OK, so I am trying to make it so users can refer others using the domain name followed by their username.

My site works using iframes, so index.php actually loads home.php in an iframe, where a new user can enter their details, upon which they are submitted to the database.

In index.php I have:

<?php
    session_start();
    $ref = $_SERVER['HTTP_REFERER'];
    $_SESSION['abc'] = $ref;
?>

A user then enters their info and submits, at which point home.php adds them to the database. Home.php has the following code:

session_start(); // at the top of the file, followed by some other code

// If they are a new user, let's say they clicked a referral link, in which case 'referredby' would show domainname.com/referrerUserName

if (isset($_SESSION['abc'])) {
    // insert new user
    $run = mysql_query("INSERT INTO ".MYSQLTABLE."(id, address, ip, date, time, referredby) VALUES('','" . $_POST['address'] . "','" . $_SERVER['REMOTE_ADDR'] . "', '".date("Y-m-d")."', '".date("D")."', '".$_SESSION['abc']."')");
}
else {
    echo 'error';
}

They are added OK, but in the 'referredby' column this is returned: http://domainname.com/screens.css, when it should show http://domainname.com/?r=ReferrersUserName

Any help would be great! Yes I will be changing to SQLI

  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jul 11 '14 at 15:49
  • Please do some research on how unreliable the HTTP referrer is – and then stop using it for anything halfway serious. – CBroe Jul 11 '14 at 16:08
  • Do you have `url(index.php)` anywhere in `screens.css`? Do you have any other scripts that update `$_SESSION['abc']`, and are they referenced in `screens.css`? – Barmar Jul 11 '14 at 16:27
  • screens.css just defines the header, footer, sides etc. No mention of any pages. $_SESSION['abc'] is purely just where I mentioned. – user3345992 Jul 11 '14 at 16:49

1 Answer

You should probably change:

<?php
    session_start();
    $ref = $_SERVER['HTTP_REFERER'];
    $_SESSION['abc'] = $ref;
?>

into

<?php
    session_start();
    if (!isset($_SESSION['abc']) && isset($_GET['r'])) {
      $ref = $_GET['r'];         
      $_SESSION['abc'] = $ref;
    }
?>
– Marcin Nabiałek