checking page referer in PHP

[Sridhar_Rao]

I have a page say result.php, which must be displayed only after a visitor fills in a form (reg.php). Even if the user visits result.php by typing the url, he must be directed to the registration page (reg.php). I am using page referer ($referer = $_SERVER['HTTP_REFERER']; )to see if the user came via the registration page or not.

This code works fine, but there is a problem. In the result.php page there is form which uses <?php echo $_SERVER['PHP_SELF']; ?>" method="post" to reload the page. At this stage the page checks once again if it has come from the refrerer and sends the page back to the registration page.

To check this I am using this script in the head of the html PHP Code:

<?php 
if (!isset($ok)){
 $referer = $_SERVER['HTTP_REFERER']; 
 if ($referer != 'reg.php'){ 
  header('Location: reg.php'); 
 }else{
 $ok=1;
 }
} 
?>

If the user visits result.php for the first time, script would check if $ok is set, if it is not, he is directed to reg.php. When the user fills in reg.php and is directed to result.php, the script checks $ok (which is not set) but is directed from the correct location, so $ok is set to 1 and the page loads normally.

when the page reloads via a form, the page checks if $ok is set (actually it has been set to 1) and the page should load normally. But this is not happening, it is getting directed back to reg.php.
What is wrong?

It is still not working

 

[victor_rambo]

Possible reason for the error is because referrer is not 'reg.php' but its '*www.domian.com/ref.php'.

Just a couple of suggestions:
Don't rely on the referrer.
1. The browser may not always send the referrer.
2. The referrer may be spoofed or be purposely set to send the wrong information.

This may lead to a genuine submission being redirected to the form filling page and the form may never be submitted successfully.

Instead use sessions. Set a session variable. Set a session variable on the page that contains the form. On the form processing page, check if that session variable is set and let the process proceed accordingly.

Its very easy to integrate sessions into your script.
At the top of your form page, simply add the below snippet. The rest of the code on the page should remain unchanged.

<?php
session_start();
$_SESSION['allow_form_to_be_submitted']=1;
?>

Now add the below snippet to the form processing page. Even here, the rest of the content remains unchanged.

<?php
session_start();
if($_SESSION['allow_form_to_be_submitted']==1)
{
//process the inputs of the form
}
else
{
//redirect the user to the form filling page.
}
?>

Again, remember to add them to the 'top' of the page. Adding them anywhere in between may result in an ugly error.

 

[amitava82]

Here is how you can achieve this. Say, in your reg.php page you have form1 and with a button name 'submit1' and in result.php page you have 2nd form with button name 'submit2'.

<?php
//Check if form1 was submitted
if (isset($_POST['submit1'])){
// If yes, do validation and process form data..
	}
else {
// If form 2 is not submitted i.e., user directly landed on this page
if (!isset($_POST['submit2'])){
//redirect to reg.php page
	header('Location: reg.php');
	exit;
 	}
//Process form 2
}
?>

So, when a user directly lands on result.php page, since the form on this page was not submitted, he/she gets redirected to reg.php page. Now here are couple of things you should do:

1. Process any data you receive from forms and validate them. It's very important!
2. If you want to process the data received from both the forms together, its necessary to store the values as session data or variable.
3. If you are using session variable, DO destroy them [session_destroy();] whenever necessary. If you try Rohan's example, you will see that at the first try user will be redirected to reg.php page but in subsequent tries users will NOT be redirected to reg.php page because session variable is still set to 1

 

[Sridhar_Rao]

Thank you guys for the reply. I think I had left out important info in my thread, please go through this and let me know if your solution is still the same.

The first page where the user fills in registration detail is not a php file as I mentioned, it is reg.htm file with no php script running in it. My server is windows based and does not handle php for sending forms to email, hence I am using vbscript to handle this.

<form name="test" method="post" action="scripts/cdosys.asp">
<input name="_redirect" type="hidden" value="*www.xxx.com/result.php" />

This script sends the user input to my email and redirects to result.php.
Will the submit button in reg.htm be recognized in the result.php as $_POST['submit'], can your suggestions work in this scenario?

 

[victor_rambo]

I don't know anything about ASP, but as far as your .htm extension is concerned, you can change that to .htm.php