
What I want to do is this: when a request is made from any server, I want to get the referrer URL so I can check whether this URL is allowed to access my file or not. I have some plugins, and on update check on the admin side they check versions by connecting to my site. So, the plugins are registered with the client's site.

Here is my cURL code that sends the referrer, but I want to send the referrer secretly so no one can change my code easily.

```php
public function checkUpdate($task, $product) {
    $parameters = array(
        'task' => $task,
        'product' => $product,
        'domain' => $_SERVER['HTTP_HOST']
    );

    // Build a URL-encoded query string from the parameters.
    $url = "http://example.com" . "?" . http_build_query($parameters);

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); // return the response instead of printing it
    curl_setopt($curl, CURLOPT_REFERER, $_SERVER['HTTP_HOST']); // referrer header is set by this code

    $result = curl_exec($curl);
    curl_close($curl);

    return $result;
}
```

I hope you understand me. Or if you have a better solution for this work, like checking the licenses of my clients, then it will be great! Please also let me know in the comments if you think the question is not good or not explained well.

Thanks in advance.

mubashermubi
  • What do you mean by `but I want to send referrer secretly so no one can change my code easily.`? Do you want to send some identification/password with the request? Then why do you want to use the referer for it? Whatever you send from your server is between your server and the remote one. `to do this work like check license of my clients then` only via normal encryption, and then it does not matter how you are sending it. – Cheery Oct 27 '14 at 05:33
  • @Cheery ignore this line, and can you please help me out with sending the client's domain secretly? That's it. BTW I want to send my client's domain secretly so no one can easily see how this license check code is working, as I want to check the domain of the client. (: – mubashermubi Oct 27 '14 at 05:36
  • Any reason why you can't send the data using $_POST? Then you don't need to hide the referral id in the query string. See [here](http://stackoverflow.com/questions/28395/passing-post-values-with-curl) for how to send data using $_POST. – arkyc Oct 27 '14 at 05:38
  • A simple sniffer or firewall will show all your requests. And they are not needed if your script is not encrypted and is available as open source. – Cheery Oct 27 '14 at 05:38
  • @Cheery there is only one identification, which is the client's domain, because the plugin is only allowed to be used on one domain. So my code will check the domain of the client and send the response whether or not this domain can use this plugin. – mubashermubi Oct 27 '14 at 05:38
  • @Cheery Can you suggest some code, as I am not good enough at cURL? It will be helpful. Thanks – mubashermubi Oct 27 '14 at 05:40
  • @arkyc thanks, so in this way can I get the referral URL easily? Or let me try your suggested code first. :) – mubashermubi Oct 27 '14 at 05:41
  • @M3Dev Ok, do you mean that you want to create a backdoor, and by making requests to it you will either enable or disable plugins? Or will plugins make requests to your server? In the first case you want to make a custom request, looking like all others, which will get info from the plugin about the license? Just submit the data in the body of a POST request. – Cheery Oct 27 '14 at 05:41
  • @Cheery exactly Cheery, that's what I want; the plugin will do it automatically and will disable itself. – mubashermubi Oct 27 '14 at 05:43
  • M3Dev, if you can send your data using $_POST, it won't be visible in the URL for others to see. E.g. you could do something like this: `$data['ref_id'] = xxx`. On the side processing your request, you would simply get the value of `$_POST['ref_id']` and do whatever you need to with it. – arkyc Oct 27 '14 at 05:58
  • @M3Dev you want the plugin to make requests to your website? Use the POST method, do not send information in the referer. If requests are made by a script on a remote site to you, nobody can see it without special interest and looking into the code or running a sniffer. Here are the examples http://hayageek.com/php-curl-post-get/ – Cheery Oct 27 '14 at 06:01
  • @arkyc there is no special id information; the domain of my client is the verification id, so I want to send or get the domain of my client secretly. – mubashermubi Oct 27 '14 at 06:02
  • @Cheery yep, you are right, but I am trying to find a way so that I can send the client's domain secretly without using params like I did in my code. In my code currently anyone can change the $_SERVER['HTTP_HOST'] to any domain which is registered with a client's information and then the code will run, so it will ruin my business. – mubashermubi Oct 27 '14 at 06:05
  • @M3Dev The problem is not related to the referer field. There is no way to do it in PHP except encoding the code with, for example, http://www.zend.com/en/products/guard All other ways, if your code is open, are easy to bypass. Or by using some kind of good obfuscation. Otherwise your code can be modified. And there is no other way to get the domain on which the script is running. – Cheery Oct 27 '14 at 06:09
  • @Cheery thanks Cheery. :) You helped me a lot. – mubashermubi Oct 27 '14 at 06:13

1 Answer

If I haven't made any silly mistakes, this should do it:

Request Side

```php
public function checkUpdate($task, $product) {
    $referral_id = 'abcd12345';

    // You already had an array of parameters. I just added a referral id parameter.
    // You can then pass this array as $_POST.
    $parameters = array(
        'task' => $task,
        'product' => $product,
        'domain' => $_SERVER['HTTP_HOST'],
        'ref_id' => $referral_id
    );

    $url = "http://example.com";

    // Unsure of any other curl parameters you need.
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $parameters);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // return the response body instead of printing it

    $result = curl_exec($curl);
    curl_close($curl);

    return $result;
}
```

On the server side, doing the processing. I assume it's in the index file of example.com?

```php
if (isset($_POST['ref_id'])) {
    // Do whatever you want with the referral id.
}

if (isset($_POST['domain'])) {
    // Do whatever you want with the domain.
}
```

arkyc
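
One way to fill in the server-side "do whatever you want" step of the answer above, as an added example that is not part of the original answer or comments: the POSTed `domain` and the `Referer` header are both chosen by the calling code, so the server checks an HMAC made with a per-license secret before comparing the domain. The helpers `signRequest` and `verifyRequest`, the `sig` and `ts` fields, the license table, and all ids, secrets and domains are hypothetical, constructed values.

```php
<?php
// Added example: ids, secrets and domains are constructed placeholders.
// Constructed license table: license id => per-license secret and registered domain.
$licenses = [
    'abcd12345' => ['secret' => 'constructed-secret-1', 'domain' => 'client.example'],
];

// Plugin side (hypothetical helper): sign all fields with the license secret.
function signRequest(array $fields, string $secret): array
{
    ksort($fields);
    $fields['sig'] = hash_hmac('sha256', http_build_query($fields), $secret);
    return $fields; // pass this array to CURLOPT_POSTFIELDS
}

// Server side (hypothetical helper): accept only a fresh, correctly signed
// request whose domain equals the one registered for that license id.
function verifyRequest(array $post, array $licenses, int $now, int $maxAge = 300): bool
{
    $id  = $post['ref_id'] ?? '';
    $sig = $post['sig'] ?? '';
    if (!is_string($id) || !is_string($sig) || !isset($licenses[$id])) {
        return false; // unknown license or malformed request
    }
    unset($post['sig']);
    ksort($post);
    $expected = hash_hmac('sha256', http_build_query($post), $licenses[$id]['secret']);
    if (!hash_equals($expected, $sig)) {
        return false; // a field was changed or the secret is wrong
    }
    if (abs($now - (int) ($post['ts'] ?? 0)) > $maxAge) {
        return false; // stale or replayed request
    }
    $domain = $post['domain'] ?? '';
    return is_string($domain) && strtolower($domain) === $licenses[$id]['domain'];
}

$now = 1700000000; // constructed timestamp; use time() in practice
$req = signRequest([
    'task' => 'check', 'product' => 'plugin-a', 'domain' => 'client.example',
    'ref_id' => 'abcd12345', 'ts' => $now,
], 'constructed-secret-1');
var_dump(verifyRequest($req, $licenses, $now));        // genuine request
var_dump(verifyRequest($req, $licenses, $now + 3600)); // same request replayed an hour later
$req['domain'] = 'other.example';                      // domain changed after signing
var_dump(verifyRequest($req, $licenses, $now));
```

As the comments point out, a customer who edits the plugin source can still send the registered domain; the per-license secret only means that knowing a registered domain is no longer enough to pass the check.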