Search Referring URL for phrase use If...Else to determine action

skatecrazzy

OK, so I'm new to PHP. If anyone can help me it would be GREATLY appreciated!

I already set up a password protected area on my site using php. However, a web conferencing service I use cannot access password protected pages and I need it to. I am trying to run a string search and an If...Else statement (If referring HTTP includes "phrase" do nothing, Else require login.)

Here's the code I have so far...what am I missing that the web conferencing program uses the "Else" not the "If"?
Wont this work to search the referring url for "searchparameter"?

<?php
$referer = $_SERVER['HTTP_REFERER'];
$pattern = '/^{searchparameter/';}
if (preg_match($pattern, $referer))
{
;
}
else
{
include("password_protection_file...");
}
?>

Thank you so much for any help you may be able to provide!

-skatecrazzy

sneakyimp

The first thing that occurs to me is that you cannot trust the value you find in $_SERVER['HTTP_REFERER'] because this value comes from the browser (or bot, or hacker) and it can be anything they want it to be. If you want to search any string for the word 'phrase' then use this pattern:

$pattern = '/phrase/';

If you want to search for phrase or PHRASE use this one:

$pattern = '/phrase/i';

If the string you are looking for is not actually 'phrase' but something else, you may need to use [man]preg_quote[/man].

skatecrazzy

Thank you for your quick reply!

Well, I was pretty sure I could use the $_SERVER['HTTP_REFERER'] function because I went and checked my server for the visitor logs, and the web conferencing site was listed as a referrer to my page. (I am trying to co-browse the page through the conferencing site.)

The string I am trying to search is a variable url (i.e. http://cob1.dimdim.com/dimdim/content/dimdim____newlife/regular/ra93186c05146e189f47a4aa4/2/presenter/content.html).

I am trying to search for the element 'dimdim'

And setting the pattern to $pattern = '/dimdim/i'; didn't do anything.

sneakyimp

You didn't understand me. the HTTP_REFERER information is supplied by the visitor -- it is not determined by your web server. Your web server just takes the supplied value and stores it in the log file. It is therefore not trustworthy. If I wanted to hack your site, I could just spoof some kind of 'dimdim' string in my refererer and freely visit your password-protected page.

as for it 'not working' I don't know what kind of code you are trying to run. the code in that first post doesn't look like valid php to me. also, please use the formatting tags...put [/code] after your code and put

 in front of it so it looks all nice.

skatecrazzy

Oh, ok. Well I'm actually not really that worried about the security on the protected page. If someone REALLY wanted the info they can have it, I was just trying to keep the wayward web surfer out. And the HTTP_REFERER information listed in my server logs is the ONLY "visitor" that will access that site. Do you mean that even the log that I know is accessing the site is not trustworthy? There is only a small variable piece of code, and all the accessing urls include the phrase "dimdim".

The following link is one I got off of my server logs:
http://cob1.dimdim.com/dimdim/content/dimdim____newlife/regular/r233298edddd83d8386519177/0/presenter/content.html

The page I'm using this code on is a .php page. I don't know what other kind of code you may mean. I have used a different .php code on this page, and it has operated fine.

Oops...sorry! Here's the code as I have it now.

<?php
$referer = $_SERVER['HTTP_REFERER'];
$pattern = '/dimdim/';
if (preg_match($pattern, $referer))
{
;
} 
else 
{
include("...password protection file...");
}
?>

Thanks for bearing with me on this

sneakyimp

your code doesn't appear valid...it has a dangling semicolon that doesn't follow any code...which is weird.

also, it only executes the include bit if your pattern DOES NOT MATCH. Maybe try something like this:

<?php
$referer = $_SERVER['HTTP_REFERER'];
$pattern = '/dimdim/';
if (preg_match($pattern, $referer)) {
  include("protected_content.php"); // put your secret application here
} else {
  // user didn't come from dimdim
}
?>

Now, I'm not entirely sure how this code is being access either. Sounds to me like your protected file is probably in a folder protected by http authentication -- i.e., there's an HTACCESS file in there which requires an authenticated user. Whether this works or not will depend on more than just the code we are discussing but also where your files exist and how they are requested.

We may need to get more detail about how, exactly, you have this set up.

skatecrazzy

Well, I intended for it to do that. Dimdim doesn't allow password protected pages to be co-browsed during a conference, so as long as dimdim is accessing the page I need it to be unprotected. Only if someone tries to access the script from outside, do I need the password function.

I don't think the problem is with the authentication settings because I can run the following php code with no problem.

<?php include("/...sword_protect.php"); ?>

sneakyimp

I'm not sure what you mean by 'dimdim accessing the page'. Some things to note:

HTTP_REFERER contains the url of the page that linked to the current one. For example, my development server is a mac on my network here at my home office. I put a file 'foo.php' on that computer which has nothing in it but this:

<a href="bar.php">click me</a>

If you load foo.php using a browser by visiting http://192.168.1.2:8888/foo.php (which is only valid on my local network so it won't work for you) then you click the 'click me' link, you are directed to http://192.168.1.2:8888/bar.php.

Inside bar.php, the value of HTTP_REFERER is http://192.168.1.2:8888/foo.php.

// this is bar.php
echo $_SERVER['HTTP_REFERER']; // outputs http://192.168.1.2:8888/foo.php

Given all that, I don't understand why you would want to offer access to your private area if HTTP_REFERER is NOT from dimdim. Maybe I'm missing something. Just to be clear:

$referer = $_SERVER['HTTP_REFERER'];
$pattern = '/dimdim/';
if (preg_match($pattern, $referer)) {
  // user clicked a link at dimdim to get here...or maybe this page is loaded in an iframe hosted by dimdim or something
} else {
  // user was NOT referred to this page from DIMDIM
}

skatecrazzy

Sorry, that was confusing how I wrote it. I need the dimdim referred page unprotected and all other accesses to that page to be blocked by a password protection.

The code you gave is correct. I'm getting the feeling that dimdim cobrowsing isn't actually referring the site on my end of the conference, but only on the other person's end.

$referer = $_SERVER['HTTP_REFERER'];
$pattern = '/dimdim/';
if (preg_match($pattern, $referer)) {
  // user clicked a link at dimdim to get here...or maybe this page is loaded in an iframe hosted by dimdim or something
} else {include (password protection code, since dimdim didn't refer the access)
  // user was NOT referred to this page from DIMDIM
}

Looks alright to me.

What I'm trying to do may just not be possible. I may just have to remove the password protection to the page when I need to access it through dimdim.

sneakyimp

Well it's definitely possible to branch your code based on the contents of HTTP_REFERER. If you are just loading up your page to test it, keep in mind that HTTP_REFERER might not even be set. Here's one final example:

<?php

$must_match = 'phpbuilder.com';

if (!isset($_SERVER['HTTP_REFERER'])) {
        echo 'there is no referer string, you have been shut down *****';
} else {
        echo "referer:" . $_SERVER['HTTP_REFERER'] . "\n";
        $pattern = '/' . preg_quote($must_match) . '/';
        if (preg_match($pattern, $_SERVER['HTTP_REFERER'])) {
                echo 'you came here from the privileged domains';
        } else {
                echo 'not sure where you came from but it is not privileged';
        }
}

?>

I'm not really sure what else to tell you at this point. I hope you can work it out. So far, you haven't described what "not working" means.

skatecrazzy

Well, thank you for all your help and bearing with me...at least I learned some stuff.

Thanks for the code! The response after I tested the page was that there was no HTTP_REFERER...so there's my problem. I guess I'll try to think of something else, and in the mean time just remove the password protection.

sneakyimp

You might be able to test it by forcing the referer in your code:

$referer = $_SERVER['HTTP_REFERER'];
$referer = 'http://cob1.dimdim.com/dimdim'; // REMOVE THIS LINE WHEN TESTING IS COMPLETE
$pattern = '/dimdim/';
if (preg_match($pattern, $referer)) {
  // user clicked a link at dimdim to get here...or maybe this page is loaded in an iframe hosted by dimdim or something
} else {include (password protection code, since dimdim didn't refer the access)
  // user was NOT referred to this page from DIMDIM
}

You would need to be sure to remove that line when you are finished testing though. try also setting it to any other url WITHOUT dimdim in it.