Get URL of webpage that called the script?
Moderator: General Moderators
-
Seymour Clufley
- Forum Newbie
- Posts: 15
- Joined: Wed Mar 19, 2008 8:34 am
Get URL of webpage that called the script?
If a webpage calls a PHP script on another server, is there any way to obtain the URL of the webpage from inside the PHP script?
I've found solutions that obtain the URL of the PHP script itself, but not that of the webpage in which the script is embedded. For security reasons the URL has to be obtained with code, not by including it as a parameter when calling the script.
I've found solutions that obtain the URL of the PHP script itself, but not that of the webpage in which the script is embedded. For security reasons the URL has to be obtained with code, not by including it as a parameter when calling the script.
Re: Get URL of webpage that called the script?
If I understand what you are trying to do, it will not be possible at the PHP code layer.
-
Seymour Clufley
- Forum Newbie
- Posts: 15
- Joined: Wed Mar 19, 2008 8:34 am
Re: Get URL of webpage that called the script?
Oh, damn... okay, I'll explain what I'm aiming for. If you can suggest a way to achieve it I'd be very grateful indeed!Benjamin wrote:If I understand what you are trying to do, it will not be possible at the PHP code layer.
Someone's webpage -> calls a PHP script on my server -> I need to know that the person is "authorised" before proceeding with the rest of the PHP script -> I'd like to do that via their website's domain.
If I used a password parameter, someone else could download the customer's webpage, get the password parameter and use it themselves. That's the problem.
Can you think of a way round this?
Again, I appreciate any help. PHP is confusing for a beginner!
Seymour.
Re: Get URL of webpage that called the script?
How exactly is the script being accessed?
-
Seymour Clufley
- Forum Newbie
- Posts: 15
- Joined: Wed Mar 19, 2008 8:34 am
Re: Get URL of webpage that called the script?
The person includes this in their webpage:
The script has a JavaScript header, and fills a JS variable on the person's webpage with some info.
Code: Select all
<SCRIPT src="http://www.seymourswebsite.com/thescript.php?member=[theirmembercode]" type="text/javascript"></SCRIPT>Re: Get URL of webpage that called the script?
Yeah I don't know of any way to do what you are wanting to do. You'll more than likely need to look into a different approach.
Re: Get URL of webpage that called the script?
The address of the calling machine should be in $_SERVER['REMOTE_ADDR']
http://www.php.net/manual/en/reserved.v ... server.php
http://www.php.net/manual/en/reserved.v ... server.php
-
Seymour Clufley
- Forum Newbie
- Posts: 15
- Joined: Wed Mar 19, 2008 8:34 am
Re: Get URL of webpage that called the script?
Thanks, but it's not their IP address I want. It's the URL they're currently looking at.pytrin wrote:The address of the calling machine should be in $_SERVER['REMOTE_ADDR']
What about if the script injects a second call to itself in the webpage, but this time appending "document.URL" as an additional parameter?
Re: Get URL of webpage that called the script?
That method could very easily be circumvented.
-
Seymour Clufley
- Forum Newbie
- Posts: 15
- Joined: Wed Mar 19, 2008 8:34 am
Re: Get URL of webpage that called the script?
Right, but how would it be circumvented?Benjamin wrote:That method could very easily be circumvented.
I could implement a tokening system so that the second call to the script would only be accepted if it had the token created by the first call.
Re: Get URL of webpage that called the script?
What you're looking for is the referrer, which is in $_SERVER['HTTP_REFERER'].
This is a very bad idea however, because
1) not all browsers support this ("browser" in the wider sense, which may also include stuff like a PHP server using connecting functions, such as curl or fsockopen, etc).
2) this can be explicitly disabled in most browsers (and quite some people do, including me).
3) the presence and contents of the referrer info depends ONLY on the visitor (it's simply a field in the HTTP header), and hence is VERY easy to fake. Really.
Anyway, you won't be able to restrict your script to be used by registered members only, if you somehow allow them to include it remotely (which is what you're doing if you want them to use a .js script from your server). No matter what kind of authentication trickery you apply, any user visiting your member's page is essentially downloading the script himself (because his browser needs to execute it one way or the other). And hence anyone can publish, spread, change or abuse it in any way they wish.
Sorry
This is a very bad idea however, because
1) not all browsers support this ("browser" in the wider sense, which may also include stuff like a PHP server using connecting functions, such as curl or fsockopen, etc).
2) this can be explicitly disabled in most browsers (and quite some people do, including me).
3) the presence and contents of the referrer info depends ONLY on the visitor (it's simply a field in the HTTP header), and hence is VERY easy to fake. Really.
Anyway, you won't be able to restrict your script to be used by registered members only, if you somehow allow them to include it remotely (which is what you're doing if you want them to use a .js script from your server). No matter what kind of authentication trickery you apply, any user visiting your member's page is essentially downloading the script himself (because his browser needs to execute it one way or the other). And hence anyone can publish, spread, change or abuse it in any way they wish.
Sorry
-
Seymour Clufley
- Forum Newbie
- Posts: 15
- Joined: Wed Mar 19, 2008 8:34 am
Re: Get URL of webpage that called the script?
Apollo,
Thanks for all the advice about HTTP_REFERER, but what about the other method (using the JS document.url variable)?
Thanks for all the advice about HTTP_REFERER, but what about the other method (using the JS document.url variable)?
It's a PHP script with header('Content-type: application/javascript') at the start. Will that still be downloaded to the client machine?Anyway, you won't be able to restrict your script to be used by registered members only, if you somehow allow them to include it remotely (which is what you're doing if you want them to use a .js script from your server).
Re: Get URL of webpage that called the script?
You cannot protect a Javascript file from being reverse engineered, period. You can barely do it with PHP.
-
Seymour Clufley
- Forum Newbie
- Posts: 15
- Joined: Wed Mar 19, 2008 8:34 am
Re: Get URL of webpage that called the script?
Okay, that's really quite disappointing. I'll try something else.
Re: Get URL of webpage that called the script?
Same problem. JS is purely a client-side thing, therefore it can be spoofed.Seymour Clufley wrote:but what about the other method (using the JS document.url variable)?
The output (i.e. the actual javascript) that it generates, yes.It's a PHP script with header('Content-type: application/javascript') at the start. Will that still be downloaded to the client machine?