Posted by Gordon Burditt on 05/08/06 18:32

>Is it possible, with php, to figure out what the "calling url" is ?
>
>Let's say I have a track.html (with some php code) and if someone
>clicks on a link to track.html I want to see the url where that visitor
>came from.
>
>can that be done ?

$_SERVER['HTTP_REFERER'] can be used BUT it's sent by the browser
so it can easily be faked or deleted. This is one of the most
mucked-with variables on the web, even more than cookies. Many
Windows firewalls delete it and their owners couldn't re-enable it
to save their lives (even though that setting is usually in there
somewhere). CURL provides a way to send a fake one. And, of course,
a fake one can be sent by manually typing HTTP headers into telnet.

If you're trying to use it to get an idea where visitors come from,
it might work well enough for your purposes. If you're trying to
prevent references to images on your site from other sites, it's
easy to defeat and it will break your site for legitimate users.
If you think it's a way to detect bots, it's doomed to failure. If
you think it's a way to secure your site with Javascript input
parameter checking only on YOUR form and you can prevent people
from copying your form and altering it, your security is hopelessly
broken.
Gordon L. Burditt

[Back to original message]