8

I have a page which accepts POSTs from a remote site. I would like to detect the domain that these POSTs are coming from. I realize that it can be spoofed but it is better than nothing. I have tried accessing the HTTP_REFERER variable but it just returns null.

The page accepts POSTs from sources like PayPal (instant payment notifications) and other payment gateways.

How can I get the referring call?

aaronfarr
  • It's a typo, but apparently not yours http://en.wikipedia.org/wiki/HTTP_referrer – Kenji Kina Mar 15 '11 at 03:09
  • HTTP is a stateless protocol; understand that and don't rely on something set by a browser –  Mar 15 '11 at 03:49
  • Agree with you fully, no IPN will be processed unless it is authenticated as people have suggested. I would just like a way to know where the request came from so I know which authentication to use. – aaronfarr Mar 15 '11 at 15:02

4 Answers

9

You spelled Referer correctly. It should be:

$_SERVER['HTTP_REFERER']
Matthew Flaschen
  • 1
    Referrer is the English word, but in PHP it's Referer. – AbiusX Mar 15 '11 at 03:08
  • Fun Fact: The misspelling of referrer originated in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the field into the HTTP specification. The misspelling was set in stone by the time of its incorporation into the Request for Comments standards document RFC 1945; document co-author Roy Fielding has remarked that neither "referrer" nor the misspelling "referer" were recognized by the standard Unix spell checker of the period. Source: https://en.wikipedia.org/wiki/HTTP_referer – Jordan Oct 31 '18 at 19:47
6
$_SERVER['HTTP_REFERER'] 

with a single R, try var_dump($_SERVER) for more info.

AbiusX
2

This works for me pretty well:

https://stackoverflow.com/a/17958676/2635701

<form action="http://www.yourdomain.com/subscribe" 
   method="POST" 
   onsubmit=
      "document.getElementById('www.yourdomain.com.referrer').value=window.location;" >
    <!-- hidden input for field starts with a domain registered by you 
    just so that it's unlikely to clash with anything else on the page -->
    <input type="hidden" id="www.yourdomain.com.referrer" name="referrer"/>
    your email: <input name="email" type="text"/>
    ... rest of form ...
    <input type="submit" value="Subscribe"/>
</form>
Community
2

You are right that the referrer is easy to spoof; however, there is a better solution. Read the IPN documentation, in which they mention validation mechanisms. Never trust the user.

Mike Lewis
  • Thanks. Have implemented the IPNs properly. But I would like to use the same page to filter other IPNs other than PayPal. So using the referer seemed like a logical way of doing it. Any suggestions how this could be done? – aaronfarr Mar 15 '11 at 03:48
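
An added example, not part of any answer above and not code from PayPal or any other gateway: one way to treat `$_SERVER['HTTP_REFERER']` as an untrusted routing hint that only decides which gateway's documented verification runs first. The hostnames, gateway labels and the function names `gatewayHintFromReferer` and `verificationOrder` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allow-list: these hostnames and labels are placeholders,
// not values taken from the page or from any gateway's documentation.
const GATEWAY_BY_HOST = [
    'notify.gateway-a.example' => 'gateway_a',
    'ipn.gateway-b.example'    => 'gateway_b',
];

// Turn an untrusted Referer value into a gateway label, or null when the
// header is missing, unparsable, or names a host that is not allow-listed.
function gatewayHintFromReferer(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null; // no header: usual for server-to-server POSTs
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return null; // relative or malformed URL
    }
    $host = rtrim(strtolower($host), '.');
    // Exact host match only; substring checks accept look-alike hosts.
    return GATEWAY_BY_HOST[$host] ?? null;
}

// Order in which to run the gateways' own verification routines: the hinted
// gateway first, then the rest, so a wrong or absent hint costs only time.
function verificationOrder(?string $hint): array
{
    $all = array_values(array_unique(GATEWAY_BY_HOST));
    if ($hint === null || !in_array($hint, $all, true)) {
        return $all;
    }
    return array_merge([$hint], array_values(array_diff($all, [$hint])));
}

// Constructed sample header values, including the null case from the question.
$samples = [
    null,
    'https://notify.gateway-a.example/send',
    'https://IPN.Gateway-B.example./callback',
    'https://notify.gateway-a.example.lookalike.example/',
    'https://lookalike.example/?from=notify.gateway-a.example',
    '/relative/path',
];
foreach ($samples as $value) {
    $hint = gatewayHintFromReferer($value);
    echo var_export($value, true), ' => ', implode(', ', verificationOrder($hint)), PHP_EOL;
}
```

In a real handler the input would be `$_SERVER['HTTP_REFERER'] ?? null`, and a notification is accepted only after the selected gateway's own verification succeeds.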