Here's the situation:
We use an affiliate tracking program that uses an embedded image tag to call up a php order logging script. The image tag appears on the order confirmation page in our 3rd party shopping cart and passes the order amount, order ID, and our account # to the php script, like this:
<img src="http://www.somesite.com/orderscript.php?AID=002773&amount=XXXX&orderid=YYYY" width=1 height=1>
(where XXXX and YYYY stand for variables specific to our shopping cart).
I want to make this more secure by calling up a handshaking script that first verifies the call to the script came from our specific order confirmation page and then redirects the call to the final logging script after rebuilding the URL query string.
The problem is that our order confirmation page is secured "HTTPS://www...." so that the function
getenv('HTTP_REFERER');
doesn't work. Nothing is returned. It's either null or empty (I haven't yet tested which it is).
Apparently there is a way to pull the URL using ASP, though I don't know this for certain. Does anyone know of a way to use PHP to verify the referring page when that page is delivered over a secured connection? The verification must occur outside of the code that would appear in the "view source" for the order confirmation page, otherwise someone could easily determine the verification that is being conducted and simply mimic the call in his/her own browser outside of the order confirmation page.
Many thanks for your help. 🙂
Tim
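
The handshake script described in the post, sketched as an added example that is not part of the original post or of the affiliate program's code. Browsers leave out the Referer header when an HTTPS page requests a plain-HTTP resource, so this sketch assumes the handshake script itself is served over HTTPS; the cart host name and the parameter formats are placeholders chosen for illustration.

```php
<?php
// Added example: hypothetical handshake script, not code from the original post.
// EXPECTED_HOST and the amount/orderid formats are assumptions; the logger URL
// and account number are the ones shown in the post.
const EXPECTED_HOST = 'www.example-cart.test';   // placeholder cart host
const LOGGER_URL    = 'http://www.somesite.com/orderscript.php';
const ACCOUNT_ID    = '002773';

/** True only when the Referer names the expected HTTPS origin. */
function refererMatches(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;                    // the empty case described in the post: fail closed
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return false;
    }
    // Current browser defaults trim a cross-origin Referer to scheme and host,
    // so the path of the confirmation page is deliberately not compared.
    return ($parts['scheme'] ?? '') === 'https'
        && strcasecmp($parts['host'] ?? '', EXPECTED_HOST) === 0;
}

/** Rebuilds the logging URL from validated values, or returns null. */
function buildLoggerUrl(array $query): ?string
{
    $amount  = $query['amount']  ?? '';
    $orderId = $query['orderid'] ?? '';
    if (!is_string($amount) || !preg_match('/^\d{1,7}(\.\d{2})?\z/', $amount)) {
        return null;
    }
    if (!is_string($orderId) || !preg_match('/^[A-Za-z0-9-]{1,32}\z/', $orderId)) {
        return null;
    }
    // The account number is fixed server-side and never taken from the request.
    return LOGGER_URL . '?' . http_build_query(
        ['AID' => ACCOUNT_ID, 'amount' => $amount, 'orderid' => $orderId]
    );
}

if (PHP_SAPI !== 'cli') {                // handle a real web request
    $target = refererMatches($_SERVER['HTTP_REFERER'] ?? null)
        ? buildLoggerUrl($_GET)
        : null;
    if ($target === null) {
        http_response_code(403);
        exit;
    }
    header('Location: ' . $target, true, 302);
    exit;
}
```

The Referer header is supplied by the requesting client, so a match here indicates where a request claims to come from rather than proving it.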