
PHP Server Side Scripting Forum

    
Verifying a link is coming from the current site
Comparing referrer and host
FuzzyLogik

5+ Year Member



 
Msg#: 3205173 posted 9:02 pm on Jan 1, 2007 (gmt 0)

I need to be able to compare $_SERVER["HTTP_REFERER"]; to $_SERVER["HTTP_HOST"]; and make sure they are coming from the same place.

The problem is, I don't know how to use "mid" essentially in PHP.

The returned values are:

$_SERVER["HTTP_REFERER"];
- [mydomain.com...]

$_SERVER["HTTP_HOST"];
www.mydomain.com

How would I do that?

Thanks

 

barns101

5+ Year Member



 
Msg#: 3205173 posted 9:14 pm on Jan 1, 2007 (gmt 0)

I don't know what you mean by "mid", but you should probably take a look at strpos() [php.net]. Also, remember that some web browsers will not send the referrer and so the check is not always accurate.

eelixduppy

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 5+ Year Member



 
Msg#: 3205173 posted 9:16 pm on Jan 1, 2007 (gmt 0)

Welcome to WebmasterWorld, FuzzyLogik!

A referrer cannot entirely be trusted.

Maybe if I knew a little more about why you are doing this I can find an alternate solution that is a little more reliable.

FuzzyLogik

5+ Year Member



 
Msg#: 3205173 posted 10:29 pm on Jan 1, 2007 (gmt 0)

Hmm, alright.

Basically, I want to link to a site without actually linking to it, so I have the following in my .htaccess:

RewriteRule ^offsite/([A-Za-z0-9_\ %\.\\-]+)$ redirect.php?site=$1

which will take any url, such as:
[mysite.com...]

and pass it to redirect.php?site=thissite.com

redirect was going to (prior to my finding out it wouldn't always work) check the referrer and make sure it matched the host, so people can't just type in any URL; it had to be coming from my site.

How else would you recommend I do this?

mcavic

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3205173 posted 11:58 pm on Jan 1, 2007 (gmt 0)

Why does it matter if people type their own URLs? Are you worried about loss of bandwidth over time due to bookmarks, etc? Or is it a security concern?

FuzzyLogik

5+ Year Member



 
Msg#: 3205173 posted 12:02 am on Jan 2, 2007 (gmt 0)

Phishing. I don't want people to say, "look, my site is hosting at so-and-so's site. www.mysite.com/offsite/virusinstall.com"

mcavic

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3205173 posted 3:37 am on Jan 2, 2007 (gmt 0)

Ah, good point. Last I checked, about 10% of my hits didn't have the proper referral. But at least one site I know of seems to use the referrer anyway, to protect its images.

You could probably set up a cookie-based system to only allow the redirect if the user has been to a referring page within the last hour or two. It would take some work, though.

FuzzyLogik

5+ Year Member



 
Msg#: 3205173 posted 4:22 pm on Jan 2, 2007 (gmt 0)

I would rather not use cookies or sessions. Is there another way?

mcavic

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3205173 posted 4:54 pm on Jan 2, 2007 (gmt 0)

You could give the redirect script a security code, and generate a new valid code each time someone hits a calling page. Of course all of the calling pages would have to be PHP, but you could use an algorithm to generate and validate the codes, so that you wouldn't have to keep a list of them. The codes could be time-based so that they expire.

Or for another solution, you could store all of the links in a database, and refer to them with a code, like TinyURL does. That might be harder to maintain, but it would be most secure.

FuzzyLogik

5+ Year Member



 
Msg#: 3205173 posted 5:06 pm on Jan 2, 2007 (gmt 0)

I was thinking about the code one before, but I'm not entirely sure what the best way to go about that is.

I would need an encryption alg. that others don't have access to. I guess I could md5 a text string with a timestamp, but that seems silly, really.

Any suggestions on the best way to implement the code version? (I would prefer a 4-5 digit code, if it has to be in the URL itself.) Such as:

mysite.com/offsite/yoursite.com?f49Kd

mcavic

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3205173 posted 5:25 pm on Jan 2, 2007 (gmt 0)

I'll sticky you some code.
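
The time-limited security code suggested in this thread can be built as a keyed hash (HMAC) over the target site and an expiry time, so the redirect script can validate a code without keeping a list of issued ones. The following is an added example, not code from the thread or any of its posters; `SECRET_KEY`, `TTL`, the `e` and `c` parameter names and both function names are assumptions.

```php
<?php
// Added example, not code from the thread. SECRET_KEY, TTL, the e/c
// parameter names and the function names are assumptions for this sketch.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';
const TTL = 7200; // seconds a code stays valid

// Called by the linking page: builds the /offsite/ URL with expiry and code.
function make_offsite_link(string $site, ?int $now = null): string
{
    $expires = ($now ?? time()) + TTL;
    // The code covers both the target and the expiry, so neither can be
    // changed without knowing SECRET_KEY.
    $code = hash_hmac('sha256', $site . '|' . $expires, SECRET_KEY);
    return '/offsite/' . rawurlencode($site) . '?e=' . $expires . '&c=' . $code;
}

// Called by redirect.php: true only for an unexpired code issued for $site.
function check_offsite_code(string $site, string $expires, string $code, ?int $now = null): bool
{
    if (!ctype_digit($expires) || (int)$expires < ($now ?? time())) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', $site . '|' . $expires, SECRET_KEY);
    return hash_equals($expected, $code); // constant-time comparison
}

// Constructed demonstration values.
$now  = 1167670000;
$link = make_offsite_link('thissite.com', $now);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(check_offsite_code('thissite.com', $q['e'], $q['c'], $now));           // code issued for this site
var_dump(check_offsite_code('virusinstall.com', $q['e'], $q['c'], $now));       // same code, different target
var_dump(check_offsite_code('thissite.com', $q['e'], $q['c'], $now + TTL + 1)); // same code after expiry
```

For `e` and `c` to reach redirect.php, the RewriteRule shown earlier would need the `QSA` flag, since a substitution that carries its own query string otherwise discards the original one. Truncating the code to a few characters makes the URL shorter but also makes a valid code far easier to guess.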
