JuniorBee
asked on
Check for referring page
Morning PHP Experts!
How can I check this code to be sure it only works when linked from a specific page on my site? If the referrer is not mypage.php then I want to set session(errorsession) to "nocheck" and redirect to errorpage.asp
<?php
include("xmlrpc.inc");
define("XMLRPC_DEBUG", 1);
header("Content-type: text/html");
// Values sent to the remote XML-RPC endpoint
$array["Channel"] = "mychan";
$array["StringValue"] = "hello world";
$array["IntValue"] = 2;
list($success2, $response) = XMLRPC_request('xmlrpc.remotesite.com', '/cgi-bin/xmlrpc.cgi', 'llRemoteData', array(XMLRPC_prepare($array)));
$resp_key = $response["StringValue"];
// Redirect according to the remote reply
if ($resp_key == 'Confirmed') {
header('location:complete.asp');
} else {
set_time_limit(28);
header('location:error.asp');
}
?>
ASKER
I am sorry, I know very little about PHP syntax. Could you possibly copy and paste my code so I can see where it all goes?
I tried just putting that at the top, but it did not work.
=/
It's also worth noting that HTTP_REFERER is not guaranteed to be what you expect. This is for two reasons:
1) The responsibility for setting it is given to the browser, and some browsers do not set it.
2) It is easy to write code that sets the HTTP_REFERER to whatever value is required to get through your security. Some browsers even provide a feature where you can set this.
A better solution is to host on Apache, and get the headers from the apache server direct:
<?php
$webserver=apache_request_
if( !eregi ( 'yourdomain.com', $host[Referer]) ) {
/* Your code goes here */
}else{
/* Code to reject the call */
}
?>
Sorry - typo:
<?php
$webserver=apache_request_
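// Proceed only when the Referer header contains the expected domain (eregi() was removed in PHP 7)
if( isset($webserver['Referer']) && stripos($webserver['Referer'], 'yourdomain.com') !== false ) {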
/* Your code goes here */
}else{
/* Code to reject the call */
}
?>
You can check the content of $_SERVER['HTTP_REFERER']. If $_SERVER['HTTP_REFERER'] == 'http://www.your-host.com/mypage.php' then the client may proceed. Otherwise set the session and do the redirection.
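An added example, not code from any poster in this thread, of the check described in the last answer, placed ahead of the XML-RPC call in the asker's script. The host www.your-host.com, the path /mypage.php, the `page_token` session key and the helper function names are assumptions; the session token is an addition that covers the missing or client-set Referer cases raised earlier in the thread.

```php
<?php
// Added example. Assumed names: www.your-host.com, /mypage.php,
// $_SESSION['page_token'] and the helper functions below.
session_start();

const EXPECTED_HOST = 'www.your-host.com';
const EXPECTED_PATH = '/mypage.php';

// In mypage.php: call this while rendering the page, so the server itself
// records that this visitor really loaded it.
function issue_page_token(): void
{
    $_SESSION['page_token'] = bin2hex(random_bytes(16));
}

// True only if the Referer header parses to exactly the expected host and
// path. A substring match would also accept any URL that merely contains
// the expected string somewhere, for example in its query part.
function referer_is_mypage(array $server): bool
{
    $parts = parse_url($server['HTTP_REFERER'] ?? '');
    if (!is_array($parts)) {
        return false; // malformed header
    }
    return strcasecmp($parts['host'] ?? '', EXPECTED_HOST) === 0
        && ($parts['path'] ?? '') === EXPECTED_PATH;
}

// True once per token: the token is consumed, so a bookmarked or repeated
// request to the protected script fails.
function consume_page_token(): bool
{
    $ok = isset($_SESSION['page_token']);
    unset($_SESSION['page_token']);
    return $ok;
}

// In the protected script, before any output and before the XML-RPC call.
// The Referer header is supplied by the client, so the session token is the
// deciding test; the Referer comparison is kept because the question asks for it.
if (!consume_page_token() || !referer_is_mypage($_SERVER)) {
    $_SESSION['errorsession'] = 'nocheck';
    header('Location: errorpage.asp');
    exit;
}
```

Browsers that omit the Referer header are rejected by the second test; removing it leaves the session token as the only gate.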