$_SERVER["HTTP_REFERER"] issue

Question

I've just trying to set 'if' rules for my website, and I'm facing with little problem I want to allow:

if ($_SERVER["HTTP_REFERER"] = "http://t.co/XXXXXX")
{ allowed }

XXXXXX - unique end of each link, so I need to set that every visit, which begins with t.co would be accepted. How can I do that? Thanks in advance.

[PHP string functions](http://php.net/manual/en/ref.strings.php) — Jocelyn, Jul 22 '14 at 22:39
*"Using `HTTP_REFERER` isn't reliable, it's value is dependent on the HTTP Referer header sent by the browser or client application to the server and therefore can't be trusted."* - [**Read more...**](http://stackoverflow.com/a/6023980/) — Funk Forty Niner, Jul 22 '14 at 22:42
If your plan is to use referrer to implement something important such as security or some such, then you need to change your plan. HTTP_REFERRER is completely untrustworthy and can be spoofed with virtually no effort. — GordonM, Jul 22 '14 at 22:47
[`int stripos ( string $haystack , string $needle [, int $offset = 0 ] );`](http://php.net/stripos) — Daniel W., Jul 22 '14 at 22:48

brainbowler · Accepted Answer · 2014-07-22T22:56:15.233

4

Use the following snippet:

if (preg_match('/^https?:\/\/t\.co\//', $_SERVER['HTTP_REFERER'])) {
    # allowed
}

This will also match https requests, by the way.

Alternatively, you can use parse_url, like this:

$parsed = parse_url($_SERVER['HTTP_REFERER']);
if ($parsed['host'] === 't.co') {
    # allowed
}

Keep in mind though that $_SERVER['HTTP_REFERER'] might not be set or empty, thus an additional

if (isset($_SERVER['HTTP_REFERER']))

is useful in both cases.

edited Jul 22 '14 at 22:56

answered Jul 22 '14 at 22:37

brainbowler

`$_SERVER['HTTP_REFERER'` missing square bracket. – Funk Forty Niner Jul 22 '14 at 22:45
parse_url is the best answer here I reckon. – Rich Bradshaw Jul 22 '14 at 22:56

Rich Bradshaw · Answer 2 · 2014-07-22T22:55:20.810

0

Just compare the first 12 characters:

if (substr($_SERVER["HTTP_REFERER"],0,12) == "http://t.co/" || substr($_SERVER["HTTP_REFERER"],0,13) == "https://t.co/")
{ allowed }

edited Jul 22 '14 at 22:55

answered Jul 22 '14 at 22:37

Rich Bradshaw

thanks, I'll accept answer in 10 min. :) – Kasparas Taminskas Jul 22 '14 at 22:38
1

Shouldn't those be `==` instead of one? – Funk Forty Niner Jul 22 '14 at 22:50

Daniel W. · Answer 3 · 2014-07-22T23:04:57.853

0

My try:

if (stripos($_SERVER["HTTP_REFERER"], '://t.co/') === 4
 || stripos($_SERVER["HTTP_REFERER"], '://t.co/') === 5) {
    // Allowed

edited Jul 22 '14 at 23:04

answered Jul 22 '14 at 22:50

Daniel W.

3 Answers3