So I am trying to get the page where a visitor came from. I inserted this code into a php file and I am trying to see the page's URL but it is not working, any suggestions?
<?php
$ref = getenv("HTTP_REFERER");
echo $ref;
?>
(added this after some answers)
I have also tried
print $_SERVER["HTTP_REFERER"];
and that doesn't work either
it worked after i updated the website many times, not sure why was there a problem in the first place, thanks anyway :)
Have you tried accessing through the $_SERVER superglobal?
print $_SERVER["HTTP_REFERER"];
$_SERVER['HTTP_REFERER'] is the best way to access this information.
Based on your comments on other responses:
Are you actually coming from somewhere? If you refresh your browser this value will likely not be sent. So make sure your browser is sending the header. If you put this script on a public url, I'll be happy to check it out and verify.
You should really turn on all errors. If the header is not sent and you access it anyway, PHP will emit an E_NOTICE. If you're debugging your code you should turn on all error message and make sure there are no E_NOTICE's or worse.
Maybe a stupid remark, but $_SERVER["HTTP_REFERER"] only works if you enter the page using a hyperlink.
e.g.
/goto.html
go to refer
/refer.php
<?php
print "You entered using a link on ".$_SERVER["HTTP_REFERER"];
?>
HTTP_REFERER doesn't work if you enter the link location directly in your browser.
getenv() is used if it's being run as a CGI script. With a SAPI you use $_SERVER["HTTP_REFERER"].
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The above code works! However, many of my students find it hard, at first, to grasp that $_SERVER['HTTP_REFERER'] requires arriving from a link.
I give them the below (tested) code (or "web page") to demonstrate. The above code is at the bottom.
show-referer.php
<?php
if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
$referer = $_SERVER['HTTP_REFERER'];
} else {
$referer = 'No Link - No Referer - Direct URL Entry';
}
echo $referer;
?>
<p>See the referer in action
from this page!
</p>
<?php
echo $_SERVER['HTTP_REFERER'];
?>
The show-referer.php page links to itself when you click the link, which should cause the browser to generate an HTTP_REFERER.
$ref = $_SERVER['HTTP_REFERER'];
Relevant manual page: http://php.net/manual/en/reserved.variables.server.php
If you compute all these answers, you end up with something looking like :
<?php
if isset($_SERVER['HTTP_REFERER']) {
$ref = $_SERVER['HTTP_REFERER'];
}
else {
$ref = "Direct Entry";
}
?>
Again, read http://php.net/manual/en/reserved.variables.server.php:
With HTTP_REFERER there is a comment:
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
Related
So,lets say Im the owner of awp.rs domain.
I made a simple redirect script so anyone who access domain awp.rs will be redirected to lets say: by.nies.host
Now, in by.nies.host I want to print awp.rs becouse Im redirected to that website by accesing awp.rs
<?php $url = parse_url($_SERVER['HTTP_REFERER']);
echo $url['host'];
?>
you can add something like this to see what else the $url array contains. Something might be useful...
<pre><?php print_r($url);?></pre>
Note that this referrer value is provided by the visitors browser and is not guaranteed to be accurate or to be immune to spoofing
$_SERVER['HTTP_REFERER'];
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents
will set this, and some provide the ability to modify HTTP_REFERER as
a feature. In short, it cannot really be trusted.
http://php.net/manual/en/reserved.variables.server.php
alternative approach available as the owner of the redirecting and redirected to site:
in your script on: awp.rs
you could 'tag' the url you send the user to:
<?php
header("Location: http://by.nies.host?from=awp");
exit();
on by.nies.host you just check for the from in $_GET
echo "from $_GET['from']";
You can try with $_SERVER['HTTP_REFERER'] but
This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
If you redirect from your web site and want to refer to other website, the most easy way to do it is to set $_GET var. for example :
by.nies?refer=YourSite
This is the easiest way
I have two PHP files:
1.php
<?php
... header("location: 2.php?id=1");
?>
2.php
<?php
... echo $_GET['id'];
?>
URL from 1.php to 2.php is: http://localhost/2.php?id=1
My question. Is it possible to validate where get method coming from and accept only if from coming 1.php. But if someone in address bar changing id values then ignore? Something with $_SERVER['HTTP_REFERER'] but i'm not sure
Is it possible to validate where get method coming from and accept only if from coming 1.php.
Not reliably.
But if someone in address bar changing id values then ignore?
Find something else to test against. (e.g. is this a user who is logged in and authorised to view the page with that id?).
Simple answer is no. $_SERVER['HTTP_REFERER'] is often disabled by browsers and is easily spoofed.
You can do someting close to your requirement:
<?php
//1.php
$id = 1;
$key = generateKeyBasedOnId($id);
header("location: 2.php?id=$id&key=$key");
?>
You can write generateKeyBasedOnId() function as you wanted to,
but you are the only one who should known the algorithm.
(For example return md5('my very secret'.$id.' string');
<?php
//2.php
if($_GET['key'] !== generatekeyBasedOnId($_GET['id'])) {
//error
}
?>
Of course, if someone copy paste the url 2.php?id=..&key=..., it will still work. You can hide key into cookies, but it is still easilly spoofable.
You can also generate random key, save it into database, read it in 2.php and if it exists, immediately delete it. So the key can be used only once. But if someone catch your header redirect, he still could (theoreticaly) take it and use it in different browser in different country ...
Is it possible to disallow direct access to a PHP file and allow the access only if it's redirected from other PHP file?
For example, access to loading.php should be only allowed if it's redirected from example.php page. How how can I do that?
I hope you understand what I mean. If not, please ask me, and I will try to explain better.
example.php
session_start();
$_SESSION['loading']='yes';
loading.php
session_start();
if($_SESSION['loading']=='yes'){
/all good
}else{
//bad, redirect back or whatever
}
$_SESSION['loading']=''; // clear session var
You can check referer, but it not secure:
loading.php
<?php
if($_SERVER['HTTP_REFERER']!=='http://yoursite/example.php')
die('Denied');
--
or you can set visited flag in session
example.php
<?php
$_SESSION['isVisitedExample'] = true;
loading.php
<?php
if(!isset($_SESSION['isVisitedExample']))
die('Denied');
--
or in cookie (not secure)
example.php
<?php
setcookie('isVisitedExample', 1);
loading.php
<?php
if(!isset($_COOKIE['isVisitedExample']))
die('Denied');
--
or mix this methods
Test for the variable $_SERVER['HTTP_REFERER']. (yes, the incorrect spelling is what must be used.) That variable contains the URL of the site that a user came from. The REFERER header is blank or '-' if the page is accessed directly.
The code for this would look something like the following:
if (empty($_SERVER['HTTP_REFERER']) or $_SERVER['HTTP_REFERER'] == '-') {
exit; // do nothing if hit directly.
}
// The real page logic goes here.
If you want to only allow the loading page from a specific URL, then you may test for that URL instead of testing for empty().
Please be aware that the REFERER header is sent by the browser and easily spoofed. That said, checking the referer header is useful for blocking other sites from directly loading images from your site.
Another option would be to use sessions and session variables to check that someone hit the appropriate page before the loader page.
Let say we've the following
Objective : User will post certain exact URL $refere to lock viewing text content and only be allowed for view if the viwer is coming from the same exact URL $refere.
$refere = "http://www.site_site.com"; // User will post it
$r = $_SERVER['HTTP_REFERER']; // To get real referral
and i want to do the following
<?PHP
if(stripos($r, $refere) == false){
echo "Wrong";
} else { ?>
echo "Go";
}
?>
It always gives me $r = $_SERVER['HTTP_REFERER']; blank ! so does it deprecated on any PHP version 4 or 5 whatever !
Also
what is the user posted $refere like https:// or missed www. or only posted site_site.com while the $r = $_SERVER['HTTP_REFERER']; showing www.site_site.com
so can anyone help me to adjust this code to be working fine no matter the user posted the $refere link fully or only site_site.com.
The $_SERVER['REFERER'] variable will only be set when you click a link to your page from another page and if the browser (or an eventual proxy or firewall you're on) isn't removing the referer header.
To your second question: do some string comparisons. The functions strpos() and substr() will be of great help.
I am a complete PHP newbie, and I'm not even sure if I should be using PHP for what I'm doing, but here goes. Basically all I want to do is based on where a user comes from, change a link on the page to link to another location. I feel like this is very basic, but I'm not sure exactly how to phrase my search to get the best results. How would I do this?
You probably want something along the lines of
<?php if ($_SERVER['HTTP_REFERER'] === 'http://www.example.com') { ?>
1
<?php } else { ?>
2
<?php } ?>
$_SERVER['HTTP_REFERER'];
This will give you the url of client requesting the page. As said in this post: "Note that it is provided by the client so it may be empty or faked, so don't trust it security-wise."
source of REQUEST
Not sure exactly how you would best google that, but hopefully this will get you started:
To figure out where a user came from, you need $_SERVER['HTTP_REFERER'].
Here's a tutorial based on doing a header redirect on that: http://bytes.com/topic/php/answers/7406-how-redirect-based-_server-http_referer
But you'll want to substitute echoing out a link instead of using header().
So quick snippet it would be something like this:
if (!empty($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'stackoverflow.com')) {
echo "<a href='http://thatplaceiwanttogoto.com'>Here</a>";
} else {
echo "<a href='http://thatotherplace.com'>There</a>";
}