Get URL of webpage that called the script?

Seymour Clufley
Forum Newbie
Posts: 15
Joined: Wed Mar 19, 2008 8:34 am

Get URL of webpage that called the script?

Post by Seymour Clufley »

If a webpage calls a PHP script on another server, is there any way to obtain the URL of the webpage from inside the PHP script?

I've found solutions that obtain the URL of the PHP script itself, but not that of the webpage in which the script is embedded. For security reasons the URL has to be obtained with code, not by including it as a parameter when calling the script.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Get URL of webpage that called the script?

Post by Benjamin »

If I understand what you are trying to do, it will not be possible at the PHP code layer.
Seymour Clufley
Forum Newbie
Posts: 15
Joined: Wed Mar 19, 2008 8:34 am

Re: Get URL of webpage that called the script?

Post by Seymour Clufley »

Benjamin wrote: If I understand what you are trying to do, it will not be possible at the PHP code layer.
Oh, damn... okay, I'll explain what I'm aiming for. If you can suggest a way to achieve it I'd be very grateful indeed!

Someone's webpage -> calls a PHP script on my server -> I need to know that the person is "authorised" before proceeding with the rest of the PHP script -> I'd like to do that via their website's domain.

If I used a password parameter, someone else could download the customer's webpage, get the password parameter and use it themselves. That's the problem.

Can you think of a way round this?

Again, I appreciate any help. PHP is confusing for a beginner!

Seymour.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Get URL of webpage that called the script?

Post by Benjamin »

How exactly is the script being accessed?
Seymour Clufley
Forum Newbie
Posts: 15
Joined: Wed Mar 19, 2008 8:34 am

Re: Get URL of webpage that called the script?

Post by Seymour Clufley »

The person includes this in their webpage:

<SCRIPT src="http://www.seymourswebsite.com/thescript.php?member=[theirmembercode]" type="text/javascript"></SCRIPT>
The script has a JavaScript header, and fills a JS variable on the person's webpage with some info.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Get URL of webpage that called the script?

Post by Benjamin »

Yeah I don't know of any way to do what you are wanting to do. You'll more than likely need to look into a different approach.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Get URL of webpage that called the script?

Post by Eran »

The address of the calling machine should be in $_SERVER['REMOTE_ADDR']
http://www.php.net/manual/en/reserved.v ... server.php
Seymour Clufley
Forum Newbie
Posts: 15
Joined: Wed Mar 19, 2008 8:34 am

Re: Get URL of webpage that called the script?

Post by Seymour Clufley »

pytrin wrote: The address of the calling machine should be in $_SERVER['REMOTE_ADDR']
Thanks, but it's not their IP address I want. It's the URL they're currently looking at.

What about if the script injects a second call to itself in the webpage, but this time appending "document.URL" as an additional parameter?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Get URL of webpage that called the script?

Post by Benjamin »

That method could very easily be circumvented.
Seymour Clufley
Forum Newbie
Posts: 15
Joined: Wed Mar 19, 2008 8:34 am

Re: Get URL of webpage that called the script?

Post by Seymour Clufley »

Benjamin wrote: That method could very easily be circumvented.
Right, but how would it be circumvented?

I could implement a tokening system so that the second call to the script would only be accepted if it had the token created by the first call.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Get URL of webpage that called the script?

Post by Apollo »

What you're looking for is the referrer, which is in $_SERVER['HTTP_REFERER'].

This is a very bad idea however, because
1) not all browsers support this ("browser" in the wider sense, which may also include stuff like a PHP server using connecting functions, such as curl or fsockopen, etc).
2) this can be explicitly disabled in most browsers (and quite some people do, including me).
3) the presence and contents of the referrer info depends ONLY on the visitor (it's simply a field in the HTTP header), and hence is VERY easy to fake. Really.

Anyway, you won't be able to restrict your script to be used by registered members only, if you somehow allow them to include it remotely (which is what you're doing if you want them to use a .js script from your server). No matter what kind of authentication trickery you apply, any user visiting your member's page is essentially downloading the script himself (because his browser needs to execute it one way or the other). And hence anyone can publish, spread, change or abuse it in any way they wish.

Sorry :)
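
The three points above about $_SERVER['HTTP_REFERER'], turned into server-side handling. This is an added example, not code from any poster in the thread; MEMBER_DOMAINS, classifyReferer() and the memberInfo variable are hypothetical names, and the member table is constructed sample data. It treats the header as a logging signal only and never as authentication.

```php
<?php
// Added example, not code from the thread. MEMBER_DOMAINS, classifyReferer()
// and the emitted variable name are hypothetical.

// Constructed sample data: member code => domain registered for that member.
const MEMBER_DOMAINS = ['abc123' => 'customer.example'];

// Returns 'match', 'mismatch' or 'absent'. The header is written by whoever
// sends the request, so none of the three results proves where it came from.
function classifyReferer(?string $referer, string $member): string
{
    if (!isset(MEMBER_DOMAINS[$member])) {
        return 'mismatch'; // unknown member code
    }
    if ($referer === null || $referer === '') {
        return 'absent';   // switched off in the browser, or a non-browser client
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return 'mismatch'; // value that does not parse as a URL with a host
    }
    $host     = strtolower($host);
    $expected = MEMBER_DOMAINS[$member];
    $suffix   = '.' . $expected;
    // Exact host or a true subdomain. A substring test would also accept
    // hosts that merely contain the registered name.
    if ($host === $expected || substr($host, -strlen($suffix)) === $suffix) {
        return 'match';
    }
    return 'mismatch';
}

$member  = $_GET['member'] ?? '';
$member  = is_string($member) ? $member : '';
$verdict = classifyReferer($_SERVER['HTTP_REFERER'] ?? null, $member);

header('Content-Type: application/javascript');
if ($verdict === 'mismatch') {
    // Useful for spotting embeds on unregistered sites; not an access control.
    error_log('thescript.php: referer mismatch, member=' . json_encode($member));
    echo 'var memberInfo = null;';
    exit;
}
// 'absent' is served like 'match': refusing it would lock out visitors who
// disable the header. Emit only data that is acceptable for anyone to read.
echo 'var memberInfo = ' . json_encode(['member' => $member, 'referer' => $verdict]) . ';';
```
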
Seymour Clufley
Forum Newbie
Posts: 15
Joined: Wed Mar 19, 2008 8:34 am

Re: Get URL of webpage that called the script?

Post by Seymour Clufley »

Apollo,

Thanks for all the advice about HTTP_REFERER, but what about the other method (using the JS document.url variable)?
Apollo wrote: Anyway, you won't be able to restrict your script to be used by registered members only, if you somehow allow them to include it remotely (which is what you're doing if you want them to use a .js script from your server).
It's a PHP script with header('Content-type: application/javascript') at the start. Will that still be downloaded to the client machine?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Get URL of webpage that called the script?

Post by Benjamin »

You cannot protect a Javascript file from being reverse engineered, period. You can barely do it with PHP.
Seymour Clufley
Forum Newbie
Posts: 15
Joined: Wed Mar 19, 2008 8:34 am

Re: Get URL of webpage that called the script?

Post by Seymour Clufley »

Okay, that's really quite disappointing. I'll try something else.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Get URL of webpage that called the script?

Post by Apollo »

Seymour Clufley wrote: but what about the other method (using the JS document.url variable)?
Same problem. JS is purely a client-side thing, therefore it can be spoofed.
Seymour Clufley wrote: It's a PHP script with header('Content-type: application/javascript') at the start. Will that still be downloaded to the client machine?
The output (i.e. the actual javascript) that it generates, yes.