Welcome to WebmasterWorld Guest from 54.226.47.198

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

Verifying a link is coming from the current site

Comparing referrer and host

     
9:02 pm on Jan 1, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 1, 2007
posts:24
votes: 0


I need to be able to compare $_SERVER["HTTP_REFERER"]; to $_SERVER["HTTP_HOST"]; and make sure they are coming from the same place.

The problem is, I don't know how to use "mid" essentially in PHP.

The returned values are:

$_SERVER["HTTP_REFERER"];
- [mydomain.com...]

$_SERVER["HTTP_HOST"];
www.mydomain.com

How would I do that?

Thanks

9:14 pm on Jan 1, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 6, 2005
posts:575
votes: 0


I don't know what you mean by "mid", but you should probably take a look at strpos() [php.net]. Also, remember that some web browsers will not send the referrer and so the check is not always accurate.
9:16 pm on Jan 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 12, 2005
posts:5966
votes: 0


Welcome to WebmasterWorld, FuzzyLogik!

A referrer cannot entirely be trusted.

Maybe if I knew a little more about why you are doing this I can find an alternate solution that is a little more reliable.

10:29 pm on Jan 1, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 1, 2007
posts:24
votes: 0


Hmm, alright.

Basically, I want to link to a site without actually linking to it, so I have the following in my .htacccess:

RewriteRule ^offsite/([A-Za-z0-9_\ %\.\\-]+)$ redirect.php?site=$1

which will take any url, such as:
[mysite.com...]

and pass it to redirect.php?site=thissite.com

redirect was going to(prior to my finding out it wouldn't always work) check the referrer and make sure it matched the host, so people can't just type in any url, it had to be coming from my site.

How else would you recommend I do this?

11:58 pm on Jan 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 31, 2003
posts:1316
votes: 0


Why does it matter if people type their own URLs? Are you worried about loss of bandwidth over time due to bookmarks, etc? Or is it a security concern?
12:02 am on Jan 2, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 1, 2007
posts:24
votes: 0


Phishing. I don't want people to say, "look, my site is hosting at so-and-so's site. www.mysite.com/offsite/virusinstall.com
3:37 am on Jan 2, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 31, 2003
posts:1316
votes: 0


Ah, good point. Last I checked, about 10% if my hits didn't have the proper referral. But at least one site I know of seems to use the referrer anyway, to protect its images.

You could probably set up a cookie-based system to only allow the redirect if the user has been to a referring page within the last hour or two. It would take some work, though.

4:22 pm on Jan 2, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 1, 2007
posts:24
votes: 0


I would rather not use cookies or sessions, is there another way?
4:54 pm on Jan 2, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 31, 2003
posts:1316
votes: 0


You could give the redirect script a security code, and generate a new valid code each time someone hits a calling page. Of course all of the calling pages would have to be PHP, but you could use an algorithm to generate and validate the codes, so that you wouldn't have to keep a list of them. The codes could be time-based so that they expire.

Or for another solution, you could store all of the links in a database, and refer to them with a code, like TinyURL does. That might be harder to maintain, but it would be most secure.

5:06 pm on Jan 2, 2007 (gmt 0)

New User

5+ Year Member

joined:Jan 1, 2007
posts:24
votes: 0


I was thinking about the code one before, but I'm not entirely how how the best way to go about that is.

I would need an encyption alg. that others don't have access to. I guess I could md5 a text string with a timestamp, but that seems silly, really.

Any suggestions on the best way to implement the code version? (I would prefer a 4-5 digit code, if it has to be in the URL itself. such as:

mysite.com/offsite/yoursite.com?f49Kd

5:25 pm on Jan 2, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 31, 2003
posts:1316
votes: 0


I'll sticky you some code.