9

I have a page which accepts POSTs from a remote site. I would like to detect the domain that these POSTs are coming from. I realize that it can be spoofed but it is better than nothing. I have tried accessing the HTTP_REFERER variable but it just returns null.

The page accepts POSTs from sources like PayPal (instant payment notifications) and other payment gateways.

How can I get the referring call?

Improve this question
3
  • It's a typo, but apparently not yours en.wikipedia.org/wiki/HTTP_referrer Commented Mar 15, 2011 at 3:09
  • http is a stateless protocol, understand that and don't rely on something set by a browser Commented Mar 15, 2011 at 3:49
  • Agree with you fully, no IPN will be processed unless it is authenticated as people have suggested. I would just like a way to know where the request came from so I know which authentication to use. Commented Mar 15, 2011 at 15:02

4 Answers 4

Reset to default
10

You spelled Referer correctly. It should be:

$_SERVER['HTTP_REFERER']
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Referrer is the english word, but in PHP its Referer.
Fun Fact: The misspelling of referrer originated in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the field into the HTTP specification.[4] The misspelling was set in stone by the time of its incorporation into the Request for Comments standards document RFC 1945; document co-author Roy Fielding has remarked that neither "referrer" nor the misspelling "referer" were recognized by the standard Unix spell checker of the period. Source: [en.wikipedia.org/wiki/HTTP_referer]
6 
$_SERVER['HTTP_REFERER']

with a single R, try var_dump($_SERVER) for more info.

Improve this answer

2 Comments

Thanks, that was a typo in the question. Still not returning anything in the code. Strange!
It might simply be null. Not all browsers send referers
2

You are right that the referrer is easy to spoof, however there is a better solution. Read the ipn documentation in which they mention validation mechanisms. Never trust the user.

Improve this answer

1 Comment

Thanks. Have implemented the IPNs properly. But I would like to use the same page to filter other IPNs other than paypal. So using the referer seemed like a logical way of doing it. Any suggestions how this could be done?
2

This works for me pretty well:

https://stackoverflow.com/a/17958676/2635701

<form action="http://www.yourdomain.com/subscribe" 
   method="POST" 
   onsubmit=
      "document.getElementById('www.yourdomain.com.referrer').value=window.location;" >
    <!-- hidden input for field starts with a domain registered by you 
    just so that it's unlikely to clash with anything else on the page -->
    <input type="hidden" id="www.yourdomain.com.referrer" name="referrer"/>
    your email: <input name="email" type="text"/>
    ... rest of form ...
    <input type="submit" value="Subscribe"/>
</form>
Improve this answer

1 Comment

What if javascript is disabled?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.