How do I create a PHP script that will redirect to a custom URL when a link is added in the URL? For instance, when a user visits this:
http://mydomain.com/link.php?=http://www.google.com
It should redirect them instantly to google.
Ideally, is it possible to ensure that the click itself came locally?
I am aware that this is most likely a very basic PHP code but note that my knowledge of it is very limited which is restricting me from writing it.
You can use the HTTP_REFERER of $_SERVER variable to check whether it is from the local domain.
Reference: http://php.net/manual/en/reserved.variables.server.php
For redirection, try using the below
http://mydomain.com/link.php?r=http://www.google.com
header("Location:".$_GET['r']);
Reference: http://in3.php.net/manual/en/function.header.php
I hope the following works for you, you can hard code the $domain variable as mydomain.com
$url = "http://www.php.net/index.html";
$domain = str_ireplace('www.', '', parse_url($url, PHP_URL_HOST));
$refDomain = str_ireplace('www.', '', parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST));
if(strcmp($domain, $refDomain) == 0)
{
//your code goes here
header("Location:".$_GET['r']);
}
http://mydomain.com/link.php?url=http://www.google.com
<?php
header("Location: {$_GET['url']}");
?>
This?
Ok, I would like to add a complete answer here.
You could use header to send a redirect header like MrSil said,
header("Location: $url"); // will redirect to $url!
If you want to prevent other people from using your redirect script, you can do something like:
$ref = $_SERVER['HTTP_REFERER'];
$host = parse_url($ref, PHP_URL_HOST);
if($host !== "mydomain.com"){
// outside request
}
But then, HTTP_REFERER can be easily spoofed. So, what would be a better check?
CSRF Protection. It might look like overkill, and it is also not the perfect way to do this stuff, but it helps.
Also, I don't think a perfect solution exists.
Read this for further info about CSRF.
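As the answers note, the Referer check can be spoofed, and a bare header("Location: ...") will redirect to any URL it is handed. One alternative, shown here as an added example that is not from any of the answers, is to have your own pages emit HMAC-signed links and let link.php redirect only when the signature verifies; this uses a stateless signature in place of the session CSRF token suggested above. REDIRECT_KEY, the sig parameter and the function names are assumptions.

```php
<?php
// Added example: link.php that only follows links this site generated.
// REDIRECT_KEY is a placeholder; keep the real secret out of the web root.
const REDIRECT_KEY = 'replace-with-a-long-random-secret';

// Call this from your own pages to build an outbound link.
function signed_link(string $target): string
{
    $sig = hash_hmac('sha256', $target, REDIRECT_KEY);
    return '/link.php?r=' . rawurlencode($target) . '&sig=' . $sig;
}

// Return the target URL if the query carries a valid signature, else null.
function verified_target(array $query): ?string
{
    $target = $query['r'] ?? '';
    $sig    = $query['sig'] ?? '';
    if (!is_string($target) || !is_string($sig) || $target === '') {
        return null;                       // missing or array-valued parameters
    }
    if (!hash_equals(hash_hmac('sha256', $target, REDIRECT_KEY), $sig)) {
        return null;                       // not produced by signed_link()
    }
    $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                       // refuse javascript:, data:, ...
    }
    return preg_match('/[\x00-\x1f]/', $target) ? null : $target;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: round-trip a link, then change its target.
    parse_str(parse_url(signed_link('http://www.google.com'), PHP_URL_QUERY), $q);
    var_dump(verified_target($q));
    $q['r'] = 'http://other.example/';
    var_dump(verified_target($q));
    exit;
}

// Web request: redirect only for a verified link.
$target = verified_target($_GET);
if ($target === null) {
    http_response_code(400);
    exit('Invalid redirect link');
}
header('Location: ' . $target, true, 302);
exit;
```

A link copied from your page still works when pasted elsewhere, so this stops the script from redirecting to arbitrary URLs but does not prove where the click happened.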
A website has used a "301 permanent redirect" to my site. Is there a way I can set code that detects this and displays a page when my website is accessed through this?
Does anyone have any idea about this?
You can get only a referer. I think you will not be able to get the HTTP status code on the server which the client gets during the last request.
So my answer is NO, you cannot get the 301 status code on your server.
But you can do a little of the needed magic with the referer variable.
e.g. in PHP you can read this:
$_SERVER['HTTP_REFERER'];
Not much you can do. If you were doing the 301, you could set the referrer to the querystring. But since you're not, you can only grab what the request has given you.
You can try using PHP's $_SERVER['HTTP_REFERER'] to track the source URL from where your visitor comes from. I think it's a bit dodgy though and might not yield the same result in all browsers. Even PHP's documentation says 'it cannot really be trusted'.
Why do you have to use .htaccess for the redirect? You could do something like this:
Site A's index.php:
header("Location: http://siteb.com/?ref=".urlencode('http://sitea.com'));
Site B's index.php:
if(isset($_GET['ref']))
{
if($_GET['ref']=='http://sitea.com')
{
// Do something
}
}
Edit:
If you can't edit Site A's code or server settings, try using:
if($_SERVER['HTTP_REFERER']=='http://sitea.com')
{
// Do something
}
Is there a simple script that would only allow visitors if they originate from a website of my choice?
Checking the referrer is the most reliable way to accomplish this, but you should be aware that not all user agents (aka browsers) send a complete or correct referrer.
Something like this:
$target_site = 'http://www.google.com';
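// preg_quote() escapes the "/" and "." in $target_site so the pattern is valid
if (isset($_SERVER['HTTP_REFERER']) && preg_match('/' . preg_quote($target_site, '/') . '/', $_SERVER['HTTP_REFERER'])) {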
// do something with people from google.com
} else {
// do something else with everyone else
}
Read more about it: http://www.electrictoolbox.com/php-http-referer-variable/
PHP manual on $_SERVER superglobal: http://php.net/manual/en/reserved.variables.server.php
You can use the $_SERVER['HTTP_REFERER'] but that can be easily faked.
If you get their referrer information you could check it against a list of accepted website origins and redirect them back to the site they came from if you don't want them.
$_SERVER["HTTP_REFERER"]
Hi, in a simple page I use PHP and JavaScript redirects to return to the referrer page.
header("Location: $refererScript");
onclick="window.location.href='<?=$refererScript?>';"
Which is the best way to protect those scripts from generating errors?
E.g. should I use urlencode for $refererScript (or at least for the query string), and if so, will this be acceptable to JavaScript, or must I use escape (or something else)?
For $refererScript I use the code above:
$ref=$_SERVER["HTTP_REFERER"];
$refererParts = parse_url($_SERVER['HTTP_REFERER']);
$refererQuery=$refererParts["query"];
$refererFolders=explode("/",$refererParts["path"]);
$refererScript=$refererFolders[sizeof($refererFolders)-1];
if($refererQuery!="")
{ $refererScript.="?".$refererQuery; }
Thanks
I would suggest you use the PHP header approach, because if JavaScript is disabled there will be no redirect, and you should URL-encode it, e.g.:
$refererScript = urlencode($refererScript);
header("Location: $refererScript");
$_SERVER["HTTP_REFERER"] should already be a valid URL. If not, someone changed it manually and will get redirected to the wrong page.
I don't see any security risks here. Your code is fine.
So I am trying to get the page where a visitor came from. I inserted this code into a php file and I am trying to see the page's URL but it is not working, any suggestions?
<?php
$ref = getenv("HTTP_REFERER");
echo $ref;
?>
(added this after some answers)
I have also tried
print $_SERVER["HTTP_REFERER"];
and that doesn't work either
It worked after I updated the website many times, not sure why there was a problem in the first place, thanks anyway :)
Have you tried accessing through the $_SERVER superglobal?
print $_SERVER["HTTP_REFERER"];
$_SERVER['HTTP_REFERER'] is the best way to access this information.
Based on your comments on other responses:
Are you actually coming from somewhere? If you refresh your browser this value will likely not be sent. So make sure your browser is sending the header. If you put this script on a public url, I'll be happy to check it out and verify.
You should really turn on all errors. If the header is not sent and you access it anyway, PHP will emit an E_NOTICE. If you're debugging your code you should turn on all error messages and make sure there are no E_NOTICE's or worse.
Maybe a stupid remark, but $_SERVER["HTTP_REFERER"] only works if you enter the page using a hyperlink.
e.g.
/goto.html
<a href="refer.php">go to refer</a>
/refer.php
<?php
print "You entered using a link on ".$_SERVER["HTTP_REFERER"];
?>
HTTP_REFERER doesn't work if you enter the link location directly in your browser.
getenv() is used if it's being run as a CGI script. With a SAPI you use $_SERVER["HTTP_REFERER"].
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The above code works! However, many of my students find it hard, at first, to grasp that $_SERVER['HTTP_REFERER'] requires arriving from a link.
I give them the below (tested) code (or "web page") to demonstrate. The above code is at the bottom.
show-referer.php
<?php
if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
$referer = $_SERVER['HTTP_REFERER'];
} else {
$referer = 'No Link - No Referer - Direct URL Entry';
}
echo $referer;
?>
<p>See the referer in action
<a href="show-referer.php">from this page</a>!
</p>
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The show-referer.php page links to itself when you click the link, which should cause the browser to generate an HTTP_REFERER.
$ref = $_SERVER['HTTP_REFERER'];
Relevant manual page: http://php.net/manual/en/reserved.variables.server.php
If you compute all these answers, you end up with something looking like :
<?php
if (isset($_SERVER['HTTP_REFERER'])) {
$ref = $_SERVER['HTTP_REFERER'];
}
else {
$ref = "Direct Entry";
}
?>
Again, read http://php.net/manual/en/reserved.variables.server.php:
With HTTP_REFERER there is a comment:
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
I was wondering if it is possible to execute a script depending on the referrer site. For example, if a user accesses my site from Facebook then I want the script to be activated, but if the user accessed the site through Google search then the script will not be run. Is this possible?
You should be able to test $_SERVER['HTTP_REFERER'] to see if the user came from facebook and behave differently.
Do you mean a server-side or client-side script?
From the client side you can access the referrer through document.referrer (yes, with a doubled ‘r’, even though the corresponding HTTP header is mis-spelled). eg.:
// indexOf() returns -1 when the string is absent, so compare explicitly
if (document.referrer.toLowerCase().indexOf('//www.example.com') !== -1) {
document.getElementById('message').innerHTML= 'Hello, visitor from example.com';
}
It's possible. Just bear in mind that the referer can be spoofed, so you should never do security relevant things based on its value.
I would do something like this:
if (array_key_exists('HTTP_REFERER', $_SERVER) === true)
{
// this will give you something like google.com or facebook.com
// PHP_URL_HOST is a constant, so it must not be quoted
$domain = str_ireplace('www.', '', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST));
// check if there is any referer script you want to execute
if (is_file('path/to/scripts/' . $domain . '.php') === true)
{
// include the path/to/scripts/google.com.php for instance
include('path/to/scripts/' . $domain . '.php');
}
}
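The "only allow visitors from a site of my choice" answers and the include-by-referrer answer above both turn on how the Referer is matched. The added example below (not code from any of the answers) compares the parsed host exactly and looks the script up in a fixed map, so a host name embedded in a query string or used as a subdomain prefix does not match and the header never becomes part of a file path. The host names, script paths and function names are constructed for illustration.

```php
<?php
// Added example: exact Referer-host matching with a fixed host => script map.

// Lower-cased host without a leading "www.", or null if absent or unparseable.
function referer_host(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    return preg_replace('/^www\./', '', strtolower(rtrim($host, '.')));
}

// Hypothetical scripts; only these files can ever be included.
const REFERER_SCRIPTS = [
    'google.com'   => __DIR__ . '/scripts/google.php',
    'facebook.com' => __DIR__ . '/scripts/facebook.php',
];

function script_for_referer(?string $referer): ?string
{
    $host = referer_host($referer);
    return $host !== null ? (REFERER_SCRIPTS[$host] ?? null) : null;
}

// Constructed Referer values; the 2nd and 3rd pass a substring or regex test.
$samples = [
    'http://www.google.com/search?q=php',
    'http://other.example/?from=http://www.google.com',
    'http://www.google.com.other.example/',
    'http://WWW.Facebook.com/',
    null,
];
foreach ($samples as $referer) {
    printf("%s => %s\n", var_export($referer, true),
        var_export(script_for_referer($referer), true));
}

// Use in a page: run the mapped script, if any, for the current request.
$script = script_for_referer($_SERVER['HTTP_REFERER'] ?? null);
if ($script !== null && is_file($script)) {
    include $script;
}
```

Exact matching fixes the comparison only; the header is still supplied by the client, so it remains suitable for cosmetic behaviour and not for access control.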