PHP Detect HTTP Method of Referer?

Posted: Fri Mar 09, 2007 8:24 pm
by JAB Creations
I can detect if the page has a referer...

if(isset($_SERVER['HTTP_REFERER']))
What I'm not sure about is how to detect an HTTP method of the referer.

I've tried...

if (isset($_POST))
...and...

if (!isset($_POST))
...and I get a false positive or a true negative or whatever. Echoing $_POST just spits out "array". What am I doing wrong?

*Edit* I always find stuff after I post though I'm still a bit baffled, HttpMessage::getRequestMethod. How can I echo that out? Here is an example I've tried...

echo '<b>' . $_SERVER['getRequestMethod'] . '</b>';

Posted: Fri Mar 09, 2007 8:36 pm
by feyd
$_SERVER['REQUEST_METHOD']

Posted: Fri Mar 09, 2007 8:40 pm
by JAB Creations
So close yet so far away! Is there some golden rule I should know about for using HTTP extensions?
http://us3.php.net/http

Thanks!

Posted: Fri Mar 09, 2007 8:49 pm
by feyd
Sorry, what?

Posted: Fri Mar 09, 2007 8:53 pm
by JAB Creations
I was looking at this page...
http://us3.php.net/manual/en/function.H ... Method.php

The referring page listed this...
HttpMessage::getRequestMethod — Get request method

at...
http://us3.php.net/http

I initially tried...

echo $_SERVER['getRequestMethod']
and...

echo $_SERVER['HttpMessage::getRequestMethod']
I'm missing the part where I'm supposed to remove HttpMessage::get from the equation?

Posted: Fri Mar 09, 2007 8:57 pm
by feyd
The reference you are looking at is for a set of classes available in PHP 5 and functions for PHP 4.

Posted: Fri Mar 09, 2007 9:01 pm
by JAB Creations
So I'm looking at something completely different?

Here is a better question for me: what words would best find what I was looking for in Google? The better I know how to research on my own the fewer questions I have to ask. :wink:

Thanks again. :D

Posted: Fri Mar 09, 2007 9:31 pm
by aaronhall
The manual page "Predefined Variables" covers this -- this is incidentally the first Google result for "php request method".

Posted: Sat Mar 10, 2007 2:05 am
by volka
Let's take a look at the request my browser sent to retrieve this page.
It opened a socket to the server and sent character-by-character
GET /posting.php?mode=reply&t=64809 HTTP/1.1
Host: forums.devnetwork.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.8,de-de;q=0.5,de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: viewtopic.php?t=64809
Cookie: phpbb2mysql_data=
It sent the referer URL. Or (the other way round) anything the client sends in the Referer header you can find in $_SERVER['HTTP_REFERER']. If the client chooses to send "Referer: Mary had a little lamb" then there's nothing you can do about it. There's no header defined for the method used to retrieve the referer URL and standard clients will not send this kind of information. Therefore you cannot do what you want with PHP.

Posted: Sat Mar 10, 2007 3:12 pm
by JAB Creations
If the client sends Mary had a little lamb for their referer they're probably too drugged up to worry about not viewing my site. :lol: Seriously though, people who mess with the normal settings of their computer and browser for "privacy" while doing regular surfing need to learn what constitutes a breach of privacy and to realize that the only true threat to their privacy is their potential action to type their name or other personally identifiable information into a website.

Posted: Sat Mar 10, 2007 3:23 pm
by feyd
Referral information is optional and should be treated that way.

Your name is not the only thing that can divulge information.

http://yro.slashdot.org/article.pl?sid= ... 3&from=rss

Posted: Sat Mar 10, 2007 3:36 pm
by volka
And in this case the "Mary had a little lamb" thing was not meant for security reasons but to illustrate that the referer information is something the client has to send (willingly) with the HTTP request. It may send the URL, but it does not send the method used to retrieve the doc.

Posted: Sat Mar 10, 2007 8:46 pm
by JAB Creations
Even in the rare instances of identified click-print identities they remain just that, click-print identities. The only way previous non-POST click-print identities could be identified without access to ISP records would be for the surfer to submit identifiable information. Until then user = X but we still don't know who X is.

By requiring the POST to come from a specific source we can, with additional coding and other methods, ensure that the user's information is encrypted in an SSL session, for example. If we detect that the POST was not from a preferred source then we can warn the user that while their information is correct, their POST may have been compromised as it was not encrypted.

Posted: Sat Mar 10, 2007 9:43 pm
by feyd
So long as your script doesn't break or die because someone doesn't supply you with referral information, it's perfectly fine to check, but if it breaks functionality, that's not very nice, no matter how you play it.

Posted: Sun Mar 11, 2007 3:46 am
by volka
JAB Creations wrote: By requiring the POST to come from a specific source we can, with additional coding and other methods, ensure that the user's information is encrypted in an SSL session, for example. If we detect that the POST was not from a preferred source then we can warn the user that while their information is correct, their POST may have been compromised as it was not encrypted.
Are you concerned about man-in-the-middle attacks or faulty server setups (allowing http where https should be necessary)?
Bad-guy could send the referer you want, and for SSL-or-not take a look at

Server variables: $_SERVER wrote: 'HTTPS'

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.
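Putting the replies together (feyd's point that the Referer is optional and must not break the script, and volka's pointer to $_SERVER['HTTPS'] with its IIS "off" quirk), here is an added example that is not from the thread; the helper names and the sample $_SERVER array are hypothetical:

```php
<?php
// Added example, not code from the thread. Reads the server variables the
// replies mention: REQUEST_METHOD, HTTPS and HTTP_REFERER.

// Method of THIS request. The method used to fetch the referring page is
// never transmitted by the client, so there is nothing to read for it.
function request_method(array $server): string {
    return strtoupper($server['REQUEST_METHOD'] ?? 'GET');
}

// True only when this request itself arrived over TLS. Covers the ISAPI/IIS
// behaviour quoted from the manual: HTTPS is set to "off" rather than unset.
function request_is_https(array $server): bool {
    $https = $server['HTTPS'] ?? '';
    return $https !== '' && strtolower($https) !== 'off';
}

// Referer is optional and client-controlled, so it is only a hint:
// absent, relative or malformed values yield null instead of an error.
function referer_host(array $server): ?string {
    if (!isset($server['HTTP_REFERER'])) {
        return null;
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Constructed sample standing in for $_SERVER.
$sample = [
    'REQUEST_METHOD' => 'POST',
    'HTTPS'          => 'off',                   // IIS-style "not HTTPS"
    'HTTP_REFERER'   => 'viewtopic.php?t=64809', // relative, no host part
];

if (request_method($sample) === 'POST' && !request_is_https($sample)) {
    echo "Warning: this form was posted over plain HTTP\n";
}
$host = referer_host($sample);
echo 'Referer host: ' . ($host ?? '(none supplied)') . "\n";
```

The HTTPS check is what tells you whether the POST you are handling was encrypted; the Referer host is at most a hint and the script keeps working when it is missing.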