only allow access to a page if coming from a certain url or website


j5uh

I have a page where people can subscribe to a subscription service. This page is accessible by the internet if you just typed the url in.

 

What I was wondering, is there a way I can use .htaccess to only allow that page to show if you're coming from a paypal website...  I know there should be a way to do this...  :-X


You can do it w/ php

<?php
$allowed_referer = array("http://paypal.com", "http://phpfreaks.com"); //add the allowed sites in this array
// the header is optional: guard against an undefined index when the browser sends none
$referal = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (in_array($referal, $allowed_referer, true)){ // exact, case-sensitive match against the list
//let them hit this page
}
else{
//send them somewhere
}
?>


so would i code it this way...

 

<?php
$allowed_referer = array("http://paypal.com", "http://phpfreaks.com"); //add the allowed sites in this array
$referal = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (in_array($referal, $allowed_referer, true)){
//let them hit this page
// all my html code goes here

}
else{
// do I just put a forward script here?
}
?>


Keep in mind the end user can disable this, so it might be smart to have an 'if this page isn't working for you...' link :)

 

Also, the end user can modify the referring url, so if they really wanted to they could access the page and spoof a fake referrer to get past your check.

 

If the referring page is internal, sessions are a GREAT way to combat this :)


Be aware that HTTP_REFERER can be modified by the user. But generally it would work (if a few users getting "unauthorized" access is OK). If you want to match someone coming from paypal.com, with or without possible sub domains and/or pages aside from the front page, you can use preg_match():

 

<?php
$referal = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// host must be paypal.com or a subdomain of it: the dot is escaped, the subdomain
// group cannot span a "/" (so a foreign host with "paypal.com" later in its path
// does not match), "i" ignores case and "D" pins "$" to the very end of the string
if (preg_match('~^https?://([^/]*\.)?paypal\.com(/|$)~iD', $referal)) {
//they come from paypal.com
} else {
//they don't
}
?>

 

I don't think the other script posted will work, since the URLs are short of a trailing slash and the "https" scheme. But I guess you were supposed to fill in the exact URLs yourself :)

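Added example (not from any post in this thread): the referer's host is compared after parse_url() instead of matching the whole string with the lazy "(.*?\.)?paypal.com" pattern, which a foreign host carrying "paypal.com" in its path can satisfy. referer_from_host() and the sample referers are assumptions constructed for the demo, and a referer is still a voluntary client header, not proof of payment.

```php
<?php
// Returns true only when the referer is an absolute http(s) URL whose host is
// $allowedHost or a subdomain of it. A missing or malformed header is rejected.
function referer_from_host($referer, $allowedHost)
{
    if (!is_string($referer) || $referer === '') {
        return false;                       // header absent or suppressed by the browser
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;                       // not an absolute URL
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $host        = strtolower(rtrim($parts['host'], '.'));
    $allowedHost = strtolower($allowedHost);
    $suffix      = '.' . $allowedHost;
    // exact host, or the allowed host preceded by a label boundary ("www.paypal.com")
    return $host === $allowedHost || substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample referers (assumption, not real traffic). The third one is
// accepted by the whole-string pattern because "(.*?\.)" swallows "evil.example/x."
$samples = array(
    'https://www.paypal.com/cgi-bin/webscr?cmd=_xclick',  // subdomain, with a path
    'https://paypal.com',                                 // bare host, no trailing slash
    'http://evil.example/x.paypal.com/',                  // foreign host, paypal.com in path
    'http://notpaypal.com/',                              // look-alike host
    '',                                                   // no referer sent
);
$lazyPattern = '~^https?://(.*?\.)?paypal.com/.*?$~D';   // the shape of the pattern above

foreach ($samples as $ref) {
    printf("%-52s regex=%d host=%d\n",
        $ref === '' ? '(no referer)' : $ref,
        preg_match($lazyPattern, $ref) ? 1 : 0,
        referer_from_host($ref, 'paypal.com') ? 1 : 0);
}
```

Running it from the command line prints regex=1 host=0 for the evil.example line and regex=0 host=1 for the bare https://paypal.com line, which is the difference between matching a string and checking a host.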

So this script here is better with preg_match?

so if someone made a payment on paypal, they would be forwarded to this page and it should allow them to access it right?

 

I have no problem with just a few people sneaking by... I will review the list every couple weeks to make sure people have paid...


so could I do this?

 

<?php
$referal = $_SERVER['HTTP_REFERER'];
if (preg_match('~^https?://(.*?\.)?paypal.com/.*?$~D', $referal)) {

<html>
<body>paid content here</body>
<html>

} else {

<html>
<body>you must pay first... </body>
<html>

}
?>


Your syntax is wrong, it could look like this:

 

<?php
$referal = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// host must be paypal.com or a subdomain of it; see the pattern notes in the post above
if (preg_match('~^https?://([^/]*\.)?paypal\.com(/|$)~iD', $referal)) {
?>
<html>
<body>paid content here</body>
</html>
<?php
} else {
?>
<html>
<body>you must pay first... </body>
</html>
<?php
}
?>

 

I'm not very familiar with PayPal, but isn't there some secure way to deal with this? It should be an obvious feature to buy access to certain pages.


Yes, it's better if you wanna allow anyone from anywhere on paypal.com. But as discomatt says, it won't work for users who have turned the 'referer' option off (but who have that??).

 

I do. I don't see why a website should know what page I'm coming from if it's not theirs.


I didn't see a mention of this, and I feel it's important enough to say:

 

'HTTP_REFERER' can be turned off, and should not be considered trustworthy, not only (as was mentioned) because some users can be denied access, but more importantly because the header can be "spoofed" and a person can gain access without actually having come from the paypal (or other) site.

 

If you are barring access because you are expecting someone to have paid for something, it is well worth your money to look into (or pay someone else to look into) the official PayPal APIs.


Honestly, I wish it was easier to integrate paypal into a form.. but I have no experience with APIs...

 

It is very easy to integrate PayPal. Have you even looked at their API?

 

I didn't see a mention of this, and I feel it's important enough to say:

 

'HTTP_REFERER' can be turned off

 

Keep in mind the end user can disable this, so it might be smart to have an 'if this page isn't working for you...' link :)

 

But as discomatt says, it won't work for users who have turned the 'referer' option off
