getenv(HTTP_REFERER)



entint
06-09-2005, 06:37 AM
Hi, I'm having a problem with some php that I've written to check to see if the site calling my PHP script is in fact from my site, and if they're not I have it read a document to tell them that they can't call the script from outside of my site. The below section of the script works absolutely fine, but the problem is that getenv(HTTP_REFERER) doesn't return anything. From what I'm guessing this is because I am calling the php script from a javascript function (semi ajax using xmlhttprequest). I don't understand why getenv(HTTP_REFERER) doesn't return a value though because it's still being called from within my site... Can anyone help me?

P.S. The fact that getenv(HTTP_REFERER) doesn't return a value makes it so that no matter what every time my script is called I get the "outside.html" file.



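$homeurl = "www.somewebsite.com";
// Referer header as sent by the client (empty when the client sends none)
$callinghttp = getenv("HTTP_REFERER");

// Strip the scheme; str_replace stands in for ereg_replace, which was removed in PHP 7
$callingurl = str_replace("http://", "", $callinghttp);
// Look for the site's host name anywhere inside the referer string
$url = stristr($callinghttp, $homeurl);

if ($url === false) {
    // No match: serve the "called from outside" page and stop
    readfile("outside.html");
    exit;
}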

P.P.S. My page that calls my javascript function is html, and the function is called from a form onSubmit.

SeeIT Solutions
06-09-2005, 07:53 AM
Have you tried using
$_SERVER['HTTP_REFERRER']?

Also, you have referrer spelt incorrectly.

entint
06-09-2005, 08:04 AM
Yeah, I tried that a few moments ago as well, still no luck... Any other ideas? Maybe something that would parse on the HTML page and then send through the JavaScript to the PHP? I don't know how that would work, but it would solve the problem because it wouldn't have to be called from the PHP script and could be called on the actual referring page...

Yes, I know referrer is spelt wrong, but in PHP (among other coding languages) this is the spelling that they use, since the misspelled word somehow made it into the HTTP standard... don't ask me why :rolleyes: it's just the way they did it...

entint
06-09-2005, 08:23 AM
Just for reference, and to make sure that I'm not doing anything wrong in my HTML and JavaScript to accomplish this, here are the relevant parts of all of my code. Can someone please help me out?

Relevant HTML Code:

<div id="content">
    <h2>Email Us:</h2>
    <form name="formmail" action="mail.php" method="get" onsubmit="sendMail(this.action); return false;">
        <input type="hidden" name="to" value="info@entintdesign.com" />

        <div><label for="name">Name:</label></div>
        <input type="text" name="name" />

        <div><label for="email">Email:</label></div>
        <input type="text" name="email" />

        <div><label for="subject">Subject:</label></div>
        <input type="text" name="subject" />

        <div><label for="message">Message:</label></div>
        <textarea name="message" rows="" cols=""></textarea>

        <div>&nbsp;</div>
        <input type="submit" name="submit" value="Send" class="btn" />
    </form>
</div>


Relevant Javascript:

// Shared request object used by loadXMLDoc() and processReqChange()
var req;

// HTTPRequest Object
function loadXMLDoc(url)
{
    if (window.XMLHttpRequest) { // branch for native XMLHttpRequest object
        req = new XMLHttpRequest();
        req.onreadystatechange = processReqChange;
        req.open("GET", url, true);
        req.send(null);
    } else if (window.ActiveXObject) { // branch for IE/Windows ActiveX version
        req = new ActiveXObject("Microsoft.XMLHTTP");
        if (req) {
            req.onreadystatechange = processReqChange;
            req.open("GET", url, true);
            req.send();
        }
    }
}

// req Change processor
function processReqChange()
{
    if (req.readyState == 4) { // readyState = Complete
        if (req.status == 200) { // status = Okay
            if (document.getElementById) {
                document.getElementById("content").innerHTML = req.responseText;
            }
        } else {
            alert("There was a problem retrieving the data you requested:\n\n" + req.status + ": " + req.statusText);
            closeArrow(); // not shown in this post
        }
    }
}

// Mail Form Page Call
function sendMail(whichURL) {
    var to = document.formmail.to.value;
    var from = document.formmail.name.value;
    var email = document.formmail.email.value;
    var subject = document.formmail.subject.value;
    var message = document.formmail.message.value;
    // Encode each value so that spaces, "&" and "=" in the input do not break the query string
    var thisURL = whichURL + "?to=" + encodeURIComponent(to) +
        "&name=" + encodeURIComponent(from) +
        "&email=" + encodeURIComponent(email) +
        "&subject=" + encodeURIComponent(subject) +
        "&message=" + encodeURIComponent(message);
    loadXMLDoc(thisURL);
}


Relevant PHP where problem arises

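// $homeurl is set earlier in the script
$homeurl = "www.somewebsite.com";
// Variable name matches the one used in the checks below
$callinghttp = getenv("HTTP_REFERER");
// str_replace stands in for ereg_replace, which was removed in PHP 7
$callingurl = str_replace("http://", "", $callinghttp);
$url = stristr($callinghttp, $homeurl);

if ($url === false) {
    readfile("outside.html");
    exit;
}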

Harry Armadillo
06-09-2005, 08:25 AM
In your xmlhttprequest function, you'll have to set the Referer header yourself.

req.setRequestHeader("Referer", "http://whatever/etc/");

SeeIT Solutions
06-09-2005, 08:27 AM
Did you see my note about referrer being spelt incorrectly?

entint
06-09-2005, 08:31 AM
Yea, I did. Check the post I responded with; I have edited it since.

Is there any other way, Harry? That way just doesn't seem very secure... If that is the only way then I guess I have to use it...

Harry Armadillo
06-09-2005, 08:42 AM
xmlhttp requests don't send a referer by default; if you want one, you have to send it yourself.

If you want higher security, sessionid.
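
Added example, not part of the thread or any poster's code: a PHP sketch of the session-token check suggested above, run side by side with the thread's Referer test on constructed requests. The function names, the `form_token` key and the sample values are assumptions; in a real script `$session` would be `$_SESSION` after `session_start()`.

```php
<?php
// Added example: session-bound token check compared with the Referer test.
// Function names and the 'form_token' key are assumptions, not from the thread.

// Called by the page that renders the form: store a random token in the session.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Called by mail.php: accept only a request that echoes the session's token.
function token_is_valid(array $session, ?string $submitted): bool
{
    if (empty($session['form_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals compares the two strings in constant time.
    return hash_equals($session['form_token'], $submitted);
}

// The thread's original test, kept for comparison.
function referer_looks_local(?string $referer, string $homeurl): bool
{
    return $referer !== null && $referer !== '' && stristr($referer, $homeurl) !== false;
}

// Constructed demo data; a plain array stands in for $_SESSION.
$session = [];
$token   = issue_form_token($session);
$homeurl = 'www.somewebsite.com';

$cases = [
    // label => [Referer header, submitted token]
    'own form via XHR, no Referer sent'  => [null, $token],
    'hand-set Referer, no session token' => ['http://www.somewebsite.com/', null],
    'hand-set Referer, wrong token'      => ['http://www.somewebsite.com/', str_repeat('0', 64)],
];

foreach ($cases as $label => [$referer, $submitted]) {
    printf("%-36s referer check: %-5s token check: %s\n",
        $label,
        referer_looks_local($referer, $homeurl) ? 'pass' : 'fail',
        token_is_valid($session, $submitted) ? 'pass' : 'fail');
}
```

The Referer test fails the site's own XHR call and passes any request that sets the header by hand, while the token test depends only on a value the server stored in that visitor's session.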

entint
06-09-2005, 08:47 AM
ok sounds good. thanks a bunch :)


