1

I'm having a simple PHP page that generates random json values and returns it to the user. I want to know what website is using this page to get data using curl or javascript. for example:

the PHP page:

$datas['random'] = ['firstValue'=>'Hello', 'secondValue'=>'world'];
header('Content-Type: application/json');
echo json_encode($datas);

now that code will return this value

{"random":{"firstValue":"Hello","secondValue":"world"}}

what I want to do is: if someone used this file in his website using curl or javascript I want to be able to know which website is using it and what website requested it.

if the website http://example.com used this code in the website 

var xhttp = new XMLHttpRequest();

                  xhttp.onreadystatechange = function () {
                      if (this.readyState === 4) {
                          if (this.status === 200) {
                              resolve(this.responseText);
                          } else if (this.response == null && this.status === 0) {
                              var reason = new Error('OFFLINE');
                              reject(reason);
                          } else {
                              var reason = new Error('ERROR');
                              reject(reason);
                          }
                      }
                  };


              xhttp.open("GET", "jsonpage.php", true);
              xhttp.send();

I want to be able to know that the website http://example.php requested the file, without using extra value jsonpage.php?website=example.com

is there any way to do it using PHP.

Hp_issei
  • 579
  • 6
  • 18
John Doe
  • 29
  • 3
  • 2
    You can't get that info unless the client sends you that information. You _could_ use the header `$_SERVER['HTTP_REFERER']`, but that one can be modified by the client and isn't always set. Other than that, you can't really know what site sent the request without passing some parameter. If it's cURL, then you can check their IP and try to do a reverse lookup, but if they are using JS, then you will get the clients IP instead so that won't work then. – M. Eriksson Mar 04 '19 at 06:38
  • 1
    that will work for a bit cuz the main idea is to check the registered (whitelist) websites and see if the request comes from one of them, no one will know what whitelist websites are so i guess this will work for abit. – John Doe Mar 04 '19 at 06:41
  • 1
    It seems like something you should use OAuth or some form of API key system for. – ArtisticPhoenix Mar 04 '19 at 06:44
  • 1
    @ArtisticPhoenix what if i'm building my api system and wanna know where requests coming from ? – John Doe Mar 04 '19 at 06:47
  • 1
    Any other website can not request your data using client-side JavaScript, unless you explicitly make that possible in the first place - keyword CORS. So in that case, you know the _origin_ of the request already. – 04FS Mar 04 '19 at 08:18
  • @04FS yea i'm allowing it using JS and CURL basically it will be access using anything – John Doe Mar 04 '19 at 11:35
  • So for the client-side requests, log the `Origin` request header - then you’ll know which websites make cross-domain requests. – 04FS Mar 04 '19 at 11:43

2 Answers2

1

You can check the IP address of the party making the call to jsonpage.php, but to the best of my knowledge, not the domain.

$_SERVER['REMOTE_ADDR'] contains the real IP address of the connecting party. That is the most reliable value you can find.

However, they can be behind a proxy server in which case the proxy may have set the $_SERVER['HTTP_X_FORWARDED_FOR'], but this value is easily spoofed. For example, it can be set by someone without a proxy, or the IP can be an internal IP from the LAN behind the proxy.

Finally, if your concern is that only some people should have access to jsonpage.php, I suggest you implement either a public/private API key or oAuth to ensure only the right people have access.

Further reading: How to get the client IP address in PHP

dearsina
  • 4,774
  • 2
  • 28
  • 34
0

you can using $_SERVER['HTTP_REFERER'] which will gives you which website is getting your info's but it's not really reliable because it's easy to change from the source.

Youssef Al Subaihi
  • 138
  • 2
  • 11