Know from where your script is being executed?

Z3RatuL

Hi,

I want to know from where my script is being executed. I tried using $SERVER["'HTTP_REFERER"] but this doesn't seem to work. I also checked my phpinfo and saw there wasn't any SERVER["HTTP_REFERER"] option. It should be there? This means my server doesn't support it or it does and it's not showing me any results? And if it doesn't support it how can I enable it?

dalecosp

The variable's existence depends on the web server software you are using. AFAIK, most common web servers support it. How are you testing for it?

Z3RatuL

Well, I know most web servers support it. I tested it using php's info function

phpinfo();

and about at the bottom of that page there are all the SERVER & ENV variables. All except _SERVER["HTTP_REFERER"].

I'm using apache 2.0.50 & php 4.3.9 installed on a windows xp machine.

PHPMagician

HTTP_REFERER refers to the HTTP header Referer which the client MAY send when connecting to a webserver requesting a document (or similar). It tells you where (or where the user wants you to believe) the user was last. In most cases, a link would have been clicked on this page that directed the user to your page.

However, if I access the site directly, $SERVER['HTTP_REFERER'] is not going to exist. Some firewalls will filter out $SERVER['HTTP_REFERER'] and many methods can be employed to disable the passing of the HTTP Refer header.

I don't really see how it solved you problem in the first place, however. When you say 'where', do you want to know where it directory location is on the actual server or the actual domain name being used to access the script?

Z3RatuL

Thanks for the reply PHPMagician. It's very helpfull. When I said where, like you said, I meant which domain name is being used to access the script.

dalecosp

Originally posted by Z3RatuL
Thanks for the reply PHPMagician. It's very helpfull. When I said where, like you said, I meant which domain name is being used to access the script.

Sounds a tad more like $SERVER['REMOTE_ADDR'] or $SERVER['REMOTE_HOST'], then....

Similar to what the Magician said, there's no guarantee that these will be accurate. However, REMOTE_HOST should be there, in any case. It's just that it's not totally reliable, (and indeed, nothing is ...)

PHPMagician

If HTTP/1.1 was used, _SERVER['HTTP_HOST'] should be set.

So it is a matter of:

$domain='http://'. $_SERVER['HTTP_HOST'] .$_SERVER['PHP_SELF'];

However, you cannot rely on it.

Z3RatuL

Thanks for your help guys. Especially PHPMagician. This little chunk of code is what I needed 🙂

And yes you can't rely on anything but it's good to have these lines at your scripts. These makes script kiddies work a little more complex, so I guess it won't hurt just to add these lines of code.

Z3RatuL

ok now i'm tottaly confused...

here's my test script that works fine and if http_referer is not from my domain the it displays the user ip:

if (isset($_SERVER['HTTP_REFERER'])) {

//the server he tried to execute the script
$referer=strtolower($_SERVER['HTTP_REFERER']);
if (!strstr($referer, 'mydomain.com')) {
//echo '<b>'.$referer.'</b>';
//Remote IP of the user
$remote_address = $_SERVER['REMOTE_ADDR'];

//The browser he used to connect
$user_browser = $_SERVER['HTTP_USER_AGENT'];

$date = date('j-n-Y @ H:i:s');

echo '<font face="verdana, arial" style="font-size: 11px; font-weight: bold">Your IP address is: </font><font face="verdana, arial" style="font-size: 13px; font-weight: bold; color: red">'. $remote_address .'</font><br><br>';
}
else {
	echo 'EVERYTHING IS OK!';
}
}

And here's the code I use at my site. For some reason this code doesn't look for http_referer even though it's the same as the above! If you could help I'll be very greatful:

 session_start();
 require 'includes/config.php'; 

if(isset($_SERVER['HTTP_REFERER'])) {

//the server he tried to execute the script
$referer=strtolower($_SERVER['HTTP_REFERER']);

if(!strstr($referer, 'mydomain.com')) {
//echo '<b>'.$referer.'</b>';
//Remote IP of the user
$remote_address = $_SERVER['REMOTE_ADDR'];

//The browser he used to connect
$user_browser = $_SERVER['HTTP_USER_AGENT'];

//$date = date('j-n-Y @ H:i:s');

echo '<font face="verdana, arial" style="font-size: 11px; font-weight: bold">Your IP address is: </font><font face="verdana, arial" style="font-size: 13px; font-weight: bold; color: red">'. $remote_address .'</font><br><br>';
}
else {

	$pass = trim (htmlspecialchars (addslashes ($_POST['Login'])));
	$login = trim (htmlspecialchars (addslashes ($_POST['Member'])));
	//$pass = $_POST['Login'];
	//$login = $_POST['Member'];

	$sql_username_check = mysql_query("SELECT memb_id FROM members WHERE memb_id='$login' AND memb_pwd='$pass'"); 
	$username_check = mysql_num_rows($sql_username_check); 
	$sql_pass_check = mysql_query("SELECT memb_pwd FROM members WHERE memb_pwd='$pass' AND memb_id = '$login'"); 
	$pass_check = mysql_num_rows($sql_pass_check); 
	if (empty($login) || empty($pass) || ($username_check <= 0) || ($pass_check <= 0)) {
		echo '';
	if (empty($login) || empty($pass))
		echo '<b>Error: <br>Some fields were left blank. Please go back and try again.</b>';
	elseif (($username_check <= 0) || ($pass_check <= 0))
		echo '<b>Error:<br>Bad Username / Password. Please go back and try again.</b>';
	}
	else
	{
		$_SESSION['login'] = $login;
		$_SESSION['pass'] = $pass;
	}
	if ($_SESSION['login'] == TRUE ) { 

		$sql = mysql_query("SELECT mail_addr FROM members WHERE memb_id='$login'"); 
		$mailsession =  mysql_result($sql, 0, 0);
		$_SESSION['mailsession'] = $mailsession;

		echo 'Successfully logged in. You are being redirected...
		<meta http-equiv="refresh" content="0; URL=index.php?op=account.php">';

	}

}

PHPMagician

Can we see the content of 'includes/config.php'. If it doesn't look for HTTP_REFERER, does it then go to the else, or does nothing happen?

Z3RatuL

Ok if found what the problem was...

In my site I use a flash movie so the users can connect. I found that flash doesn't pass header information and now I dont know how to fix this 🙁 I also have a normal html form that works fine. But flash login movie is the main login script.