View Full Version : $_server['http_referer']
zoobie
08-11-2002, 12:56 AM
I want the user to go to my finish.php page only if he came from Paypal...otherwise, he gets sent to yahoo.com
Is this right?
<?php
if ($_SERVER['HTTP_REFERER']="https://www.palpal.com"){
echo "<body onload=\"document.location.href='finish.php'\">";
}
else {
echo "<body onload=\"document.location.href='http://yahoo.com'\">";
}
?>
Thanks:p
Mouldy_Goat
08-11-2002, 02:06 AM
There are a couple of problems with that..
Firstly, for what should be an equivalence test you're doing an assignment, i.e.:
if ($_SERVER['HTTP_REFERER'] = "https://www.paypal.com")
Will attempt to assign https://www.paypal.com and if the assignment succeeds the statement will return true. Try using == instead.
Secondly, you're testing to see if the referer exactly matches that, and unless there's a link from the main site on paypal to your page this will never be the case. Perhaps a more fuzzy match would be better, like:
if (eregi("^https://www.paypal.com", $_SERVER['HTTP_REFERER']))
Which will check to see if the referer starts with the paypal address.
Thirdly, you can't actually rely on the HTTP_REFERER variable to be at all secure or indeed to even exist - it's sent by the browser to the server.
Fourthly, you're using JavaScript to redirect the user, when you can output a redirection header instead like this:
header ("Location: finish.php");
Unless of course you've already output some headers, but I can't see why you would've done this if you wanted to redirect the user..
Hope that helps a bit.
zoobie
08-11-2002, 07:47 AM
I'm using your fuzzy code and took out the double quotes...but I'm still ending up at yahoo.:confused:
<?php
if (eregi("^<a href='https://www.paypal.com' target='_blank'>https://www.paypal.com</a>", $_SERVER['HTTP_REFERER']))
{
header ("Location: finish.php");
}
else {
header ("Location: http://yahoo.com");
}
?>
I also saw where the $_SERVER['HTTP_REFERER'] is working fine by using info() at my host. It showed me coming from the file manager.
Fix?
Thanks
mordred
08-11-2002, 02:12 PM
I think the confusion comes from vBulletin's automagic URL replacement. What mouldy_goat proposed should have originally only been the URL with the ^ appended, so that only referers that really start with http://www.paypal.com should match (otherwise, a URL like http://www.domain.com/para=http://www.paypal.com would also match, but as you see it doesn't come from paypal).
if (preg_match("~^http://www.paypal.com~i", $_SERVER['HTTP_REFERER'])) {
include('finish.php');
}
a) I've used preg_ functions because... they are more versatile and I'm used to employing them, there is no real difference to eregi except the preg_ functions run some nanoseconds faster.
b) Better use include than header() statements for including files that require some sort of authentication. header() statements get executed by the client, and that may not be a correctly working browser, but rather a script etc. If you use include, your file contents get directly displayed totally relying on PHP's abilities, so there's one security issue less.
Also, be warned that the HTTP_REFERER is not a secure value to base authentication on. It gets passed by the browser to the server; thus it is also possible to manipulate this header statement.
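The checks posted so far test the start or a substring of the referer string. As an added example (not code from any poster in this thread), the PHP below parses the header, compares the whole host, and reports a missing header as its own case. The function name classify_referer and the sample values are constructed for illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. classify_referer() and the
// sample values below are constructed for illustration.

/**
 * Classify a Referer header against one expected host.
 * Returns 'absent', 'match' or 'mismatch'. Even 'match' is only a hint:
 * the header is written by the client and can be set to anything.
 */
function classify_referer(?string $referer, string $expectedHost): string
{
    if ($referer === null || $referer === '') {
        return 'absent';            // not sent, or stripped on the way
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'mismatch';          // not an absolute URL
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return 'mismatch';
    }
    // Compare the whole host, not a prefix or substring of the URL.
    $host = strtolower($parts['host']);
    return $host === strtolower($expectedHost) ? 'match' : 'mismatch';
}

// Constructed sample headers, including the cases raised in the thread.
$samples = [
    'https://www.paypal.com/cgi-bin/webscr',             // expected host
    null,                                                // header not sent
    'http://www.domain.com/para=http://www.paypal.com',  // URL embedded in path
    'https://www.paypal.com.example.net/',               // would pass a "^https://www.paypal.com" prefix test
];

foreach ($samples as $s) {
    printf("%-52s %s\n", var_export($s, true), classify_referer($s, 'www.paypal.com'));
}

// In a page handler the header would be read like this; ?? avoids the
// undefined-index notice when the client sends no Referer.
// $status = classify_referer($_SERVER['HTTP_REFERER'] ?? null, 'www.paypal.com');
```

Run from the command line, this prints match, absent, mismatch, mismatch for the four samples.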
zoobie
08-11-2002, 07:57 PM
I'm still going to yahoo rather than my finish.php page by using
http://www.paypal.com~i
and even
https://www.paypal.com~i :confused:
mordred
08-11-2002, 09:58 PM
What code did you use and has the referer been set? Check that by echoing $_SERVER['HTTP_REFERER'].
IIRC this variable only gets set when you click on a link from the specified page, but I may be wrong on this.
zoobie
08-11-2002, 10:29 PM
I'm using your code. The user clicks on a "continue" link at paypal which sends them to my return.php page which has the code you gave me on it.
Let me try an echo.
zoobie
08-11-2002, 11:35 PM
Using echo "$_SERVER['HTTP_REFERER']"; now all I get is
Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in return.php
I can see when the user hovers over "continue" in paypal, my link to the return.php page in the status bar.
mordred
08-12-2002, 02:20 AM
Try
echo $_SERVER['HTTP_REFERER'];
zoobie
08-12-2002, 09:04 PM
It doesn't echo or print...just shows a blank page using echo $_SERVER['HTTP_REFERER']; :eek:
mordred
08-12-2002, 09:25 PM
Might mean that in your case, the variable does not get set. Have you tried in combination with isset()?
As I mentioned above, relying on HTTP_REFERER is hazardous.
zoobie
08-12-2002, 10:24 PM
I tried isset() but it still shows nothing. I'm wondering if it's because it's coming from a secure site (https).
My main host is down for 2 days so I'm using Tripod.co.uk for testing which is using Version 4.1.0
I don't see SERVER['HTTP_REFERER'] listed...just
HTTP_X_FORWARDED_HOST members.lycos.co.uk
HTTP_X_FORWARDED_SERVER members.lycos.co.uk
HTTP_X_HOST members.lycos.co.uk
HTTP_X_SERVER_HOSTNAME members.lycos.co.uk
Here's (http://members.lycos.co.uk/zoobie/info.php) the info page.
if (strstr($_SERVER['HTTP_REFERER'],"paypal.com")) {
header ("Location: finish.php");
} else {
header ("Location: http://yahoo.com");
}
works fine for me...
zoobie
08-12-2002, 10:56 PM
It doesn't for me. :(
Here's (http://members.lycos.co.uk/zoobie/info.php) the info page.
I've tried 5 codes now...:mad:
Tried using just $HTTP_REFERER?
Tried just echoing $_SERVER['HTTP_REFERER'] to see if it shows up?
Are you doing this inside of a function or straight to page?
Mouldy_Goat
08-13-2002, 02:25 AM
I don't see SERVER['HTTP_REFERER'] listed...
There won't be a referrer variable if you're not referred to the web page, follow this link (http://members.lycos.co.uk/zoobie/info.php) and it'll show up. I edited my post to take out the url matching problem, try the code now.
zoobie
08-13-2002, 04:32 AM
Nope...Nothing works. :mad:
I know the "continue" link is working on paypal because I see my finish.php page in the status bar on hover.
Bummer :(
zoobie
08-13-2002, 10:41 AM
Can anyone solve this? I can't get it to echo, print, isset(), etc. but I know the link is being clicked on and there is a SERVER['HTTP_REFERER'] set up in the php.
This is an exercise in futility. :mad:
zoobie
08-14-2002, 03:56 AM
My guess is that it is echoing...but there's nothing to echo. This is why it's failing. The first code probably worked...but Paypal has somehow disabled the clicked link...even though it's showing in my status bar on hover. :D
zoobie
08-15-2002, 09:33 PM
Guess who's back? :D
Well, I just got off the phone with Paypal. They said the "continue" link on the final page is indeed a direct link to my next page shown in the status bar. I thought maybe they'd disabled it somehow.
Let's start at the beginning...
Why isn't echo $_SERVER['HTTP_REFERER']; echoing?
My host is using v4.22 and has it enabled.
zoobie
08-15-2002, 11:12 PM
By using echo '<pre>';
print_r($_SERVER);
echo '</pre>';
I don't see it in the list...but by clicking these links, I do...
Host CDI (http://users.cdiweb.us/zoobie/info.php) for REFERER
Host Tripod (http://members.lycos.co.uk/zoobie/info.php) for REFERER
This is Tripod v4.1.0
Array
(
[DOCUMENT_ROOT] => /data/members/free/tripod/uk/z/o/o/zoobie/htdocs/
[HTTP_ACCEPT] => image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_ACCEPT_LANGUAGE] => en-us
[HTTP_CONNECTION] => close
[HTTP_COOKIE] => LBC=3207c4ed556e614a0f038d0b2fdc0502; Apache=172.193.97.46.22201029445367713
[HTTP_HOST] => members.lycos.co.uk
[HTTP_USER_AGENT] => Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
[HTTP_X_FORWARDED_FOR] => 172.193.97.46, 172.193.97.46
[HTTP_X_FORWARDED_HOST] => members.lycos.co.uk
[HTTP_X_FORWARDED_SERVER] => members.lycos.co.uk
[HTTP_X_HOST] => members.lycos.co.uk
[HTTP_X_SERVER_HOSTNAME] => members.lycos.co.uk
[PATH] => /bin:/usr/bin:/sbin:/usr/sbin
[REDIRECT_SCRIPT_URI] => http://members.lycos.co.uk/zoobie/paypal2.php
[REDIRECT_SCRIPT_URL] => /zoobie/paypal2.php
[REDIRECT_STATUS] => 200
[REDIRECT_URL] => /zoobie/paypal2.php
[REMOTE_ADDR] => 172.193.97.46
[REMOTE_PORT] => 35364
[SCRIPT_FILENAME] => /data/members/free/tripod/uk/z/o/o/zoobie/htdocs/paypal2.php
[SCRIPT_URI] => http://members.lycos.co.uk/zoobie/paypal2.php
[SCRIPT_URL] => /zoobie/paypal2.php
[SERVER_ADDR] => 213.193.0.125
[SERVER_ADMIN] => webadmin-uk@lycos-europe.com
[SERVER_NAME] => members.lycos.co.uk
[SERVER_PORT] => 80
[SERVER_SIGNATURE] =>
[SERVER_SOFTWARE] => Apache (UNIX)
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /zoobie/paypal2.php
[SCRIPT_NAME] => paypal2.php
[PATH_INFO] => /zoobie/paypal2.php
[PATH_TRANSLATED] => /data/members/free/tripod/uk/z/o/o/zoobie/htdocs/paypal2.php
[PHP_SELF] => /zoobie/paypal2.php
[argv] => Array
(
)
[argc] => 0
)
zoobie
08-16-2002, 06:53 PM
So...How can SERVER['HTTP_REFERER'] not be in the above list...yet when you click on my info.php page on my sites ( Host CDI (http://users.cdiweb.us/zoobie/info.php) &
Host Tripod (http://members.lycos.co.uk/zoobie/info.php) ).... it is? :rolleyes:
stuntboy
08-16-2002, 07:08 PM
HTTP_REFERER won't be in the list unless there is one. And thinking on why there would not be one, the only thing that comes to mind as being remotely possible is that paypal's server would be secure (https protocol) and may not pass a referer. Though I have never heard of this, it is possible. I don't have a secure server handy to test this on. I will try and get one set up (though I don't have a certificate) and see if that is what your problem is.
mordred
08-16-2002, 07:38 PM
I may be severely mistaken, but I don't think it's the server (in this case - paypal.com) that "sends" the HTTP_REFERER. It's the user agent. The client. Our loved browser. It's like a special message it sends along with the next GET request to the different server, thereby telling it "oh, by the way, I just came from xyz.com".
That's also why it's insecure to rely on the HTTP_REFERER, because the client decides in the long run what actually gets sent to the next server, and not the previous server. So I believe zoobie's problem can't be fixed through PHP, because it seems that his (user agent|browser) does not like sending the HTTP_REFERER from the secured site, as stuntboy supposed too.
stuntboy
08-16-2002, 07:42 PM
lol. I don't know why I have always thought the server was sending the HTTP_REFERER. It is one of the things I never really thought about, but now that I do it is kinda ridiculous to think the server would send it
zoobie
08-16-2002, 09:50 PM
But, it's showing in my browser fine when I click on the above links and go to the info.php pages of my sites. I also called Paypal and they said the final page with the 'continue' link was a direct link to my thank you page and should work fine with SERVER['HTTP_REFERER'].
This is beyond frustrating...:mad:
stuntboy
08-16-2002, 09:56 PM
So you put the links to phpinfo() on the paypal to test and it came up?
If that is happening I have no idea what it could be
zoobie
08-16-2002, 10:38 PM
Good idea. I put the info.php as the 'continue' link at Paypal...Nothing showed up on the info.php list directly linked from Paypal.
I read where SERVER['HTTP_REFERER'] worked for most browsers...but maybe my security settings, which are pretty high, have somehow interfered with it.
Or perhaps, like you said, it's the fact it's coming from a https secure site...dunno.
Perhaps you could try it :eek:
Are you perhaps behind a firewall that is stripping personal header information (which would remove the referer from the browser)? (At this point, I'm just ruling everything out).
And try using plain old $HTTP_REFERER, as _SERVER may give you some obstacles depending on your version of PHP.
zoobie
08-17-2002, 02:38 AM
Yes...I'm behind a Zonealarm firewall...but wasn't aware it did that. I'll turn it off and use your suggestions. Thx
Working...
zoobie
08-18-2002, 12:31 AM
Actually, now that I think about it, so many people are using firewalls, turning mine off won't make them turn theirs off.
Hmm...Back to square one...:rolleyes:
yesudo
04-19-2004, 12:22 AM
Sure you have probably sorted this by now.
But for anyone else trying - play with your firewall settings - as this worked for me:
$referer = getenv( "HTTP_REFERER" );
$tapps_referer = "http://www.paypal.com";
// referer check
if (isset($tapps_referer) && $tapps_referer!="")
{
if ($i=strpos($referer,"?"))
{
$referer= substr($referer,0,$i);
}
if ($tapps_referer != $referer)
{
header ("Location: http://www.paypal.com"); // absolute URL; without the scheme the browser treats the value as a relative path
}
else
{
header ("Location: finish.php");
}
}
missing-score
04-19-2004, 01:10 AM
On your machine, do you have any type of firewall installed? I know I do and I block my referer information... Many people are starting to for security and privacy reasons, so it's really something not to rely on... If the browser doesn't send a referer, it doesn't get set, hence your errors.
try:
var_dump($_SERVER);
and if HTTP_REFERER doesn't come up then a referer is not being sent from your browser (probably due to protection software)
(EDIT: didn't see you did this above, but either way it still applies)