
Close Window If Referer Not Valid


monkeybidz


I need to close a window if referer not valid, but it cannot be in HTML, needs to be PHP. This is what I have so far:

 

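<?php
// ereg() was removed in PHP 7; strpos() performs the same "referer contains this URL" test.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strpos($referer, 'http://www.mysite.com/test.php') === false) {
    header('Location: ?????????');
    exit;
}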

I get a header already sent message if I use a URL. I need it to close the window after 3 seconds.

 

Any ideas? :'(

Link to comment
Share on other sites

I'm not sure I want to know why you plan to do this, but I feel that it needs to be pointed out that referer is sent in the HTTP header by the browser. In other words, it is entirely up to the client whether or not it sends a referer, and by the same token it can be spoofed.

 

As to your issue with header already sent, that happens if there has been output prior to the header() call.  If you have not sent output, there is probably another reason you are getting this error -- typically some whitespace at the top of your script or some newlines in an include file.

 

The only way you can achieve behavior client-side is to utilize JavaScript. If you already know that you don't want to send a page to someone, I'm mystified as to why you would send it to them in the first place.

Link to comment
Share on other sites

Some person has been accessing this page directly while bypassing a datacheck script page and I want the form results page to close since it is a popup. So if they do not come from the original form page, I want the form to close.

 

So again, you can check the referer at the top of the script you do not want them to arrive at and just not render the page or do your header('Location: ...) function.  You need to figure out why you are getting the headers already sent message!

 

Also once they determine that your only security is the referer check, they can easily spoof the referer using any number of tools and open the page directly.

 

"But Gizmola, how can I stop this?"

 

Use a PHP session variable!

 

You set the session variable when they visit the required page, and then check for this variable at the top of the "secured" script.

 

Regardless of how you approach this (and I can tell you that using the referer is not the right solution), you will need to sort out your "headers already sent" problem.

 

One hint I can provide you... include files do not need to have the ending "?>" tag. If you remove it from files you include, you may find this fixes the problem with stray newlines causing output to start inadvertently. Otherwise, check your files for extra newlines at the bottom and top and remove any you find until the error goes away.

Link to comment
Share on other sites

Ok, let me try this one last time. 

 

You don't want to send content when someone has bypassed a required page on your site.

 

Why then, are you sending the page content when you already *know* that they should not see it in the first place?

 

Why are you avoiding figuring out the problem with your script? 

 

Please stop avoiding my question, and answer this question.

 

 

Link to comment
Share on other sites

OK! It is a simple quote HTML/PHP form with an Action to post to a results page if it passes a checkdata script. This information is then sent to me and they are sending me pure junk ads by accessing the results page directly. I looked and can't find any white space in any of the three files involved. Can't figure out why the header already sent message. No includes either.

Link to comment
Share on other sites

Ok so if I understand you:

 

form.php -  Your form page, with target being ...

checkdata.php - Where you validate input and then if everything is ok, you header('Location: page3.php')

page3.php

 

And page3.php is the page people are going to directly.  Does this summarize things correctly?

 

If so, let's see the code at the top of "page3.php"

 

 

Link to comment
Share on other sites
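The session-variable check suggested in the thread, applied to the checkdata.php and page3.php flow described above, as an added example that is not code from any poster. The helper file name gate.php, the function names, the session key and the 5-minute lifetime are all assumptions.

```php
<?php
// Added example, not from the thread. Save as gate.php (hypothetical name) and
// require it from checkdata.php and page3.php. There is deliberately no closing
// PHP tag, so this include cannot emit stray whitespace before header().

const GATE_KEY = 'quote_form_passed';   // hypothetical session key
const GATE_TTL = 300;                   // assumed lifetime of the pass, in seconds

function gate_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                // must run before any output is sent
    }
}

// checkdata.php: call only after the submitted data has passed validation.
function gate_grant_and_redirect(string $target = 'page3.php'): void
{
    gate_start_session();
    session_regenerate_id(true);        // fresh session ID for the validated visitor
    $_SESSION[GATE_KEY] = time();       // stored server-side, unlike the Referer header
    header('Location: ' . $target);
    exit;
}

// page3.php: call on the very first line, before any HTML is written.
function gate_require_pass(): void
{
    gate_start_session();
    $granted = $_SESSION[GATE_KEY] ?? 0;
    unset($_SESSION[GATE_KEY]);         // one-shot: a reload or a direct hit fails
    if (!is_int($granted) || $granted === 0 || time() - $granted > GATE_TTL) {
        http_response_code(403);        // render nothing of the results page
        exit('Please submit the form first.');
    }
}
```

Because the pass lives in the server-side session, a request that goes straight to page3.php gets the 403 whatever Referer it sends.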
