custom http referer with php - php

I would like to use HTTP_REFERER to send my own referer.
Like this: http://mywebsite.com/spoof.php?newurl=anotherwebsite.com
This is what I have, but it doesn't work:
spoof.php
<?php
$referer = (www.website.com, $_SERVER['HTTP_REFERER']);
?>

You want to send people to another url with a spoofed referer?
That's not possible.

The referrer is controlled by the client (i.e. their browser).
http://en.wikipedia.org/wiki/HTTP_referrer
They send it to the new URL when you redirect them.

You can make a request with that PHP file using the spoofed header with cURL, but you can not send the client there.
Best you can do is echo a link with rel="noreferrer" and hope the user's browser supports it (and this only nulls the referrer, it doesn't change it). Or alternatively send the Location header which will turn the referrer to your site.

You can't override the referrer header that the user's browser sends. If you want to control the referrer header like that, then your only option is to send the request yourself, by doing either:
Have your server act as a proxy for the request. Construct a new HTTP request server-side, set the referrer header to whatever you want, and return the result to the client. Note that you will have to rewrite any relative URLs in the target site's markup if you want the page to display and function correctly for the user.
Create your own browser (or perhaps browser-plugin) and get people to use that. Then you can set headers however you want.

Related

Automatically get URL of a site displaying my image?

I've been trying to get the URL (including GET parameters) of a site that is displaying my image. This is because I want to extract one parameter of the URL.
A friend told me that she knew someone that could achieve this, but I don't know if he was doing it with an image. Also I don't think I can do it with a link, because when going to external sites a warning page appears saying that you're being redirected outside, so if I put a link to my page and someone clicks, I will get the referrer URL of the redirection warning page. I can't be sure my friend was telling the truth about this, but it's very likely that it was true.
All I could get with the image was the IP and other things of the HTTP header, but the referrer part is empty and I thought that the referrer contained the full URL I'm talking about.
This is what I have tried.
First the img tag in the other site in BBCode:
[img]http://______.com/get_image.php?i=myimage[/img]
And in my site this script in PHP, although any language that does the work would be good for me:
<?php
// Get name of image to be displayed (non-sanitized here for simplicity)
$filename = $_GET["i"];
// Here I want to get the site where image is being viewed
if (!empty($_SERVER['HTTP_REFERER'])) {
    $visitor_url = $_SERVER['HTTP_REFERER'];
} else {
    $visitor_url = "none";
}
// And write the referrer to a file just to test if it works
$fp = fopen('referer.txt', 'w');
fwrite($fp, $visitor_url);
fclose($fp);
// Eventually display the image
header('Content-Type: image/png');
readfile($filename . '.png');
?>
So my questions are:
Is it possible to get full URL of a site that is displaying my image?
If not, is there any other method to get the full URL?
Thank you in advance.
Note: I don't have any permission on the other site where I'm posting the image, I'm just a user there. Please tell me if I'm missing something or I have to ask this in another way, I'm new to StackOverflow.
Try REMOTE_HOST instead of HTTP_REFERER:
// Here I want to get the site where image is being viewed
if (!empty($_SERVER['REMOTE_HOST'])) {
    $visitor_url = $_SERVER['REMOTE_HOST'];
} else {
    $visitor_url = "none";
}
The web server where you are serving the image will need to be configured properly. If using Apache, this is with HostNameLookups On.
See http://php.net/manual/en/reserved.variables.server.php
Normally browsers send the full referer with all URL components, including query parameters ($_GET params). If they don't, then there is no other way to obtain that URL while passing through image content.
Sometimes sending the referer may be blocked, e.g. in some batch URL processing using a crawler-like program/script, or on some proxies.
In PHP, the referer is received through $_SERVER['HTTP_REFERER'], because it's normally just an HTTP header from the request, and it's the only $_SERVER array key with referer info.
You added the .htaccess tag so I think you're using the Apache web server. If you'd like to prevent the issue entirely, you can disable hotlinking entirely by going one layer lower. Instead of managing in PHP, you can configure the web server to not serve content to domains other than the one you are hosting.
Check out the guide for more details.
I fixed this problem by switching my site (where image is hosted) to HTTPS. The code in my question was doing its job correctly.
It looks like HTTP_REFERER was blank because the request was coming from an HTTPS site and, my site being HTTP, it would always be sent blank. I was aware that it could be a problem, but it didn't make much sense to me because HTTP_REFERER was also blank when coming from another HTTP site (which I think is not normal), so I thought the error was somewhere else.
Usually HTTP_REFERER is sent when it comes from and goes to:
from HTTP to HTTP
from HTTPS to HTTPS
from HTTP to HTTPS
But it's not sent when it comes from and goes to:
from HTTPS to HTTP
And in my case, I don't know why, it wasn't being sent from HTTP to HTTP which was confusing me.
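Added example (not part of the original question or answers): a hardened take on the get_image.php idea above that extracts one query parameter from the Referer, restricts the image name to a safe pattern, and strips control characters before logging. Function names, the images directory and the sample Referer value are assumptions made for this example.

```php
<?php
// Added example; function names and the sample Referer value are constructed.

// Pull one query parameter out of a Referer value. The header is
// client-supplied, so it is parsed defensively and may be missing or malformed.
function referer_param(?string $referer, string $name): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $query = parse_url($referer, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;            // malformed URL or no query string
    }
    parse_str($query, $params);
    $value = $params[$name] ?? null;
    return is_string($value) ? $value : null;   // reject array-style params
}

// Map the "i" request parameter to a file inside one directory only.
function image_path(string $requested, string $dir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;            // refuses "../", slashes, NUL bytes, etc.
    }
    return rtrim($dir, '/') . '/' . $requested . '.png';
}

// Strip control characters so a crafted header cannot forge log lines.
function log_safe(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
}

// Constructed sample input.
$sample = 'https://forum.example/thread.php?id=42&page=3';
echo log_safe($sample), "\n";
var_dump(referer_param($sample, 'id'));
var_dump(referer_param(null, 'id'));                     // header absent
var_dump(image_path('myimage', __DIR__ . '/images'));
var_dump(image_path('../../etc/passwd', __DIR__ . '/images'));
```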

How to have a safe HTTP request method

When using the GET method to receive JSON data, we can access the result directly from the web browser. For example, I send a mydata value from ajax to a main.php file, and it processes it and shows a result, something like below:
<?php
if (isset($_GET["mydata"])) {
    if ($_GET["mydata"] == "hello") {
        echo "hello world";
    }
}
?>
But when a user calls it in the browser directly, like http://mysite.com/mydata.php?mydata=hello, they receive the answer. I want to not allow users to get the answer of the HTTP request directly, and only show it from the ajax result of the main page. Is it possible?
You're asking how to prevent an ajax-only request from being accessed directly by copy-pasting the URL into the web browser; that is, only allowing the URL to be accessible via ajax on the main web page.
Well, there are a few things you can try:
Check the Referrer for the URL of the main page with $_SERVER['HTTP_REFERER']
Set a header in Javascript using xhr.setRequestHeader() and then ensure its value by checking for $_SERVER['HTTP_X_....'] in PHP
Like Jay Bhatt recommended, check for the X_REQUESTED_WITH header, but be aware this might not always be set (see: X-Requested-With header not set in jquery ajaxForm plugin)
However, in any of these situations you should be aware that anyone who knows what they are doing can easily set any HTTP header, variable, or even modify the referrer which is sent to the server. As such, there is no 100% guarantee that your resource can be accessed only via AJAX on the main web page. There is no control built into the internet to verify where a request is coming from, so anyone can easily spoof or fake it.
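Added example (not part of the original answers): the header checks listed above applied to a constructed request, next to a session-bound token check. The function names, the X-Ajax-Token header and the session key are assumptions of this example; the token ties a request to a session that loaded the main page, but it still does not prove the request came from the page's script.

```php
<?php
// Added example; function, header and session key names are hypothetical.

// Header-only gate as described in the answer: Referer plus X-Requested-With.
function looks_like_ajax_from_main(array $server, string $mainPage): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $xrw     = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    return $referer === $mainPage && strcasecmp($xrw, 'XMLHttpRequest') === 0;
}

// Called when the main page is rendered: store a random token in the session
// and embed it in the page so the script can send it back in a header.
function issue_token(array &$session): string
{
    $session['ajax_token'] = bin2hex(random_bytes(32));
    return $session['ajax_token'];
}

// Called by the AJAX endpoint: constant-time comparison against the session.
function has_valid_token(array $server, array $session): bool
{
    $sent = $server['HTTP_X_AJAX_TOKEN'] ?? '';
    $want = $session['ajax_token'] ?? '';
    return $want !== '' && is_string($sent) && hash_equals($want, $sent);
}

// Constructed request: headers that any HTTP client, not only a browser, can set.
$forged = [
    'HTTP_REFERER'          => 'http://mysite.com/main.php',
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
];
$session = [];                       // stand-in for $_SESSION
$token   = issue_token($session);

// Forged headers against the header-only gate.
var_dump(looks_like_ajax_from_main($forged, 'http://mysite.com/main.php'));
// The same forged headers against the token gate (no token supplied).
var_dump(has_valid_token($forged, $session));
// A request that carries the token issued to this session.
var_dump(has_valid_token($forged + ['HTTP_X_AJAX_TOKEN' => $token], $session));
```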

Send a message with PHP header location redirect

Is it possible to include some message in a PHP header:
header("Location: http://somesite.com");
header("Message: hello");
then on site.com:
$message = some_function(); // "hello"
I am currently using a $_GET parameter in the URL, but looking for an alternative, maybe sending a $_POST?
I'm trying to not use $_GET, or use cookies (I know, those are the best ways..)
It sounds like you are wanting to send some extra data to the page you are redirecting to. No, this isn't possible outside of the query string. You should understand what is happening here.
When you send a 302 or 301 status code along with a Location: header, the browser sees this and then makes a separate request to the URL specified by the Location: header. The server isn't sending anything to that page. It's almost as if the user simply typed in that new URL in their browser.
I say almost because in some circumstances, there is a referrer set by the browser. This isn't guaranteed though.
What you can do is send some sort of token that contains more information. Perhaps your page saves off a message in a database or something, and then you pass the ID in the query string of the URL you're redirecting to.
Also, if you set session/cookie data and you're redirecting to something on the same domain, you can read that information on the page the user eventually lands on.
In addition to what Brad suggested, you can also send some info using # in the url without affecting the query string and then capture it with js.
header("Location: http://somesite.com#success");
in js:
if (window.location.href.indexOf('#success') > 0) {
    alert("operation successfully completed");
}
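Added example (not part of the original answers): the "save the message and pass its ID in the query string" approach suggested above, with an unguessable one-time ID. The array store stands in for the database, all function names are hypothetical, and the example assumes the redirecting page and the landing page can reach the same store.

```php
<?php
// Added example; $store stands in for the database table the answer
// mentions, and all function names are hypothetical.

// Save the message server-side and return an unguessable one-time ID.
function stash_message(array &$store, string $message, int $ttl = 300): string
{
    $id = bin2hex(random_bytes(16));
    $store[$id] = ['message' => $message, 'expires' => time() + $ttl];
    return $id;
}

// Build the redirect target; only the ID travels through the browser.
function redirect_url(string $base, string $id): string
{
    $sep = (strpos($base, '?') === false) ? '?' : '&';
    return $base . $sep . http_build_query(['msg' => $id]);
}

// On the landing page: validate the ID, fetch the message once, delete it.
function claim_message(array &$store, $id): ?string
{
    if (!is_string($id) || !preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return null;
    }
    $row = $store[$id] ?? null;
    unset($store[$id]);                       // one-time use
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    return $row['message'];
}

$store = [];
$id    = stash_message($store, 'hello');
$url   = redirect_url('http://somesite.com/', $id);
// header('Location: ' . $url); exit;        // what the redirecting page would send

// Landing page: read the ID from the query string and claim the message.
parse_str((string) parse_url($url, PHP_URL_QUERY), $get);
$message = claim_message($store, $get['msg'] ?? null);
echo htmlspecialchars((string) $message, ENT_QUOTES, 'UTF-8'), "\n";
var_dump(claim_message($store, $get['msg'] ?? null));   // second use of the same ID
```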

PUT/DELETE header redirect

I'm trying to do a header redirect in PHP doing something like:
header("Location: http://www.domain.com/some/url");
exit;
This works fine when making a GET and POST request however it doesn't seem to work with PUT and DELETE requests.
I've tried doing:
header("Location: DELETE/PUT http://www.domain.com/some/url");
exit;
But that doesn't seem to work, also calling the url directly works fine. I can echo some text before and after the header call, so everything is working, seems to just ignore PUT and DELETE requests?
Similar question, possible same answer applies to you
The header function is used to send HTTP response headers back to the
user (i.e. you cannot use it to create request headers).
May I ask why are you doing this? Why simulate a POST request when you
can just right there and then act on the data someway? I'm assuming of
course script.php resides on your server.
To create a POST request, open up a TCP connection to the host using
fsockopen(), then use fwrite() on the handler returned from
fsockopen() with the same values you used in the header functions in
the OP. Alternatively, you can use cURL.
PS: I see that it is also displayed under Linked tab :)
Using Location is not the proper way to set the HTTP Method header.
Try the following:
header("Request-Type: DELETE");
header("Location: http://www.domain.com/some/url");
exit;
However, I am not sure you can set request types with header() alone. I know you can with cURL.

Change referrer when redirecting

What I'm trying to do is use PHP to redirect from web site A to web site B (both are different domains), but I want the referrer in the HTTP headers to be set to web site A (the page that performed the redirect). So, that is, web site B will see web site A as a referrer.
You can use something like <meta http-equiv="refresh" content="1;url=http://siteb.net"> on your site A.
I'm pretty certain that sending the referrer is ultimately up to the web browser, not PHP.
You could probably send the address via $_GET though.
Edit: You won't be able to change the referrer (misread the post, derp).
I've checked using localhost and a dummy script. The browser does send the referer in the HTTP even at redirections.
To test this, I created a script called testRefererRedirect.php:
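<?php
// testRefererRedirect.php
if (!empty($_GET['a'])) {
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
        // Final (HTTPS) step: show the referer the browser sent
        echo htmlspecialchars($_SERVER['HTTP_REFERER'] ?? '');
    } else {
        // HTTP step: redirect to the HTTPS copy of this script
        header('Location: https://localhost/testrefererredirect.php?a=1');
    }
} else {
    echo 'test';
}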
To emulate cross domains, I used HTTP and HTTPS for my local server.
On first load, the page will show a link: I will click this link to allow the browser to send the referer in the headers. Next, because I load the page initially in HTTP the header function will be called. Finally, the HTTP referer header meant for the 2nd step showed up in the 3rd step.
Conclusion
You can safely use $_SERVER['HTTP_REFERER'] on website B to capture the referer information meant for website A if you do redirection on website A.
