  1. #1
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts

    $_server['http_referer']

    I want the user to go to my finish.php page only if he came from Paypal...otherwise, he gets sent to yahoo.com

    Is this right?

    <?php

    if ($_SERVER['HTTP_REFERER']="https://www.paypal.com"){
    echo "<body onload=\"document.location.href='finish.php'\">";
    }

    else {
    echo "<body onload=\"document.location.href='http://yahoo.com'\">";
    }

    ?>

    Thanks
    Last edited by zoobie; 08-11-2002 at 01:20 AM.
    Zoobie or not Zoobie...That is the problem.
    <body onUnload="flush( ! )">

  • #2
    Regular Coder
    Join Date
    Jul 2002
    Location
    London, UK
    Posts
    126
    Thanks
    0
    Thanked 0 Times in 0 Posts
    There are a couple of problems with that..

    Firstly, for what should be an equivalence test you're doing an assignment, i.e.:

    PHP Code:
    if ($_SERVER['HTTP_REFERER'] = "https://www.paypal.com"
    Will attempt to assign https://www.paypal.com and if the assignment succeeds the statement will return true. Try using == instead.

    Secondly, you're testing to see if the referer exactly matches that, and unless there's a link from the main site on paypal to your page this will never be the case. Perhaps a more fuzzy match would be better, like:

    PHP Code:
    if (eregi("^https://www.paypal.com", $_SERVER['HTTP_REFERER'])) 
    Which will check to see if the referer starts with the paypal address.

    Thirdly, you can't actually rely on the HTTP_REFERER variable to be at all secure or indeed to even exist - it's sent by the browser to the server.

    Fourthly, you're using JavaScript to redirect the user, when you can output a redirection header instead like this:
    PHP Code:
    header ("Location: finish.php"); 
    Unless of course you've already output some headers, but I can't see why you would've done this if you wanted to redirect the user..

    Hope that helps a bit.
    Last edited by Mouldy_Goat; 08-13-2002 at 02:22 AM.

  • #3
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I'm using your fuzzy code and took out the double quotes...but I'm still ending up at yahoo.

    <?php

    if (eregi("^<a href='https://www.paypal.com' target='_blank'>https://www.paypal.com</a>", $_SERVER['HTTP_REFERER']))
    {
    header ("Location: finish.php");
    }

    else {
    header ("Location: http://yahoo.com");
    }

    ?>

    I also saw where the $_SERVER['HTTP_REFERER'] is working fine by using info() at my host. It showed me coming from the file manager.

    Fix?

    Thanks

  • #4
    Senior Coder
    Join Date
    Jun 2002
    Location
    frankfurt, german banana republic
    Posts
    1,848
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I think the confusion comes from vBulletin's automagic URL replacement. What mouldy_goat proposed should have originally only been the URL with the ^ appended, so that only referers that really start with http://www.paypal.com are matched (otherwise, a URL like http://www.domain.com/para=http://www.paypal.com would also match, but as you see it doesn't come from paypal).

    PHP Code:
    if (preg_match("~^http://www.paypal.com~i", $_SERVER['HTTP_REFERER'])) {
        // Pull the page in server-side instead of sending a redirect
        include('finish.php');
    }

    a) I've used preg_ functions because... they are more versatile and I'm used to employing them; there is no real difference to eregi except that the preg_ functions run some nanoseconds faster.

    b) Better use include than header() statements for including files that require some sort of authentication. header() statements get executed by the client, and that may not be a correctly working browser, but rather a script etc. If you use include, your file contents get directly displayed, relying totally on PHP's abilities, so there's one security issue less.

    Also, be warned that the HTTP_REFERER is not a secure value to base authentication on. It gets passed by the browser to the server; thus it is also possible to manipulate this header.

  • #5
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I'm still going to yahoo rather than my finish.php page by using

    http://www.paypal.com~i

    and even

    https://www.paypal.com~i

  • #6
    Senior Coder
    Join Date
    Jun 2002
    Location
    frankfurt, german banana republic
    Posts
    1,848
    Thanks
    0
    Thanked 0 Times in 0 Posts
    What code did you use, and has the referer been set? Check that by echoing $_SERVER['HTTP_REFERER'].

    IIRC this variable only gets set when you click on a link from the specified page, but I may be wrong on this.

  • #7
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I'm using your code. The user clicks on a "continue" link at paypal which sends them to my return.php page which has the code you gave me on it.

    Let me try an echo.

  • #8
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Using echo "$_SERVER['HTTP_REFERER']"; now all I get is

    Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in return.php

    I can see when the user hovers over "continue" in paypal, my link to the return.php page in the status bar.

  • #9
    Senior Coder
    Join Date
    Jun 2002
    Location
    frankfurt, german banana republic
    Posts
    1,848
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Try

    PHP Code:
    echo $_SERVER['HTTP_REFERER']; 

  • #10
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts
    It doesn't echo or print...just shows a blank page using echo $_SERVER['HTTP_REFERER'];

  • #11
    Senior Coder
    Join Date
    Jun 2002
    Location
    frankfurt, german banana republic
    Posts
    1,848
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Might mean that in your case, the variable does not get set. Have you tried in combination with isset()?

    As I mentioned above, relying on HTTP_REFERER is hazardous.

  • #12
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I tried isset() but it still shows nothing. I'm wondering if it's because it's coming from a secure site (https).

    My main host is down for 2 days so I'm using Tripod.co.uk for testing which is using Version 4.1.0

    I don't see SERVER['HTTP_REFERER'] listed...just

    HTTP_X_FORWARDED_HOST members.lycos.co.uk
    HTTP_X_FORWARDED_SERVER members.lycos.co.uk
    HTTP_X_HOST members.lycos.co.uk
    HTTP_X_SERVER_HOSTNAME members.lycos.co.uk

    Here's the info page.
    Last edited by zoobie; 08-12-2002 at 10:37 PM.

  • #13
    Regular Coder Feyd's Avatar
    Join Date
    May 2002
    Location
    Los Angeles, CA Maxim: Subvert Society
    Posts
    404
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Code:
    if (strstr($_SERVER['HTTP_REFERER'],"paypal.com")) {
    	header ("Location: finish.php");
    } else {
    	header ("Location: http://yahoo.com"); 
    }
    works fine for me...
    Moderator, Perl/CGI Forum
    shadowstorm.net - subvert society
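
Added example (not part of any post in this thread): the substring check from post #13 and the anchored match from posts #2 and #4, run beside a hypothetical stricter check that parses the header and compares scheme and host exactly. The function names and the sample Referer values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Sample Referer values are constructed.

// Check from post #13: "paypal.com" anywhere in the header.
function check_substring($referer) {
    return $referer !== null && strstr($referer, "paypal.com") !== false;
}

// Check from posts #2 and #4: anchored, case-insensitive prefix match.
function check_prefix($referer) {
    return $referer !== null
        && preg_match("~^https://www.paypal.com~i", $referer) === 1;
}

// Hypothetical stricter variant: parse the URL, compare scheme and host exactly.
function check_host($referer) {
    if ($referer === null) {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return strtolower($parts['scheme']) === 'https'
        && strtolower($parts['host']) === 'www.paypal.com';
}

$samples = array(
    'https://www.paypal.com/some/page',                 // constructed
    'http://www.domain.com/para=http://www.paypal.com', // URL quoted in post #4
    'https://www.paypal.com.example.net/',              // constructed longer host name
    null,                                               // header absent, as in posts #10 and #12
);

foreach ($samples as $referer) {
    // Booleans print as 1 or 0. A 1 in the last column still only reflects
    // what the client chose to send; it does not prove where the visitor came from.
    printf("%-50s substring=%d prefix=%d host=%d\n",
        $referer === null ? '(no Referer header)' : $referer,
        check_substring($referer), check_prefix($referer), check_host($referer));
}
```

The second sample passes only the substring check, the third passes the substring and prefix checks but not the host comparison, and the absent header fails all three, which is the branch that sends a visitor to yahoo.com when no Referer arrives.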

  • #14
    Senior Coder
    Join Date
    Jun 2002
    Location
    ColoRockyz
    Posts
    1,646
    Thanks
    1
    Thanked 0 Times in 0 Posts
    It doesn't for me.

    Here's the info page.

    I've tried 5 codes now...

  • #15
    Regular Coder Feyd's Avatar
    Join Date
    May 2002
    Location
    Los Angeles, CA Maxim: Subvert Society
    Posts
    404
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Tried using just $HTTP_REFERER?
    Tried just echoing $_SERVER['HTTP_REFERER'] to see if it shows up?
    Are you doing this inside of a function or straight to page?

