Page 1 of 1
Get URL of webpage that called the script?
Posted: Sun May 16, 2010 4:08 pm
by Seymour Clufley
If a webpage calls a PHP script on another server, is there any way to obtain the URL of the webpage from inside the PHP script?
I've found solutions that obtain the URL of the PHP script itself, but not that of the webpage in which the script is embedded. For security reasons the URL has to be obtained with code, not by including it as a parameter when calling the script.
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 4:19 pm
by Benjamin
If I understand what you are trying to do, it will not be possible at the PHP code layer.
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 4:58 pm
by Seymour Clufley
Benjamin wrote:If I understand what you are trying to do, it will not be possible at the PHP code layer.
Oh, damn... okay, I'll explain what I'm aiming for. If you can suggest a way to achieve it I'd be very grateful indeed!
Someone's webpage -> calls a PHP script on my server -> I need to know that the person is "authorised" before proceeding with the rest of the PHP script -> I'd like to do that via their website's domain.
If I used a password parameter, someone else could download the customer's webpage, get the password parameter and use it themselves. That's the problem.
Can you think of a way round this?
Again, I appreciate any help. PHP is confusing for a beginner!
Seymour.
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 5:01 pm
by Benjamin
How exactly is the script being accessed?
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 7:29 pm
by Seymour Clufley
The person includes this in their webpage:
Code: Select all
<SCRIPT src="http://www.seymourswebsite.com/thescript.php?member=[theirmembercode]" type="text/javascript"></SCRIPT>
The script has a JavaScript header, and fills a JS variable on the person's webpage with some info.
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 7:54 pm
by Benjamin
Yeah I don't know of any way to do what you are wanting to do. You'll more than likely need to look into a different approach.
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 7:59 pm
by Eran
The address of the calling machine should be in $_SERVER['REMOTE_ADDR']
http://www.php.net/manual/en/reserved.v ... server.php
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 10:18 pm
by Seymour Clufley
pytrin wrote:The address of the calling machine should be in $_SERVER['REMOTE_ADDR']
Thanks, but it's not their IP address I want. It's the URL they're currently looking at.
What about if the script injects a second call to itself in the webpage, but this time appending "document.URL" as an additional parameter?
Re: Get URL of webpage that called the script?
Posted: Sun May 16, 2010 11:21 pm
by Benjamin
That method could very easily be circumvented.
Re: Get URL of webpage that called the script?
Posted: Mon May 17, 2010 6:25 am
by Seymour Clufley
Benjamin wrote:That method could very easily be circumvented.
Right, but how would it be circumvented?
I could implement a tokening system so that the second call to the script would only be accepted if it had the token created by the first call.
Re: Get URL of webpage that called the script?
Posted: Mon May 17, 2010 6:54 am
by Apollo
What you're looking for is the referrer, which is in $_SERVER['HTTP_REFERER'].
This is a very bad idea however, because
1) not all browsers support this ("browser" in the wider sense, which may also include stuff like a PHP server using connecting functions, such as curl or fsockopen, etc).
2) this can be explicitly disabled in most browsers (and quite some people do, including me).
3) the presence and contents of the referrer info depends ONLY on the visitor (it's simply a field in the HTTP header), and hence is VERY easy to fake. Really.
Anyway, you won't be able to restrict your script to be used by registered members only, if you somehow allow them to include it remotely (which is what you're doing if you want them to use a .js script from your server). No matter what kind of authentication trickery you apply, any user visiting your member's page is essentially downloading the script himself (because his browser needs to execute it one way or the other). And hence anyone can publish, spread, change or abuse it in any way they wish.
Sorry

Re: Get URL of webpage that called the script?
Posted: Mon May 17, 2010 5:10 pm
by Seymour Clufley
Apollo,
Thanks for all the advice about HTTP_REFERER, but what about the other method (using the JS document.url variable)?
Anyway, you won't be able to restrict your script to be used by registered members only, if you somehow allow them to include it remotely (which is what you're doing if you want them to use a .js script from your server).
It's a PHP script with
header('Content-type: application/javascript') at the start. Will that still be downloaded to the client machine?
Re: Get URL of webpage that called the script?
Posted: Mon May 17, 2010 5:28 pm
by Benjamin
You cannot protect a Javascript file from being reverse engineered, period. You can barely do it with PHP.
Re: Get URL of webpage that called the script?
Posted: Mon May 17, 2010 8:00 pm
by Seymour Clufley
Okay, that's really quite disappointing. I'll try something else.
Re: Get URL of webpage that called the script?
Posted: Tue May 18, 2010 5:12 am
by Apollo
Seymour Clufley wrote:but what about the other method (using the JS document.url variable)?
Same problem. JS is purely a client-side thing, therefore it can be spoofed.
It's a PHP script with header('Content-type: application/javascript') at the start. Will that still be downloaded to the client machine?
The output (i.e. the actual javascript) that it generates, yes.