如何在PHP中正确使用$ _SERVER ['HTTP_REFERER']?
Lets say i have two pages page1.php and page2.php and i want page2.php to be displayed only if it is redirected form page1.php and i inserted this code to page2.php
if($_SERVER['HTTP_REFERER'] == "page1.php")
{
//keep displaying page2.php
}else{
//if it is not redirected from page1.php
header('Location:page1.php')
//redirect the user back to page1.php
}
this code worked fine until i have a form and a submit button on page2.php when the submit button is clicked the page refreshes which means the HTTP_REFERER will change to page2.php so my if statement fails and it takes me back to page1.php i don't want that to happen. Is there any way to prevent this from happening?
Thanks in advance.
假设我有两页 这个代码工作正常,直到我在 提前致谢。 p>
div> page1.php code>和 page2.php 并且我希望 page2.php code>仅在从 page1.php code>重定向时显示,并且我将此代码插入 page2.php code > p>
if($ _ SERVER ['HTTP_REFERER'] ==“page1.php”)
{
//继续显示page2.php
}其他{\ n //如果没有从page1.php
header重定向('Location:page1.php')
//将用户重定向回page1.php
}
code> pre> \ n
page2.php code>上有一个表单和一个提交按钮,当单击提交按钮时页面刷新,这意味着 HTTP_REFERER code> 将更改为 page2.php code>所以我的 if语句 code>失败,它将我带回 page1.php code>我不希望这种情况发生。 有没有办法防止这种情况发生? p>
I wouldnt recommend using HTTP_REFERER:
It's fairly simple to manipulable in browser.
Some users might have security settings in their browser to not send this header at all.
It's not accessible over HTTPS.
Some proxies strip this header from the request
added - see answer to this quesion
As Charlotte Dunois stated in the comment, better set session value before sending the form and then check it on page2.
page1.php:
$_SESSION[ 'display_page2' ] = TRUE;
//rest of the content
page2.php:
if ( (isset( $_SESSION[ 'display_page2' ] ) && $_SESSION[ 'display_page2' ] === TRUE ) || isset( $_POST[ 'some_form_input' ] ) ) {
//keep displaying page2.php
} else {
header('Location:page1.php');
exit;
}
With isset( $_POST[ 'some_form_input' ] ), you can check whether the form has been sent (via POST method).
When needed, you can unset the session with unset( $_SESSION[ 'display_page2' ] ); or by setting it to different value.
<?php
if(($_SERVER['HTTP_REFERER'] == "page1.php") || (isset($_POST['submit']) && $_SERVER['HTTP_REFERER']=="page2.php"))
{
//keep displaying page2.php
}else{
//if it is not redirected from page1.php
header('Location:page1.php');
//redirect the user back to page1.php
}
?>
if the referrer is not page 1 you could check the condition if referrer = page2 and post is submitted. or check if the referrer is page1 or post is submitted. this is a possibility to avoid your problem.
I advise against using $_SERVER['HTTP_REFERER'] as it can be easily spoofed.
Instead , you could set a cookie when they load page 1 using setcookie("page1", 1); before any markup is output. Then check for it on page 2 using
if(isset($_COOKIE['page1']))
{
//keep displaying page2.php
}else{
//if it is not redirected from page1.php
header('Location:page1.php')
//redirect the user back to page1.php
}
By not specifying the expiry date the cookie will expire when the browser is closed. In this situation, using cookies also makes for much more readable code to others.
<?php
/*
this page allows links from the following pages
public.php?id=links
private.php?id=links
don't allow if visitors come from anywhere else
this example would only work if I used the entire URL in the 'if' statement
*/
$referringpage = $_SERVER['HTTP_REFERER'];
if ( $referringpage == "http://www.example.com/public.php?id=links" ) {
$pass = "yes";
} elseif ( $referringpage == "http://www.example.com/private.php?id=links" ) {
$pass = "yes";
} else {
$pass = "no";
}
if ( $pass == "yes" ) {
// do the function this page was made to do
}
header( "Location: http://www.example.com/public.php?id=links" );
?>