So my question is simple: I've used the following method for allowing access to the PHP script via the referrer's domain name, but I want to allow access only for referrers matching the full URL.
<?php
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != 'domain.com')
{
    echo "Executing code here";
} else {
    echo('Hot Linking Not Permitted');
    // display some message / image / video
    exit;
}
?>
So if the referrer URL matches http://www.domain.com/page.html then allow access, else block it.
It will not be safe because referrer data can be easily spoofed. However, if it still fits your needs, then you should be fine with your code already, since $_SERVER['HTTP_REFERER'] contains the full referrer URL and not just the domain. Actually, your present code needs some adjustments because it can't work like that:
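<?php
// This is to check if the request is coming from a specific domain
// A missing Referer header is treated as empty, so it fails the check below
$ref = $_SERVER['HTTP_REFERER'] ?? '';
// parse_url() gives null when the URL has no host, false when it is malformed
$host = parse_url($ref, PHP_URL_HOST);
if ($host !== 'domain.com') {
    // Output string and stop execution
    die("Hotlinking not permitted");
}
echo "Executing code here";
?>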
Note that if you check if HTTP_REFERER is set before checking if it's what you want, people would get to your script without any referrer set at all, so you should check it in any case. Now, checking for a specific URL is much simpler:
<?php
// This is to check if the request is coming from a specific URL
// A missing Referer header is treated as empty, so it fails the check below
$ref = $_SERVER['HTTP_REFERER'] ?? '';
if ($ref !== 'http://domain.com/page.html') {
    die("Hotlinking not permitted");
}
echo "Executing code here";
?>
What is it that you are trying to protect?
You should never trust HTTP_REFERER as it can be spoofed (as others have pointed out). Also some firewalls and security software will rewrite or remove the referer, and not all browsers report it properly.
If it's sensitive data then personally I would pass a hash between pages.
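One way to implement the "pass a hash between pages" suggestion above, as an added example that is not part of the original thread: the linking page issues an HMAC-signed, expiring token and the protected script verifies it instead of trusting the Referer header. The names `LINK_SECRET`, `make_token()`, `verify_token()`, the `t` query parameter and `/script.php` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Secret known only to the server; in practice load it from config or the environment.
// The fallback value is a constructed placeholder so the example runs stand-alone.
$secret = getenv('LINK_SECRET') ?: 'constructed-demo-secret-change-me';

// Called by the page that links to the protected script (hypothetical helper).
function make_token(string $resource, int $ttl, string $secret, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $mac = hash_hmac('sha256', $resource . '|' . $expires, $secret);
    return $expires . '.' . $mac;
}

// Called by the protected script before doing any work (hypothetical helper).
function verify_token(string $token, string $resource, string $secret, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                        // missing or malformed token
    }
    [$expires, $mac] = $parts;
    if ((int)$expires < ($now ?? time())) {
        return false;                        // token lifetime has passed
    }
    $expected = hash_hmac('sha256', $resource . '|' . $expires, $secret);
    return hash_equals($expected, $mac);     // constant-time comparison
}

// Linking page: '<a href="/script.php?t=' . urlencode(make_token('/script.php', 300, $secret)) . '">'
if (PHP_SAPI !== 'cli') {
    $t = is_string($_GET['t'] ?? null) ? $_GET['t'] : '';   // reject array input such as ?t[]=x
    if (!verify_token($t, '/script.php', $secret)) {
        http_response_code(403);
        die('Hotlinking not permitted');
    }
    echo 'Executing code here';
} else {
    // Constructed demonstration with fixed timestamps when run from the command line.
    $t = make_token('/script.php', 300, $secret, 1000);
    var_dump(verify_token($t, '/script.php', $secret, 1100));  // case: inside lifetime
    var_dump(verify_token($t, '/other.php', $secret, 1100));   // case: token for another resource
    var_dump(verify_token($t, '/script.php', $secret, 2000));  // case: after expiry
    var_dump(verify_token('', '/script.php', $secret, 1100));  // case: no token supplied
}
```

A token like this is usable by anyone who obtains the link until it expires, so keep the lifetime short; including a session identifier in the signed string ties it to one visitor.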