I'm working on php page that will not open if it wasn't referred by "xxxxxxx.php"

So my code is :

$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$confirm = 'http://localhost/test/xxxxxx.php';
if ($referer == $confirm) {

echo 'You correct';

} else {

echo 'wronnnnnnnnnnng';

}

And here's xxxxxx.php content :

header("Location: http://localhost/test/code.php");

But unfortunate it doesn't work, But if I make it as echo like this

echo '<p><a href="http://localhost/test/code.php">here</a></p>';

It's working fine, But I want it to redirect not when user click on the link so I want header redirect to work so any ideas on how to get it work ?

Thanks.

    HTTP_REFERER is set by the browser, not always present, completely unreliable and well shouldn't be used.

      dagon;10975045 wrote:

      HTTP_REFERER is set by the browser, not always present, completely unreliable and well shouldn't be used.

      I've done it, But why I shouldn't use it ? It's done what I exactly want

      I want the file don't open if it wasn't referred by x.php

        2CODE wrote:

        But why I shouldn't use it ?

        For the reasons dagon listed, which again are:

        1. It is not a required header, so it may not be present at all.

        2. It's sometimes seen as a privacy concern, so it may get stripped/filtered out by any number of software/gateways/proxies/firewalls available.

        3. It can be easily modified and/or faked altogether (there are even browser plugins/extensions that make this a trivial task).

        I believe the root of your problem, however, lies in the fact that 'Location:' redirects won't update the 'Referer' header by design (since you're telling the browser "hey, you're at the wrong URI... use this one instead:").

        Instead, try using a 'Refresh' header instead (e.g. with a 0 second delay), or try altering the HTTP status code (e.g. to 200, 303, or 307).

          try using a 'Refresh' header instead (e.g. with a 0 second delay), or try altering the HTTP status code (e.g. to 200, 303, or 307).

          Yes, That's exactly what I've done 🙂
          Thanks.

            Out of curiosity, can you clarify which one worked for you? I'm guessing the 'Refresh' header in place of the 'Location' header?

              That's what is working for me :

              <META HTTP-EQUIV="Refresh" CONTENT="1; url=http://www.ttttttttttttttttttttttttttt.com">

                Glad you got it working. Note that you could probably do the same without outputting any (likely ill-formed) HTML documents by using headers:

                header('Refresh: 0; URL=http://mysite.com');

                  Yes. That's also working. Thank you 🙂

                    Write a Reply...