Old 06-09-2005, 06:37 AM   PM User | #1
entint
getenv(HTTP_REFERER)

Hi, I'm having a problem with some php that I've written to check to see if the site calling my PHP script is in fact from my site, and if they're not I have it read a document to tell them that they can't call the script from outside of my site. The below section of the script works absolutely fine, but the problem is that getenv(HTTP_REFERER) doesn't return anything. From what I'm guessing this is because I am calling the php script from a javascript function (semi ajax using xmlhttprequest). I don't understand why getenv(HTTP_REFERER) doesn't return a value though because it's still being called from within my site... Can anyone help me?

P.S. The fact that getenv(HTTP_REFERER) doesn't return a value makes it so that no matter what every time my script is called I get the "outside.html" file.

PHP Code:
$homeurl = "www.somewebsite.com";
$callinghttp = getenv("HTTP_REFERER");

$callingurl = str_replace("http://", "", $callinghttp);
$url = stristr($callinghttp, $homeurl);

if ($url === false) {
    readfile("outside.html");
    exit;
}

P.P.S. My page that calls my javascript function is html, and the function is called from a form onSubmit.

Last edited by entint; 06-09-2005 at 07:12 AM..
Old 06-09-2005, 07:53 AM   PM User | #2
SeeIT Solutions
have you tried using
PHP Code:
$_SERVER['HTTP_REFERRER']
?

also, you have referrer spelt incorrectly.
Old 06-09-2005, 08:04 AM   PM User | #3
entint
Yeah I tried that a few moments ago as well, still no luck...Any other ideas? maybe something that would parse on the html page and then send through the javascript to the php? I don't know how that would work but it would solve the problem because it wouldn't have to be called from the php script and could be called on the actual referring page...

Yes I know referrer is spelt wrong, but in php (among other coding languages) this is the spelling that they use since the misspelled word somehow made it into the HTTP standard...don't ask me why it's just the way they did it...

Last edited by entint; 06-09-2005 at 08:30 AM..
Old 06-09-2005, 08:23 AM   PM User | #4
entint
Just for reference, and to make sure that I'm not doing anything wrong in my html and javascript to accomplish this, here's the relevant parts of all of my code. Can someone please help me out?

Relevant HTML Code:
Code:
<div id="content">
	<h2>Email Us:</h2>
	<form name="formmail" action="mail.php" method="get" onsubmit="sendMail(this.action); return false;">
		<input type="hidden" name="to" value="info@entintdesign.com" />
						
		<div><label for="name">Name:</label></div>
		<input type="text" name="name" />
						
		<div><label for="email">Email:</label></div>
		<input type="text" name="email" />
						
		<div><label for="subject">Subject:</label></div>
		<input type="text" name="subject" />
						
		<div><label for="message">Message:</label></div>
		<textarea name="message" rows="" cols=""></textarea>
						
		<div>&nbsp;</div>
		<input type="submit" name="submit" value="Send" class="btn" />
	</form>
</div>
Relevant Javascript:
Code:
// HTTPRequest Object
function loadXMLDoc(url) 
{
    if (window.XMLHttpRequest) {    // branch for native XMLHttpRequest object
        req = new XMLHttpRequest();
        req.onreadystatechange = processReqChange;
        req.open("GET", url, true);
        req.send(null);
    } else if (window.ActiveXObject) {    // branch for IE/Windows ActiveX version
        req = new ActiveXObject("Microsoft.XMLHTTP");
        if (req) {
            req.onreadystatechange = processReqChange;
            req.open("GET", url, true);
            req.send();
        }
    }
}
// req Change processor
function processReqChange() 
{
    if (req.readyState == 4) {    // readyState = Complete
        if (req.status == 200) {        // status = Okay
			if(document.getElementById) {
	            document.getElementById("content").innerHTML = req.responseText;
			}
        } else {
            alert("There was a problem retrieving the data you requested:\n\n" + req.status + ": " + req.statusText);
			closeArrow();
        }
    }
}
// Mail Form Page Call
function sendMail(whichURL) {
	var to = document.formmail.to.value;
	var from = document.formmail.name.value;
	var email = document.formmail.email.value;
	var subject = document.formmail.subject.value;
	var message = document.formmail.message.value;
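	// Encode each value so characters such as & or spaces cannot break the query string
	var thisURL = whichURL + "?to=" + encodeURIComponent(to) + "&name=" + encodeURIComponent(from) + "&email=" + encodeURIComponent(email) + "&subject=" + encodeURIComponent(subject) + "&message=" + encodeURIComponent(message);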
	loadXMLDoc(thisURL);
}
Relevant PHP where problem arises
PHP Code:
$callinghttp = getenv("HTTP_REFERER");
$callingurl = str_replace("http://", "", $callinghttp);
$url = stristr($callinghttp, $homeurl);

if ($url === false) {
    readfile("outside.html");
    exit;
}

Old 06-09-2005, 08:25 AM   PM User | #5
Harry Armadillo
In your xmlhttprequest function, you'll have to set the Referer header yourself.

req.setRequestHeader("Referer", "http://whatever/etc/");
Old 06-09-2005, 08:27 AM   PM User | #6
SeeIT Solutions
did you see my note about referrer being spelt incorrectly?
Old 06-09-2005, 08:31 AM   PM User | #7
entint
Yea, I did. Check the post I responded with; I have edited it since.

Is there any other way Harry? That way just doesn't seem very secure...If that is the only way then I guess I have to use it...

Last edited by entint; 06-09-2005 at 08:34 AM..
Old 06-09-2005, 08:42 AM   PM User | #8
Harry Armadillo
xmlhttp requests don't send a referer by default; if you want one, you have to send it yourself.

If you want higher security, sessionid.
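Added example, not part of any post in this thread: the Referer comparison from post #1 next to a session-bound form token, which is one reading of the "sessionid" suggestion in post #8. The function names, the `form_token` session key and the `token` request field are assumptions for illustration, and the sample requests are constructed.

```php
<?php
// Added illustration; names below are hypothetical, not from the thread.

// Approach from post #1: trusts a header that the client chooses to send.
function referer_check(array $server, string $homeurl): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';   // often absent altogether
    return stristr($referer, $homeurl) !== false;
}

// Session approach: the form page stores a random token in the session
// and embeds it in the form; the mail script compares the two values.
function issue_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

function token_check(array $session, array $request): bool
{
    $expected = $session['form_token'] ?? '';
    $supplied = $request['token'] ?? '';
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);   // constant-time comparison
}

// Constructed requests (no real traffic).
$home    = 'www.somewebsite.com';
$session = [];                     // stands in for $_SESSION after session_start()
$token   = issue_token($session);  // done when the form page is rendered

$cases = [
    'own page, XHR without Referer'    => [[], ['token' => $token]],
    'outside caller, Referer supplied' => [['HTTP_REFERER' => "http://$home/contact.html"], []],
    'outside caller, guessed token'    => [['HTTP_REFERER' => "http://$home/"], ['token' => str_repeat('0', 64)]],
];

foreach ($cases as $label => [$server, $request]) {
    printf("%-34s referer=%-5s token=%s\n", $label,
        var_export(referer_check($server, $home), true),
        var_export(token_check($session, $request), true));
}
```

The Referer check rejects the site's own request when the header is missing and accepts any caller that supplies a matching string, while the token check depends only on a value stored server-side in the visitor's session.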
Old 06-09-2005, 08:47 AM   PM User | #9
entint
ok sounds good. thanks a bunch