I can't seem to work out why the below sends ALL traffic to the page-not-found page, even if referred by Paypal. Any ideas?
$refererUrl = $_SERVER['HTTP_REFERER'];
$Exploded   = explode("/", $refererUrl);
$urlToCheck = $Exploded[3];               // element 3 of the exploded referer
$findURL    = strpos($urlToCheck, 'paypal.com');
if ($findURL === false) {
    header('location:/page-not-found');
} else {
    /* Do something if page referred to by Paypal */
}
You are checking if 'paypal.com' is present in $Exploded[3]. Why do you expect that part of the referer url to be the hostname? Array indexes start at 0, so counting from left to right would give you the following, indicating that 2 would be the correct index.
$Exploded = explode('/', 'http://www.google.com/?q=foobar'); // explode(separator, string)
// $Exploded now contains:
0: http:
1:
2: www.google.com
3: ?q=foobar
However, it would be more safe to use some utility that will parse arbitrary URLs and read the hostname from the interpreted url. You could do something like this (untested):
$referer = parse_url($_SERVER['HTTP_REFERER']);
if ($referer['host'] != 'paypal.com') {
    header('location:/page-not-found');
    exit; // stop here, otherwise the rest of the script still runs after the redirect header
} else {
    /* Do something if page referred to by Paypal */
}
parse_url doc: http://php.net/manual/en/function.parse-url.php
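As an added example (not code from the question or any of the answers), the same gate written with parse_url() and an exact-host-or-subdomain comparison, so that "paypal.com" appearing in the query string, the path, or as a prefix of another hostname does not pass. The allowed domain list, the sample Referer values and the function names are assumptions for the demo; it needs PHP 7.1 or later.

```php
<?php
// Added example: referer gate based on the parsed hostname, not on a substring.
// Sample referer strings below are constructed and stand in for $_SERVER['HTTP_REFERER'].

function referer_host(?string $referer): ?string
{
    // Missing or empty header, or a string parse_url() cannot handle: no host.
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    // Normalise case and a trailing dot so "WWW.PayPal.COM." compares equal.
    return rtrim(strtolower($host), '.');
}

function referer_allowed(?string $referer, array $allowedDomains): bool
{
    $host = referer_host($referer);
    if ($host === null) {
        return false;           // no usable Referer: treat as "not referred by PayPal"
    }
    foreach ($allowedDomains as $domain) {
        $domain = strtolower($domain);
        $suffix = '.' . $domain;
        // Exact host, or a real subdomain ("www.paypal.com"); never a bare substring.
        if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample values (assumption) with the decision each should produce.
$samples = [
    'https://www.paypal.com/cgi-bin/webscr?cmd=_notify' => true,
    'https://paypal.com/'                                => true,
    'https://www.paypal.com.evil.example/login'          => false, // prefix trick
    'https://evil.example/?ref=paypal.com'               => false, // domain in query
    'https://evil.example/paypal.com/index'              => false, // domain in path
    ''                                                   => false, // header absent
];

foreach ($samples as $referer => $expected) {
    $ok = referer_allowed($referer, ['paypal.com']);
    printf("%-52s %s\n", $referer === '' ? '(no Referer)' : $referer, $ok ? 'allow' : 'deny');
    assert($ok === $expected, $referer);
}

// Drop-in replacement for the check in the question (web context only):
//   if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null, ['paypal.com'])) {
//       header('Location: /page-not-found');
//       exit;
//   }
```

The suffix test insists on a leading dot, which is what separates "www.paypal.com" (a subdomain, allowed) from "notpaypal.com" or "www.paypal.com.evil.example" (rejected). As the other answers note, none of this makes the header trustworthy; it only makes the comparison correct.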
Are you sure that HTTP_REFERER is set? If you have a look at the documentation it says
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
Is it correct?
$urlToCheck = $Exploded[3];
If your referer looks like http://www.example.com/....
then by exploding by "/" you will never get the domain at index 3. It should be 2.
Try using
$urlToCheck = $Exploded[2];
I'm attempting to use strpos to see if a HTTP_REFERER contains a certain URL ($referral), but for some reason the following code isn't working. However, if I replace the variable $referral with a string of the same contents, it seems to work. Can anyone tell me why, or what I'm overlooking?
//$_SERVER['HTTP_REFERER'] = http://www.example.com/something/somefile.php
$referral = 'http://www.example.com/';
$server = $_SERVER['HTTP_REFERER'];
if(strpos($server,$referral) !== false)
{
echo 'true';
}
else
{
echo 'false';
}
//outputs 'false'
Perhaps $server is not http://www.example.com/something/somefile.php.
When using:
$referral = 'http://www.example.com/';
$server = 'http://www.example.com/something/somefile.php';
if(strpos($server,$referral) !== false)
{
echo 'true';
}
else
{
echo 'false';
}
Output is true
How, and if the $_SERVER['HTTP_REFERER'] is set depends on the user agent. This value needn't be set, and even if it is, it's not reliable. Taken from the PHP documentation:
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
That's, I think, what you're overlooking here.
If you are accessing the domain without any path, e.g. http://www.example.com, then your script would return false since there is no backslash at the end. Also you may not be opening the site with www, or may be using SSL (https).
Could you please post var_dump($server) on the page it doesn't work?
How do I create a PHP script that will redirect to a custom URL when a link is added to the URL? For instance, when a user visits this:
http://mydomain.com/link.php?=http://www.google.com
It should redirect them instantly to google.
Ideally, is it possible to ensure that the click itself came locally?
I am aware that this is most likely a very basic PHP code but note that my knowledge of it is very limited which is restricting me from writing it.
You can use the HTTP_REFERER of $_SERVER variable to check whether it is from the local domain.
Reference: http://php.net/manual/en/reserved.variables.server.php
For redirection, try using the below
http://mydomain.com/link.php?r=http://www.google.com
header("Location:".$_GET['r']); // sends the browser to whatever 'r' contains
exit;                           // nothing after a redirect header should keep running
Reference: http://in3.php.net/manual/en/function.header.php
I hope the following works for you, you can hard code the $domain variable as mydomain.com
$url = "http://www.php.net/index.html";
// strip a leading "www." from both hosts so www.mydomain.com and mydomain.com compare equal
$domain    = str_ireplace('www.', '', parse_url($url, PHP_URL_HOST));
$refDomain = str_ireplace('www.', '', parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST));
if (strcmp($domain, $refDomain) == 0)
{
    //your code goes here
    header("Location:".$_GET['r']);
    exit;
}
http://mydomain.com/link.php?url=http://www.google.com
<?php
header("Location: {$_GET['url']}");
?>
This?
Ok, I would like to add a complete answer here.
You could use header to send a redirect header like MrSil said,
header("Location: $url"); // will redirect to $url!
If you want to prevent other people from using your redirect script, you can do something like:
$ref = $_SERVER['HTTP_REFERER'];
$host = parse_url($ref, PHP_URL_HOST);
if($host !== "mydomain.com"){
// out side request
}
But then, HTTP_REFERER can be easily spoofed. So, what would be a better check?
CSRF Protection. It might look like overkill, and it is also not the perfect way to do this stuff, but it helps.
Also, I don't think a perfect solution exists.
Read this for further info about CSRF.
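An added example (not code from any answer above) of the token-based alternative this answer points at: the site signs every redirect target it emits with an HMAC, and link.php honours only targets whose signature verifies and whose host is on a short allowlist, so the decision never depends on HTTP_REFERER. The secret, the allowed hosts, the query parameter names and the sample links are assumptions for the demo.

```php
<?php
// Added example: signed redirect links instead of a referer check.
// The answers' one-liner, header("Location:".$_GET['r']), sends the browser
// wherever the query string says (an open redirect); this version does not.

const REDIRECT_SECRET = 'replace-with-a-random-32-byte-secret';   // assumption: stored server-side
const ALLOWED_HOSTS   = ['www.google.com', 'example.org'];         // assumption

function sign_target(string $url): string
{
    return hash_hmac('sha256', $url, REDIRECT_SECRET);
}

// What a page on mydomain.com emits instead of a bare ?url=... link.
function build_redirect_link(string $url): string
{
    return '/link.php?' . http_build_query(['url' => $url, 'sig' => sign_target($url)]);
}

// What link.php does with the query it receives: returns the Location value, or null to refuse.
function safe_redirect_target(array $query): ?string
{
    $url = $query['url'] ?? '';
    $sig = $query['sig'] ?? '';
    if (!is_string($url) || !is_string($sig) || $url === '') {
        return null;
    }
    // Constant-time comparison so the signature cannot be guessed byte by byte.
    if (!hash_equals(sign_target($url), $sig)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                  // "//evil", "javascript:", relative junk
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

function query_of_link(string $link): array
{
    parse_str(substr($link, strpos($link, '?') + 1), $query);
    return $query;
}

// Constructed requests standing in for $_GET (assumption).
$good     = build_redirect_link('http://www.google.com/');            // site-generated
$tampered = str_replace('www.google.com', 'evil.example', $good);     // attacker edits the target
$unsigned = '/link.php?url=http://www.google.com/';                   // no signature at all

foreach ([$good, $tampered, $unsigned] as $link) {
    $target = safe_redirect_target(query_of_link($link));
    printf("%-95s -> %s\n", $link, $target ?? 'refused');
}

// Inside link.php itself (web context):
//   $target = safe_redirect_target($_GET);
//   if ($target === null) { http_response_code(400); exit; }
//   header('Location: ' . $target);
//   exit;
```

Editing the url parameter invalidates the signature, and a missing signature fails the same check, so the endpoint cannot be pointed at an arbitrary site even by someone who sets the Referer header to mydomain.com. The host allowlist is a second, independent line: even a leaked secret only yields redirects to hosts the site already links to.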
Let's say we have the following.
Objective: the user will post a certain exact URL $refere to lock the text content, so that it is only viewable if the viewer is coming from that same exact URL $refere.
$refere = "http://www.site_site.com"; // User will post it
$r = $_SERVER['HTTP_REFERER']; // To get real referral
and I want to do the following
<?PHP
if (stripos($r, $refere) === false) { // === : a match at position 0 must not be read as "not found"
    echo "Wrong";
} else {
    echo "Go";
}
?>
It always gives me a blank $r = $_SERVER['HTTP_REFERER'];! So is it deprecated on any PHP version, 4 or 5, whatever?
Also
What if the user posted $refere with https://, or missed the www., or only posted site_site.com, while $r = $_SERVER['HTTP_REFERER']; shows www.site_site.com?
So can anyone help me adjust this code so it works fine no matter whether the user posted the $refere link in full or only site_site.com?
The $_SERVER['HTTP_REFERER'] variable will only be set when you click a link to your page from another page, and if the browser (or a proxy or firewall you're behind) isn't removing the referer header.
To your second question: do some string comparisons. The functions strpos() and substr() will be of great help.
How can i check if a given url is within a certain predetermined domain, say user register for api requests from:
http://domain.com
Then he makes a request from:
http://domain.com/script.ext?var=foo //this should validate true
http://example.com/script.ext?var=foo //this should validate false
http://www.domain.com/script.ext?var=foo //this should validate true also
Thanks in advance
Use parse_url():
if ( 'domain.com' == parse_url( $url, PHP_URL_HOST ) )
{
// do something awesome
}
I'm not sure if I understand your problem correctly, but if you want to see where a request is originating from you can use the "http referer" field, that is available within the http header. (http://en.wikipedia.org/wiki/HTTP_referer)
I'm not very good at php, but I think you can use something like $_SERVER['HTTP_REFERER'] to get hold of the value. The value is set automatically, so you just need to read it.
Lets say you call a page "www.domain.com/page.php" by clicking a link on the page "www.domain.com/referer.php", then the request will have the referer field "http://www.domain.com/referer.php" when you read $_SERVER['HTTP_REFERER'] within "www.domain.com/page.php".
If you request the "www.domain.com/page.php" by directly typing it into a browser, you get referer = null and if you click a link on www.anotherdomain.com that goes to "www.domain.com/page.php" you will get referer = http://www.anotherdomain.com.
Then you just need to compare the domain part of this value with the domain/domains that you allow.
Maybe you can check the parse_url function.
I need to be able to detect with PHP if a link is from a particular domain. I can not just check if domain is present in the link because it can be faked by appending domain.
Thanks.
Just use parse_url() as konforce mentioned. For example:
$url = "http://www.google.com/";
$parts = parse_url ($url);
print $parts["host"]; // will print www.google.com
// Or, for PHP 5.1 and above
$host = parse_url ($url, PHP_URL_HOST); // returns www.google.com
Now, the good thing about this is that appending the domain to the end of a URL like this:
http://www.google.com/?www.foo.com
won't work, as the host element will still say that the link points to www.google.com and not www.foo.com.
Hope this helps.
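An added example (not code from this answer or the earlier parse_url() one) that covers both the "www.domain.com must also validate" requirement from the API question above and the appended-domain trick described here: a small url_belongs_to_domain() that accepts the domain itself or any of its subdomains, and the URL shapes that should fail it. The function name, the domain and the sample URLs are constructed for the demo.

```php
<?php
// Added example: decide domain membership from the host parse_url() returns,
// never from a substring search on the raw string.

function url_belongs_to_domain(string $url, string $domain): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;   // relative path, garbage, or "www.x.com/y" with no scheme: no host at all
    }
    // Hostnames are case-insensitive; a trailing dot is the same name.
    $host   = rtrim(strtolower($parts['host']), '.');
    $domain = rtrim(strtolower($domain), '.');
    $suffix = '.' . $domain;
    // Exact domain, or a genuine subdomain (the dot prevents "notdomain.com" from matching).
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

$domain  = 'domain.com';
$samples = [                                                     // constructed inputs (assumption)
    'http://domain.com/script.ext?var=foo'     => true,
    'http://www.domain.com/script.ext?var=foo' => true,
    'https://api.domain.com:8443/v1'            => true,   // port and subdomain
    'HTTP://WWW.DOMAIN.COM/'                    => true,   // case
    '//www.domain.com/scheme-relative'          => true,   // parse_url still yields the host
    'http://example.com/script.ext?var=foo'     => false,
    'http://example.com/?domain.com'            => false,  // domain in the query
    'http://example.com/domain.com/'            => false,  // domain in the path
    'http://domain.com@example.com/'            => false,  // domain as userinfo, real host is example.com
    'http://domain.com.example.com/'            => false,  // domain as a prefix of another host
    'http://notdomain.com/'                     => false,  // substring, not a subdomain
    'www.domain.com/no-scheme'                  => false,  // parse_url sees only a path
];

foreach ($samples as $url => $expected) {
    $got = url_belongs_to_domain($url, $domain);
    printf("%-45s %s\n", $url, $got ? 'same domain' : 'other');
    assert($got === $expected, $url);
}
```

The userinfo case is the one that usually slips past a substring check: "http://domain.com@example.com/" contains "domain.com" right after the double slashes, but parse_url() reports the host as example.com, which is where a browser would actually go.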
I believe you'd want check the referrer and make sure you check with double forward slashes, since that's part of the protocol (HTTP/HTTPS) and can't be faked.
Check this link for extra reference: Determining Referer in PHP
I would check against something like...
//www.mydomain.com
//mydomain.com