I have a simple signup form that needs to track number of hits from one specific external referer. This is a simple task with PHP's:
$_SERVER['HTTP_REFERER']
however, it is blank. After doing some research i tried to use some javascript:
document.referrer
Still blank. :(
I really dont need anything elaborate, but am trying to NOT use awstats.
Is there any other way to get the referer (hacks accepted)?? Or am I stuck with the stats???
-thanks
In short: If the user don't want it, you will never know, where he comes from. However, a more "reliable" solution may be to add the referrer to the link from the origin site to yours. Something like
Visit example.com
This requires, that external sites cannot just link to your site, but always needs to add their personal id. If this is not possible there is not much you can do.
At all its possible, that someone may change this id too.
The referer is possibly sent in the HTTP request's header.
It is possible that the browser will not even send it, or some kind of proxy, firewall or security suite strips it out or even changes it. You cannot rely on it.
There is only one thing you can do: if it is empty, consider that you don't know the referer.
Related
I need to grab some information from a site, however i cannot send requests because of the protection.
I get The typical Checking-your-browser page shows up first and then i'm being redirected.
You can use [tamper-data]: https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
it is firefox extension you can find here how to use, you can see what exactly happend and then try to bypass it.
http://jimbojw.com/wiki/index.php?title=Tamper_Data
Whatever you're doing may look like an attack against the site. If you want to have access to the site, then you may want to look at contacting the site owner to have them whitelist the IPs you're making the requests from.
Is there a way in which I can detect the URL that is calling in my php page, similar to say a GET or POST but would like to get the URL as I would like to restrict the page accessing it to a certain URL as this file is being called from another server.
Basically: www.MYURL.com calls the php file from say www.PHPURL.com if the URL is NOT www.MYURL.com then bounce them out etc.
Many Thanks
In response to the answers below I used the as mentioend and here is what I did:
$URL_REF = parse_url($_SERVER['HTTP_REFERER']);
$URL_REF_HOST = $URL_REF['host'];
Thanks #Philip Bevan,#Itai Sagi and #EvilP
well, you could use $_SERVER['HTTP_REFERER'] - but it can be cloaked/removed.
EDIT: as someone asked, the HTTP_REFERER is a header which is sent by the client, most browsers default behavior is to send it, but if you'd like, you can disable it or even send a different referer header so people will think you come from some place else.
the bottom line: if it isn't THAT critical for you, you can use it, but don't EVER, EVER give people extra privileges based on their referer alone.
$_SERVER["HTTP_REFERER"]
is what you are looking for.
i've a jquery script which post/get data to .php script. but i wanna prevent direct access to the php script. for example if the user look at the html source code,they will be able to access the php script directly by copying the url from the js file and i dont want that. how do i prevent users from doing that?? i want the user to use it via the html UI. i've google but found no link on this. however, i did notice that some popular websites are able to do that. how should i go about doing this??
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your php file. This will prevent the page from being accessed if the proper post has not been made. Of course you'll have to change the post and redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
header('Location: your-redirect-location');
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if(isset($_POST["post_var]))
{
//to the code you want to do when the post is made
}
else
{
//do what you want to do when the user views the post page
}
?>
how do i prevent users from doing that?
You can't - all you can do is mitigate the risk people can fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need more than pointing her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is making sure nobody can really harm you, and in this regard, your Ajax URL is no different than any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere - sessions, user rights, etc.
After all, why should you care that users use this URL not using a browser ? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.
My adsense ad have a dedicated land page.
I want to show the content only to those who came through that ad.
The page is coded with PHP so I'm using $_SERVER['HTTP_REFERER'].
Two questions here:
Is there a better alternative to $_SERVER['HTTP_REFERER'] ?
To what strings/domains should I compare the referrer's domain (I'll handle extracting it)? I mean, I'm guessing that google has more than one domain they're using for the ads, or not? There's doubleclick.com.... any other domain? How can I check it, besides try/fail?
$_SERVER['HTTP_REFERER'] is the canonical way to determine where a click came from generally. There are more reliable (and complicated) methods for clicks within a site you fully control, but that's not much help for clicks from Google. Yes, it can be spoofed, and yes, it can be null, but as long as you're not targeting nuclear weapons based on that data, and you can handle null values gracefully, it should be good enough.
As for domains, you have to consider the international google domains, as well as all the google*.com domains.
I suggest adding a parameter on the link you give to Google. i.e. instead of yoursite.com/landing, do yoursite.com/landing?campaign=12.
If you are concerned that curious users will play with this parameter, the fix is simple-- redirect via a server 301 redirect when they hit that URL.
That is, if I request yoursite.com/landing?campaign=12, your server--before serving a page-- should log my visit to campaign 12 and redirect me to the plain url yoursite.com/landing. This has the added advantage that reloads won't increment your campaign hit count.
Yes, users could still mess with the original link if they are clever or curious enough to look at it before they click on it, but I think this is going to be far more effective than sniffing the referer.
Rather than trying to work out on your own how to measure your page views, you can consider using an existing system for that, like Google Analytics
So, I can use getenv('HTTP_REFERER') to get an URL which the member has visited previously, but it works only if it's the same website. I want this:
for example. the member firstly visits google.com then goes to my website. I want to show him, that previously he visited a google.com website. How can I do it if it's possible?
$_SERVER['HTTP_REFERER'] works fine for either case, as long as they followed a link from google.com to get to your site. Example: http://mrozekma.com/referer.php
You can only use the HTTP_REFERER header, and capture it the moment the visitor comes to your site. It might not be set, it might be false. There is no other way (and rightly so, I value my privacy). If you need to 'remember' the data store it in a session.
The simple answer is this is not possible. You can get the direct referrer if you're lucky, but nothing else (i.e. not the referrer of the referrer for example). Being able to retrieve the full history of a browser tab via JavaScript or post-back would be a major security issue.
Grabbing a browser's history is considered a breach of privacy, so any method that might exist to grab it would be considered a security bug in the browser.
Note that even the HTTP_REFERER header is considered to be a privacy issue by many people, so it's either disabled or filtered quite often (http://en.wikipedia.org/wiki/HTTP_referrer#Referrer_hiding).