Make sure user is referred from specific page

Discussion in 'PHP' started by sitefever, May 25, 2007.

Thread Status:
Not open for further replies.
0
  1. #1
    I know this is possible because I have seen it in a few scripts before, but I forgot exactly how the language was put.

    I have a link on a page inside a password protected folder, lets call it domain.com/protected/hide.php.

    When the user clicks on the hyperlink, they will be redirected to domain.com/folder/page.php

    I want to write somewhere on page.php to be sure the visitor came from hide.php, otherwise display an error message. How can I do this?

    Thank you!
     
    sitefever, May 25, 2007 IP
  2. projectshifter

    projectshifter Peon

    Messages:
    394
    Likes Received:
    7
    Best Answers:
    0
    Trophy Points:
    0
    #2
    if (!GETENV('HTTP_REFERER') == 'http://www.domain.com/protected/hide.php')
    die('Error!');

    Something along those lines should work. Keep in mind www.domain.com and domain.com are different, it never hurts to toss in a redirection for your pages so everything is www (plus helps with your PR and such)
     
    projectshifter, May 25, 2007 IP
  3. sitefever

    sitefever Banned

    Messages:
    782
    Likes Received:
    26
    Best Answers:
    0
    Trophy Points:
    0
    #3
    I was going to give that a try, but I was wondering if there is any way to set HTTP_REFERER to any page under a certian folder. For example allow any user from /folder1/page1, page2, page3, etc. instead of allowing only an exact address.
     
    sitefever, May 25, 2007 IP
  4. Paris Holley

    Paris Holley Peon

    Messages:
    27
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #4
    what you want to do then is somethin like this..


    
$urls = array('folder1','folder2','folder3');

if( in_array( GETENV('HTTP_REFERER') , $urls ) )
  echo 'yes';
else
  echo 'no';
    PHP:
     
    Paris Holley, May 25, 2007 IP
  5. projectshifter

    projectshifter Peon

    Messages:
    394
    Likes Received:
    7
    Best Answers:
    0
    Trophy Points:
    0
    #5
    I don't think that's going to work. You can do a substr() check or explode() to break it apart and just check certain parts.
     
    projectshifter, May 26, 2007 IP
  6. rodney88

    rodney88 Guest

    Messages:
    480
    Likes Received:
    37
    Best Answers:
    0
    Trophy Points:
    0
    #6
    You can do this but not with HTTP_REFERER. When your browser makes a request for a page, it'll usually send an additional header containing "Referer: http://www.url.to/previous/page.php". This value is then accessible to scripts under the global $_SERVER array as $_SERVER['HTTP_REFERER'].. but since it's an optional header sent by the client, you cannot rely on it at all. Users can set the referrer to be any URL (or even any value) they want, but more commonly problems arise where the browser does not send anything at all.

    If you want to check where a user came from reliably, you'll need to use sessions. Basic example:
    # Place this in the /protected/hide.php file, at the very top before any output
session_start();
$_SESSION['verified'] = true;

# Then on every page you want to ensure the user has been verified, put
session_start();
if ( empty($_SESSION['verified']) )
    die('Unverified user. <a href="/">Return to homepage</a>.');
    PHP:
     
    rodney88, May 26, 2007 IP
Thread Status:
Not open for further replies.