get previous page

         

helenp

1:26 pm on Aug 20, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi,
I have a contact page with a contact form,
and when they are viewing a page (properties) and click on contact us a new page opens, however for some reason many think we know which property they are interested in, and I often get emails like this:
Hi I am interested in your property for the dates.....etc.
And I have to answer, In which of the properties are you interested, and sometimes don't get an answer as many don't remember the name of it, and don't feel like searching for it again.
So I want to add in the email I receive the previous page they saw.

The properties page does have a var declared with the name of the property, however I don't pass it in the url, it's only for a link I have on the same page.
I know I could do this with sessions, (not sure how as my practice is a bit rusty :).)
However I know many browsers advise you that this site uses cookies so I don't want to use sessions.
How can I pass that var to the contactform not using the url?
Or see the page they came from? Using http_referrer?
Which is the best and safest way?
Thanks in advance

helenp

3:45 pm on Aug 20, 2011 (gmt 0)


This sort of works:
$http_referer = isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:null;
However as on the contact page they fill in a form that uses formmail, I get the url of the contact page where the form is instead of the page from where they came to the contact page....

penders

10:33 pm on Aug 20, 2011 (gmt 0)


You could set the value of a hidden field in your form to the value of $http_header. This is then submitted with the form. The formmail script can then use the value of this hidden field (the original referrer) rather than looking up the HTTP_REFERER again.

helenp

12:11 am on Aug 21, 2011 (gmt 0)


Thanks Penders,
Don't know what I am doing wrong, I keep getting in the email the url of the contact page....
If I do an echo I get the previous page just as I should.
This is what I have on page:
$referer= isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:null;
echo $referer;
The echo gives me the correct page.

This I have in the form, and it sends me the url of the contact page where the form is.
<label for="referer"></label><input id="referer" name="referer" type="hidden" value="$referer"/>

helenp

10:02 am on Aug 21, 2011 (gmt 0)


Oops, didn't put the value in php code, now have this:

This I declare in the code before the form is sent:
$referer= isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:null;
echo $referer;
The echo gives the previous post

and this with the correct <?php quotes, still gives me as referer the contact page where the form is.
<label for="referer"></label><input id="referer" name="referer" type="hidden" value="<?php $referer;?>"/>

penders

11:41 am on Aug 21, 2011 (gmt 0)


<input name="referer" type="hidden" value="<?php echo $referer; ?>"/>


You need to 'echo' the contents of the variable. And you don't need a label for a hidden field.

What you have seems to be OK in principle. Although if $referer is set to the contactpage it would seem that it's being recalculated. I would have thought this would only happen if you encountered some validation errors whilst processing the form and you needed to redisplay the form for the user to correct errors...?

What is the action of your form? If you are not using session variables or cookies then I think you will need to submit back to the same page (ie. contactpage) in order to maintain state, otherwise you could end up losing the $referer when redirecting back to the contact form on error, unless you include this in the URL? (Although you would also have trouble hanging on to all your other form data as well.)

// Set to actual referer initially (default) 
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
// When form is submitted, grab referer from form
$referer = isset($_POST['referer']) ? $_POST['referer'] : $referer;
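The hidden-field approach from this post, as an added example that is not code from the thread: both the Referer header and the hidden field are supplied by the client, so the value is validated before it is reused and escaped when written into the form. SITE_HOST, clean_path() and referer_to_path() are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. SITE_HOST and both helper
// functions are assumptions made for illustration.
const SITE_HOST = 'www.example.com';

// Allow only characters expected in our own page paths. This rejects
// quotes, angle brackets and CR/LF before the value reaches HTML or mail.
function clean_path($path): ?string
{
    if (!is_string($path) || strlen($path) > 512) {
        return null;
    }
    return preg_match('#\A/[A-Za-z0-9/_.-]*\z#', $path) === 1 ? $path : null;
}

// Reduce a Referer header to a root-relative path, and only when it
// points at our own site.
function referer_to_path($url): ?string
{
    if (!is_string($url) || $url === '') {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['host'], $parts['path'])) {
        return null;
    }
    if (strcasecmp($parts['host'], SITE_HOST) !== 0) {
        return null;
    }
    return clean_path($parts['path']);
}

// First view: use the browser's Referer header (may be absent).
$referer = referer_to_path($_SERVER['HTTP_REFERER'] ?? null);

// Form submitted: the hidden field replaces it. The field is editable by
// the client, so it is validated again rather than trusted.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $referer = clean_path($_POST['referer'] ?? null);
    $mailLine = 'Previous page: ' . ($referer ?? 'not available');
    // $mailLine is appended to the message body that is sent.
}
?>
<input name="referer" type="hidden"
       value="<?php echo htmlspecialchars($referer ?? '', ENT_QUOTES, 'UTF-8'); ?>"/>
```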

helenp

3:51 pm on Aug 21, 2011 (gmt 0)


Added the echo and took away unnecessary code such as the label etc,
and still the same.
This is my action:
<form id='myForm' action="<?php echo $PHP_SELF;?>" method="post">

However I use header when validating, if sent successfully, I'm redirected to a page saying it has been sent.

wow, just added your code into after form is submitted:
// When form is submitted, grab referer from form
$referer = isset($_POST['referer']) ? $_POST['referer'] : $referer;

As far as I can see it works perfectly, thanks a lot.

You said: unless you include this in the URL? (Although you would also have trouble hanging on to all your other form data as well.)

Can it give me problems? I don't see anything in the url with that ), and I sent one without any problems

penders

9:49 pm on Aug 21, 2011 (gmt 0)


Glad you got it working. Yes, that 2nd line of code is certainly required if navigating back to your contact form, and (without knowing exactly how your form is wired) would seem to be more important than I first thought!

You said: unless you include this in the URL? (Although you would also have trouble hanging on to all your other form data as well.)


This was only if another page/script was handling the form processing (ie. if the action was different to the contact page). You are using the same page ($PHP_SELF - although more about this in a mo) so it's OK. If this was the case you would ideally use session variables in order to temporarily store your form data (including the referer). However, you could pass back the referer in the URL when redirecting back to your contact page (as you suggest as a possibility in your initial post) eg. "http://www.example.com/path/to/contactpage.php?referer=/path/to/property_page.php". However, this could start to get messy, and is unnecessary anyway in your case (since you are doing everything on the one page).

Can it give me problems? ...


I think this should be OK most of the time. It should be noted, however, that the referer is not 100% reliable. Browsers can be configured to not send a referer. However, I would have thought that the number of real users that this affects, who visit your site and complete your contact form, would be minimal. But it is worth bearing in mind.

$PHP_SELF - If this is the unfiltered superglobal by the same name then this is a potential security issue, as it could allow an XSS injection attack. $_SERVER['PHP_SELF'] includes the entire URL including any maliciously encoded querystring on the end of the URL. Best to use $_SERVER['SCRIPT_NAME'] instead, which omits the querystring from the URL.

helenp

9:54 am on Aug 22, 2011 (gmt 0)


Thanks Penders, did not have any idea, the web is some years old, and one sort of stopped reading things :)
Am trying but get can't find the page, what am I supposed to write on 'script_name'?
Found this, isn't this safe?
action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>"


g1smd

10:28 am on Aug 22, 2011 (gmt 0)


Not all browsers will pass a referrer. You should use cookies and fall back to the referrer field if there's no cookie data.

If that is also missing, you should prompt the user to add the missing details.

penders

11:05 am on Aug 22, 2011 (gmt 0)


action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>"


That might help, but it doesn't eliminate garbage from the end of the URL. If you don't require any URL params on your action, then just use:
action="<?php echo $_SERVER['SCRIPT_NAME']; ?>"
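The three ways of building the form action discussed in this thread, side by side, as an added example that is not code from the thread. The $server array is constructed sample data standing in for $_SERVER on a request to /contact.php with extra text appended after the script name; form_tag() is a hypothetical helper.

```php
<?php
// Added example. $server is constructed sample data, not a real request.
$server = [
    'SCRIPT_NAME' => '/contact.php',
    'PHP_SELF'    => '/contact.php/"><b>appended</b>',
];

// Hypothetical helper: builds the opening form tag around a given action.
function form_tag(string $action): string
{
    return '<form id="myForm" action="' . $action . '" method="post">';
}

// 1. Unfiltered PHP_SELF: the appended text closes the attribute early
//    and the rest is parsed by the browser as markup.
$raw = form_tag($server['PHP_SELF']);

// 2. Escaped PHP_SELF: quotes and angle brackets become entities, so the
//    attribute stays intact, but the action still carries the appended text.
$escaped = form_tag(htmlentities($server['PHP_SELF'], ENT_QUOTES, 'UTF-8'));

// 3. SCRIPT_NAME: only the path of the script itself. It is still escaped
//    on output, as any value written into an attribute should be.
$script = form_tag(htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8'));

foreach (['raw PHP_SELF' => $raw, 'escaped PHP_SELF' => $escaped,
          'SCRIPT_NAME' => $script] as $label => $tag) {
    echo str_pad($label, 18), $tag, PHP_EOL;
}
```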

helenp

11:39 am on Aug 22, 2011 (gmt 0)


Thanks Penders,
however as I said before, what do I put on script_name?
the name of the form?
Tried everything but get the page can't be found.

helenp

11:58 am on Aug 22, 2011 (gmt 0)


Oops, tried again with the name of the page where the form is and this time it worked....
Thanks for all your help.

penders

12:18 pm on Aug 22, 2011 (gmt 0)


You seem to have resolved it, but I'm curious as to what you mean by "what do I put on script_name?" ...? There should be a superglobal already set called
$_SERVER['SCRIPT_NAME']
which holds the root-relative path to the current script (ie. the current page / contact page). An alternative to using $_SERVER['PHP_SELF'], but safer.

However, it is possible (although, I would hope, unlikely) that $_SERVER['SCRIPT_NAME'] is not actually set on your server. Is this the case for you?

The safest way (but least flexible) is to hard code the name of your script in the action attribute - which I think you have done?

helenp

3:50 pm on Aug 22, 2011 (gmt 0)


Dear Penders,
I suppose I just assumed it had to be changed, as it's similar to Path or your_domain etc....lol

This I am using and works;
action="<?php echo $_SERVER['contact.htm']; ?>"
It gives action="" when I check the code in the browser.

Just tried as you said:
action="<?php echo $_SERVER['SCRIPT_NAME'];?>"
and the browser gives when checking code:
action="/contact.htm"

penders

10:34 pm on Aug 22, 2011 (gmt 0)


Yeah, I did wonder. :)

This I am using and works;
action="<?php echo $_SERVER['contact.htm']; ?>"
It gives action="" when I check the code in the browser.


$_SERVER['contact.htm'] won't actually exist, so PHP will resolve this to an empty string in this case. However, PHP will issue an E_NOTICE if the appropriate error_reporting level is set which will look like an error on the page. I assume you are not seeing any 'errors', so it would seem that the error_reporting level is set so that E_NOTICE's are not output - which could well be the default.

This then results in
action=""
which does indeed work. All browsers submit the form back to the current page when the action attribute is empty. I believe this is universal among browsers - so it works. However, it is not strictly part of the HTML 4.01 spec which states that behaviour is undefined if a valid URI is not provided. However, it is due to be part of the HTML 5 spec! So, regardless of the spec, it works and AFAIK it is safe.

action="<?php echo $_SERVER['SCRIPT_NAME'];?>"
and the browser gives when checking code:
action="/contact.htm"


Presumably "/contact.htm" is correct and this works as well? This would be the fully standards compliant way of doing it, but it will work just the same as setting
action=""

helenp

10:46 pm on Aug 22, 2011 (gmt 0)


"Presumably "/contact.htm" is correct and this works as well? This would be the fully standards compliant way of doing it, but it will work just the same as setting action="" "

Yes it works as well, so I stick to that, it's better as I like to copy and paste code. Thanks a lot for your time and explanations.