I am creating a website and on one particular page, am wanting to send the user back to the previous page. I am fairly new to PHP/HTML and have been using some existing code for ideas and help.
The existing code uses the following method:
if (! empty($HTTP_REFERER))
{
header("Location: $HTTP_REFERER");
} else
{
header("Location: $CFG->wwwroot");
}
However, when I use this code the HTTP_referer is always treated as empty and the user redirected to the root page. Any obvious flaws in this code?
Don't rely on the HTTP Referrer being a valid or even non-empty field. People can choose to not have this set leaving any checks for that variable going to the empty side of the IF-ELSE clause.
You can guard against this by sending along a parameter in either the URL or POST parameters that would hold a value that you can use to redirect the user back to.
You need to use:
$_SERVER['HTTP_REFERER']
isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
If you wanted to send the person back to the previous page and have it work regardless of the referrer being set correctly, you can append a GET parameter to the URL (or POST).. you will need to encode the URL.. Something like
http://www.domain.com.au/script.php?return=http%3a%2f%2fwww.domain.com.au%2fthis-is-where-i-was%2f
You can use PHP's urlencode() function.
Also note that the referer header might be empty or missing anyway, so you shouldn't rely on it at all..
You should use
$_SERVER['HTTP_REFERER']
However look at the register_globals configuration in php.ini, it should be turned off due to security reasons. You can read more on PHP Manual site.
Related
I want to check redirect to another link from our webpage if user clicking on back from browser I must be alert for user such as 'Backword Forbidden ...'
I'm using this code and that not working for me:
$referer = Request::header('referer');
or how to check witch URL user backword to our site?
If you want to get the Referer URL, you can use either Request::header('referer') or native $_SERVER["HTTP_REFERER"]. But there are (at least) 2 problems with that:
It can be spoofed, empty etc.
It will only work if the person got to your page through a link. It won't work when pressing the browser's back button or backspace.
The function you're looking for is Request::server() which functions just like the $_SERVER super global, so to get the page referer you'd do the following.
$referer = Request::server('HTTP_REFERER');
Using Request::header('refer') will only work for POST requests.
GET requests are the one your're looking for.
You can use Request::segment(1) or Request::segment(2), depends on the exact URL you're using.
How can I hide ?ref string from users but pass it to php code so it will grab it?
For example, visitor visits this page:
http://mysite.com/?ref=ref+string
In browser URL I want to hide it, so user will see"
http://mysite.com/
But I want to grab content of ref string via this:
$ref = $_GET['ref'];
Is it possible?
No, if you want to use GET variables, they will always be in the url.
However, you can use an alternative, like $_SESSION or $_POST variables.
You could try something like this at the top of your PHP script:
session_start();
if (isset($_GET['ref'])) {
$_SESSION['ref'] = $_GET['ref'];
header('Location: /');
exit();
}
You would have to use $_SESSION['ref'] to access the value from then on, however.
This is not how the http protocol works with query strings. If you have information that needs to be in the query string that you want to hide or obfuscate from the user, I would recommend a simple encryption to change it. If you're attempting to get rid of this information for aesthetic reasons, you will need to pursue a different method of generating the header or storing the information (session/cookies/etc).
I have a form that submits to the same page. Now when it gets submitted and after it's processed I need it to have a unique query string.
So for example the user inputs some info then clicks submit, then the page saves the info on the server then the server spits it back out with a unique query string for that info.
If I try to set $_SERVER['QUERY_STRING'] it just hangs. Is there another way to do this?
Is it possible with a redirect?
EDIT, I'm going from mysite.com/ and the form action is on mysite.com/ and I want the browser to go to mysite.com/?blah
OK I tried putting this on my the top of my page with no luck
<?php
if ($_POST['data']) header('location: /?' . idFromDifferentFunction() );
?>
but it just keeps loading, I'm guessing it just redirects itself to death.
I hope you now understand what I'm trying to do
Chances are that your script is continuing to run after the code that says it should redirect. You also need to be more precise with the header:
<?php
if (isset($_POST['data'])) {
header('Location: /?' . idFromDifferentFunction() );
exit;
}
?>
If you use the code above, it will make the script exit which dumps the output and the browser will see the redirect (note the capital L in Location).
The key point is the exit following the redirect header. Without it, PHP is very likely going to continue working on whatever other code you're doing in the script.
It's not entirely clear what you're after, but I think you mean you want to go to a page with a unique value in the query string (the bit after the ?) once the processing is complete. Does this unique value need to actually reference something in the system (for a newly-created DB entry does it need to reference the ID of the new entry) or does it just have to be unique?
If it's the latter, you could just generate a random unique ID do the following:
header ('location: /path/to/script?id=' . uniqid ());
If it's the former, then replace the call to uniqid with the value of the database key.
The values in $_SERVER are set at runtime by PHP and should be considered read-only. Changing their values will have no meaningful effect.
$_SERVER['QUERY_STRING'] is part of PHP's globals. You should not be setting those variables, instead set it via a session and return it after submission.
If you are trying to redirect the user to a specific URL then use:
header('Location: mysite.com/bla/bla');
Writing to $_SERVER is pointless. It doesn't affect the client browsers in any way. If you want to change the query string displayed in the client browser, you'll have to use a 301/302 redirect using a header('Location: ...') call.
<?php
$camefrom =$_SERVER['HTTP_REFERER'];
if ((substr($camefrom,0,26) == "http://www.fromperson.com")
header( 'Location: http://toperson.com' ) ;
?>
I need to redirect to www.to.com if the request was made from www.from.com. This code resides in www.thridperson.com/index.php
$camefrom is always empty.
I have read that $_SERVER['HTTP_REFERER'] is not reliable. Is there any other way to perform this redirection?
Note: I have lost the access to old domain i.e fromperson.com. So, I cannot change this redirection logic it has to be done this way and it has to done only in thirdperson.com/index/php
$_SERVER['HTTP_REFERER'] is indeed unreliable. A client (browser) is not required to include it in the request. If you need a bullet-proof solution that will always work you will have to moddiffy your application on `fromperson.com' to include some GET parameter when linking to your web page, and then you can check if that GET parameter exists and then do the redirect.
No way to do according to my requirement
Hi in a simple page i use php and javascript redirect to return to referrer page.
header("Location: $refererScript");
onclick="window.location.href='<?=$refererScript?>';"
Which is the best way to protect those scripts from generate errors:
Ex. should i use urlencode for $refererScript (or at least for query string ) and if so will this acceptable from javascript or must use escape (or something else)
For $refererScript i use the code above
$ref=$_SERVER["HTTP_REFERER"];
$refererParts = parse_url($_SERVER['HTTP_REFERER']);
$refererQuery=$refererParts["query"];
$refererFolders=explode("/",$refererParts["path"]);
$refererScript=$refererFolders[sizeof($refererFolders)-1];
if($refererQuery!="")
{ $refererScript.="?".$refererQuery; }
Thanks
I would suggest you to use php header approach because if javascript is disabled, then there will be no redirect and you should url encode it eg:
$refererScript = urlencode($refererScript);
header("Location: $refererScript");
In the $_SERVER["HTTP_REFERER"]; should be already valid URL. If not, someone changed it manually and will get redirected to the wrong page.
I don't see any security risks here. Your code is fine.