Is there a way in which I can detect the URL that is calling my PHP page, similar to, say, a GET or POST, but I would like to get the URL, as I would like to restrict the page so that only a certain URL can access it, because this file is being called from another server.
Basically: www.MYURL.com calls the PHP file from, say, www.PHPURL.com; if the URL is NOT www.MYURL.com then bounce them out, etc.
Many Thanks
In response to the answers below, I used the approach mentioned and here is what I did:
$URL_REF = parse_url($_SERVER['HTTP_REFERER']);   // split the Referer URL into its parts
$URL_REF_HOST = $URL_REF['host'];                   // the host part, e.g. "www.MYURL.com"
Thanks @Philip Bevan, @Itai Sagi and @EvilP
Well, you could use $_SERVER['HTTP_REFERER'], but it can be cloaked/removed.
EDIT: as someone asked, HTTP_REFERER is a header which is sent by the client. Most browsers' default behaviour is to send it, but if you'd like, you can disable it or even send a different Referer header so people will think you come from some place else.
The bottom line: if it isn't THAT critical for you, you can use it, but don't EVER, EVER give people extra privileges based on their referer alone.
$_SERVER["HTTP_REFERER"]
is what you are looking for.
I've a jQuery script which POSTs/GETs data to a .php script, but I want to prevent direct access to the PHP script. For example, if the user looks at the HTML source code, they will be able to access the PHP script directly by copying the URL from the JS file, and I don't want that. How do I prevent users from doing that? I want the user to use it via the HTML UI. I've Googled but found no link on this. However, I did notice that some popular websites are able to do that. How should I go about doing this?
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your PHP file. This will prevent the page from being accessed if the proper POST has not been made. Of course you'll have to change the POST field and the redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
    header('Location: your-redirect-location');
    exit; // stop here; without this the rest of the script still runs after the redirect header is sent
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if (isset($_POST["post_var"]))
{
    // the code you want to run when the POST is made
}
else
{
    // what you want to do when the user just views the page
}
?>
how do i prevent users from doing that?
You can't; all you can do is mitigate the risk that people fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need to do more than point her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is make sure nobody can really harm you, and in this regard your Ajax URL is no different from any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere: sessions, user rights, etc.
After all, why should you care that users use this URL without a browser? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.
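The one-time session token and the request-method/Origin checks described in the two answers above, as an added example written for this page (it is not code from any of the answers). SITE_HOST, the POST field name `token`, the session key `ajax_token` and the file names page.php/api.php are assumptions for illustration; $server, $post and $session stand in for $_SERVER, $_POST and $_SESSION so the logic can be exercised without a web server.

```php
<?php
// Added example (not code from the answers above): gate an Ajax-only PHP
// script with a server-generated token stored in the session, plus the
// request-method and Origin checks. SITE_HOST, the field name 'token' and
// the session key 'ajax_token' are assumptions for illustration.
declare(strict_types=1);

const SITE_HOST = 'www.example.com';   // assumed host the HTML page is served from

/** Create a fresh unguessable token, remember it in the session, return it. */
function issueToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));          // 256 random bits
    $session['ajax_token'] = $token;
    return $token;
}

/**
 * Decide whether an Ajax request may proceed. $server, $post and $session
 * stand in for $_SERVER, $_POST and $_SESSION so the logic runs offline.
 * Returns null when the request is acceptable, otherwise a short reason.
 */
function rejectReason(array $server, array $post, array &$session): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';                         // e.g. GET typed into the address bar
    }
    // Browsers add Origin to cross-site POSTs; when present it must be our host.
    if (isset($server['HTTP_ORIGIN'])) {
        $originHost = parse_url((string) $server['HTTP_ORIGIN'], PHP_URL_HOST);
        if (!is_string($originHost) || strcasecmp($originHost, SITE_HOST) !== 0) {
            return 'origin';
        }
    }
    $expected = $session['ajax_token'] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return 'token missing';
    }
    if (!hash_equals($expected, $given)) {       // constant-time comparison
        return 'token mismatch';
    }
    unset($session['ajax_token']);               // one-time: a replay is refused
    return null;
}

// --- constructed walk-through, no real session or HTTP involved -------------
$session = [];
$token   = issueToken($session);   // page.php would embed this in its HTML/JS
$good    = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://www.example.com'];
$checks  = [
    ['method',         rejectReason(['REQUEST_METHOD' => 'GET'], ['token' => $token], $session)],
    ['origin',         rejectReason(['HTTP_ORIGIN' => 'https://evil.example'] + $good, ['token' => $token], $session)],
    ['token mismatch', rejectReason($good, ['token' => 'guess'], $session)],
    [null,             rejectReason($good, ['token' => $token], $session)],  // the real request
    ['token missing',  rejectReason($good, ['token' => $token], $session)],  // replay of the same token
];
foreach ($checks as [$expected, $actual]) {
    if ($actual !== $expected) {
        throw new RuntimeException("expected '$expected', got '$actual'");
    }
}
```

In the real pages, page.php calls session_start() and then issueToken($_SESSION), printing the value into the HTML so the jQuery code can send it as the `token` field of its POST; api.php calls session_start() and refuses with a 403 whenever rejectReason($_SERVER, $_POST, $_SESSION) returns a non-null reason. Because the token is consumed on success, the page has to issue a new one for each request it makes (or the check has to be relaxed to a per-session token) if several Ajax calls are expected from one page load.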
I have a simple signup form that needs to track number of hits from one specific external referer. This is a simple task with PHP's:
$_SERVER['HTTP_REFERER']
However, it is blank. After doing some research I tried to use some JavaScript:
document.referrer
Still blank. :(
I really don't need anything elaborate, but I'm trying NOT to use AWStats.
Is there any other way to get the referrer (hacks accepted)? Or am I stuck with the stats?
-thanks
In short: if the user doesn't want it, you will never know where he comes from. However, a more "reliable" solution may be to add the referrer to the link from the origin site to yours. Something like
Visit example.com
This requires that external sites cannot just link to your site, but always need to add their personal id. If this is not possible there is not much you can do.
After all, it's possible that someone may change this id too.
The referer is possibly sent in the HTTP request's headers.
It is possible that the browser will not even send it, or some kind of proxy, firewall or security suite strips it out or even changes it. You cannot rely on it.
There is only one thing you can do: if it is empty, consider that you don't know the referer.
I have a file that is PHP based but outputs and encodes itself as JSON.
Also, it has a .json file type.
But people are currently accessing it and I don't want them to if they are not on my site.
Is it possible with PHP to achieve this?
You probably want to check the inbound Referer header, and if it doesn't match your site, then drop the traffic. There are ways to get around this, of course, but it will block casual use.
No, this isn't possible, unless you force people to register with your site and later on enter a grant-access token (a string which can't be guessed).
An incomplete solution would be to check the referrer. Unfortunately, not all browsers forward the referrer. Access the referrer like this:
$_referer = $_SERVER["HTTP_REFERER"] ?? '';   // empty string when the browser sent no Referer header
and it is a complete URL like this:
http://www.google.de/search?hl=en&q=Macintosh
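The Referer host check that both the first question (www.MYURL.com calling a script on www.PHPURL.com) and this .json question ask for, as an added example written for this page rather than code from any of the posts. It shows the caveat a practitioner wants: compare the parsed host against an exact allowlist, never a substring of the whole Referer, and treat a missing Referer as "not allowed". The host names, the exit behaviour and the CLI guard are assumptions for illustration.

```php
<?php
// Added example (not code from the questions or answers): restrict a PHP
// endpoint to requests whose Referer host is on an allowlist. The host
// names, the 403 handling and the CLI guard are assumptions for illustration.
declare(strict_types=1);

/**
 * True when $referer is an absolute URL whose host is exactly one of
 * $allowedHosts (case-insensitive). An absent, empty or unparsable Referer
 * is rejected. A substring test such as strpos($referer, 'www.myurl.com')
 * is deliberately avoided: it would accept http://www.myurl.com.evil.example/
 * and http://evil.example/?u=http://www.myurl.com/.
 */
function refererHostAllowed($referer, array $allowedHosts): bool
{
    if (!is_string($referer) || $referer === '') {
        return false;                          // header stripped or never sent
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;                          // relative or malformed URL
    }
    foreach ($allowedHosts as $allowed) {
        if (strcasecmp($host, $allowed) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed samples showing what the check accepts and rejects.
$allowed = ['www.myurl.com', 'myurl.com'];
$samples = [
    'http://www.myurl.com/page.html'              => true,
    'https://MYURL.com/'                          => true,   // case-insensitive host
    'http://www.myurl.com.evil.example/'          => false,  // lookalike host
    'http://evil.example/?u=http://www.myurl.com' => false,  // host is evil.example
    'www.myurl.com/page.html'                     => false,  // no scheme, so no host
    ''                                            => false,  // no Referer at all
];
foreach ($samples as $referer => $expected) {
    if (refererHostAllowed($referer, $allowed) !== $expected) {
        throw new RuntimeException("unexpected result for '$referer'");
    }
}

// Usage at the top of the protected script (the .json-producing file, or the
// page on www.PHPURL.com). Run from the CLI the file only executes the samples.
if (PHP_SAPI !== 'cli') {
    if (!refererHostAllowed($_SERVER['HTTP_REFERER'] ?? null, $allowed)) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

As the answers say, this only keeps out casual visitors and browsers that still send a Referer; anyone with curl sets the header to whatever they like, and privacy extensions and strict referrer policies legitimately strip it, so users of the allowed site can be locked out too. Treat it as a nuisance filter in front of real authorization, not as authorization.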
How can I hide $_SERVER['HTTP_REFERER'] when a user browses to another site via a link from my site?
You can't; you have no control over the headers that are sent to another site. Headers are sent from the browser to the site being navigated to. This means you cannot manipulate them in any way (short of a MITM attack).
You could redirect the user to the site via an intermediary proxy, but that proxy will become the new referrer. e.g.
Your Link -> Proxy -> End result
Not only should this generally not be done, but it is not possible, at least in the way you are describing. It is up to the client to decide what to send in the request headers to a different server, not you.
I should also point out that this has nothing to do with PHP. PHP makes this header variable accessible to you via $_SERVER['HTTP_REFERER'], but the problem you are trying to solve is preventing the client from sending the referrer URL to the next server.
A few options:
If your site utilizes HTTPS, then it won't be sent.
If you build a redirector script on your site and use the HTTP Refresh header, the browser will typically not send the referrer, and if it did, it would only be sending the URL of your redirector. For example:
http://www.yoursite.com/redir.php?url=http%3A%2F%2Fwww.google.com
<?php
if (isset($_GET['url'])) {
    // Refresh takes the form "delay; url=target"; the target is used unvalidated here (see the warning below)
    header("Refresh: 0; url=" . $_GET['url']);
}
?>
Now, you must be careful with this little script. Anyone could then use your site to make a redirect look like it was coming from you. Also, using this method, anyone can inject whatever headers they want to the client. This is just to give you an idea. Finally, using the refresh header for this goes against the grain of the standards and should not be done.
Finally, Google, Facebook, PayPal, etc. all have redirector scripts. They use some sort of encrypted hash on the URL to determine if they generated the redirect or not. If you don't specify that hash and just give the URL, then the user will be prompted before redirecting. Not friendly.
Look, the bottom line is, there isn't really a reason to do what you are doing. If you are trying to hide something in your URL, then you have bigger problems. Security through obscurity is bad, mmkay?
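A redirector that avoids the two problems the answer warns about (anyone can point it anywhere, and anyone can inject headers through the parameter), using the signed-URL idea it attributes to the big sites, as an added example written for this page; it is not the answer's redir.php. It signs each destination with an HMAC so only links the site itself produced are followed, restricts targets to absolute http(s) URLs, and sends a Referrer-Policy header on the redirect response instead of abusing Refresh. REDIR_SECRET, the script name out.php and the parameter names url and sig are assumptions for illustration.

```php
<?php
// Added example (not the answer's own redir.php): a redirector that only
// follows destinations it signed itself, so it cannot be used as an open
// redirect or for header injection, and that asks the browser to send no
// Referer to the destination. REDIR_SECRET, the script name out.php and the
// parameter names url/sig are assumptions for illustration.
declare(strict_types=1);

const REDIR_SECRET = 'replace-with-a-long-random-secret-kept-out-of-the-repo';

/** HMAC over the destination; only links carrying this value are followed. */
function signRedirect(string $url): string
{
    return hash_hmac('sha256', $url, REDIR_SECRET);
}

/** The link the site itself emits in place of a bare external href. */
function redirectLink(string $url): string
{
    return '/out.php?url=' . rawurlencode($url) . '&sig=' . signRedirect($url);
}

/**
 * Validate an incoming url/sig pair. Returns the destination to redirect to,
 * or null when the request must be refused. Untyped parameters because
 * $_GET values may be arrays (url[]=...) rather than strings.
 */
function verifiedDestination($url, $sig): ?string
{
    if (!is_string($url) || !is_string($sig)) {
        return null;
    }
    // Absolute http(s) only: rules out javascript:, data: and scheme-relative
    // targets, and CR/LF that could be used to inject extra response headers.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true) || preg_match('/[\r\n]/', $url)) {
        return null;
    }
    if (!hash_equals(signRedirect($url), $sig)) {
        return null;                                // forged or tampered link
    }
    return $url;
}

// --- constructed checks --------------------------------------------------
$dest = 'https://www.google.com/search?q=php';
parse_str((string) parse_url(redirectLink($dest), PHP_URL_QUERY), $q);
$badSig = $q['sig'];
$badSig[0] = $badSig[0] === 'a' ? 'b' : 'a';        // flip one hex digit
$injected = "https://a.example/\r\nSet-Cookie: x=1";
$cases = [
    [$dest, $q['url'], $q['sig']],                                        // our own link
    [null,  'https://evil.example/', $q['sig']],                          // signature belongs to another URL
    [null,  $dest, $badSig],                                              // tampered signature
    [null,  'javascript:alert(1)', signRedirect('javascript:alert(1)')],  // bad scheme, even if signed
    [null,  $injected, signRedirect($injected)],                          // header injection attempt
    [null,  ['https://evil.example/'], $q['sig']],                        // url[]=... array parameter
];
foreach ($cases as [$expected, $url, $sig]) {
    if (verifiedDestination($url, $sig) !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($url));
    }
}

// Usage when served as out.php; from the CLI the file only runs the checks above.
if (PHP_SAPI !== 'cli') {
    $to = verifiedDestination($_GET['url'] ?? null, $_GET['sig'] ?? null);
    if ($to === null) {
        http_response_code(400);
        exit('Bad redirect link');
    }
    header('Referrer-Policy: no-referrer');   // browsers that honour it send no Referer onward
    header('Location: ' . $to, true, 302);
    exit;
}
```

Referrer-Policy is the standardized way to do what the Refresh trick and the meta tag were used for; browsers that implement it apply the policy to the redirected request, so the destination sees neither your page nor out.php. Older browsers ignore the header and send whatever they would have sent anyway, so this hides the referrer only for clients that support it. The HMAC is what stops the script being used as an open redirect: without REDIR_SECRET nobody can mint a valid sig for a destination of their choosing, and the scheme and CR/LF checks protect the Location header even if the secret ever leaks.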
If you're working in a controlled environment (an intranet, say) you might benefit from fixing browser configs; see e.g. http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ but this is far from ideal.
I'm using something like this
mysite.com/out.php?url=outurl.com
I'm just using a simple redirect, but I'm just wondering how I can hide the referrer.
Thanks!
edit: I ended up doing a double meta refresh
The referrer is attached by the user's browser, not by your server; it's up to them to include it or not.
If by hide you mean to remove it from the address bar, then you could use a POST request instead of GET, or a custom HTTP header. As a third option you could use a GET request but encrypt the data. Also, I suppose you are talking about some custom referrer and not the standard HTTP referrer, which might be sent by the user agent.
If you're really serious about hiding the referrer from downstream sites, you have options...
For example you could try the service
http://referer.us/
which offers redirection (i.e. all referrals appear to come from there instead of from you).
Depending on your goals, you could easily implement a similar service yourself, either at your own domain (e.g. "/generic-referer.html" if you don't want people seeing the deep-linked page from which a visitor is coming) or a new domain that you control.
Yes, you can hide your referrer :
Newer browsers now support this properly anyway, with a meta tag. You can add:
for the page whose referrer you want to hide.
I think it will help :-)