PHP HTTP Referrer

php post referrer

23,921

Solution 1

You spelled Referer correctly. It should be:

$_SERVER['HTTP_REFERER']

Solution 2

$_SERVER['HTTP_REFERER']

with a single R, try var_dump($_SERVER) for more info.

Solution 3

This works for me pretty well:

https://stackoverflow.com/a/17958676/2635701

<form action="http://www.yourdomain.com/subscribe" 
   method="POST" 
   onsubmit=
      "document.getElementById('www.yourdomain.com.referrer').value=window.location;" >
    <!-- hidden input for field starts with a domain registered by you 
    just so that it's unlikely to clash with anything else on the page -->
    <input type="hidden" id="www.yourdomain.com.referrer" name="referrer"/>
    your email: <input name="email" type="text"/>
    ... rest of form ...
    <input type="submit" value="Subscribe"/>
</form>

Solution 4

You are right that the referrer is easy to spoof, however there is a better solution. Read the ipn documentation in which they mention validation mechanisms. Never trust the user.

View more solutions

23,921

Author by

aaronfarr

Updated on January 16, 2020

Comments

aaronfarr over 4 years

I have a page which accepts POSTs from a remote site. I would like to detect the domain that these POSTs are coming from. I realize that it can be spoofed but it is better than nothing. I have tried accessing the HTTP_REFERER variable but it just returns null.

The page accepts POSTs from sources like PayPal (instant payment notifications) and other payment gateways.

How can I get the referring call?
aaronfarr over 13 years

Thanks, that was a typo in the question. Still not returning anything in the code. Strange!
AbiusX over 13 years

Referrer is the english word, but in PHP its Referer.
AbiusX over 13 years

It might simply be null. Not all browsers send referers
aaronfarr over 13 years

Thanks. Have implemented the IPNs properly. But I would like to use the same page to filter other IPNs other than paypal. So using the referer seemed like a logical way of doing it. Any suggestions how this could be done?
Dũng Trần Trung almost 8 years

What if javascript is disabled?
Jordan over 5 years

Fun Fact: The misspelling of referrer originated in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the field into the HTTP specification.[4] The misspelling was set in stone by the time of its incorporation into the Request for Comments standards document RFC 1945; document co-author Roy Fielding has remarked that neither "referrer" nor the misspelling "referer" were recognized by the standard Unix spell checker of the period. Source: [en.wikipedia.org/wiki/HTTP_referer]