from and set that in $_SESSION['x']:
$refurl = parse_url($_SERVER['HTTP_REFERER']);
$query = $refurl['query'];
parse_str($query, $result);
if (isset($result['q'])&& strstr($_SERVER['HTTP_REFERER'],'google')) {
$_SESSION['x'] = 'G-'.str_replace('\\"',"X",$result['q']);
}elseif (isset($result['p'])&& strstr($_SERVER['HTTP_REFERER'],'yahoo')) {
$_SESSION['x'] = 'Y-'.$result['p'];
//took out bing, aol, ask etc in the name of brevity
}else{
if ($refurl['host']){
$_SESSION['x'] = $_SESSION['x'].'_ref-'.$refurl['host'];
}
}
This way I can append the search query that brought the user to the site and what search engine they used. I log the incoming $_SESSION['x']'s.
Many users are coming in with $_SESSION['x']'s of "_ref-mywebsite.com" which doesn't make sense, if they were coming from my own domain, they'd have already had a $_SESSION['x'] set on whatever page they'd been on. Is this because they have their browser's security turned up high or something?
Am I missing something obvious? Is there a smarter way to do this?
You can get the referrer like this
echo $_SERVER['HTTP_REFERER'];
But as mentioned in comment, it can easily be manipulated.
Unless the client (the browser) passes you the "HTTP_REFERER" in the heading, you won't get it. And that depends on the site they come from.
I don't know what your workflow is like, but one thing you can do is get it with JavaScript and pass it to your PHP script. Hope this helps.
I think that a possible scenario is:
A new visitor comes to the website with normal referrer;
He closes his browser(this clears his session cookie) with the website's tab opened;
Reopens the browser with the website restored in old tab;
Clicks on any link on the page and gets to another page with referrer from same domain and clean session.
I have a PHP page on a website that I'd like to be accessible only from another page on that website.
If a user clicks a link to the page, or types the page's address, and does not come from the site's domain, I'd like the page to redirect the user to the index.
Any ideas?
What you could do is use sessions.
make the index set a variable
$_SESSION['visitedIndex'] = TRUE;
and testing for it in the other pages:
if(!$_SESSION['visitedIndex']) {
header('location: ....');
}
make sure you do this before the first echo.
You could also create an internal service using a $hash = timestamp + internal secret key or your paricular rule.
First page has a link
http://www.samesite.com/page_2.php?param=hash
Second page decodes the hash and check the timestamp against a given interval. Otherwise it refuses the display.
As only you know the internal key is impossible to fake.
Check 'Referer' field?
It's easily hackable, tho. The more reliable way is to check if the used had no active session (if your site assigns them to visitors).
Use the referer fo this:
if ($_SERVER['HTTP_REFERER'] != "...") {
header("LOCATION: othersite");
}