whistle

Can A PHP Page Know Who's Linking To Itself?


Some webpages have frames, each of which can be assigned to link to a URL path, i.e. http://forums.xisto.com/no_longer_exists/. When webpage A is requested by a browser, another webpage B contained in the frame of webpage A will be queried too.

As we know, phpinfo() can tell us the information about the URL of the webpage we get or post. When a webpage "B" is requested by the get or the post from a frame, can webpage B know the URL where webpage A is located?

I hope to know that because I wish webpage B can only be used in the frame of webpage A. If anyone requests it directly, webpage B returns something else.
For example, if someone saves webpage A to his hard disk, the URL of the saved page will not be the original one where webpage A is. Thus webpage B won't be shown correctly in the frame of the saved webpage.

Can anyone tell me whether webpage B can know the url of webpage A? And how?
Or is there any other way to reach the same objective?


...Can anyone tell me whether webpage B can know the url of webpage A? And how?

Or is there any other way to reach the same objective?

<{POST_SNAPBACK}>

whistle,

 

if I understood you right, you can use javascript to reach your objective.

Example:

Page A (iframe_a.html)

<html>
<head><title>Mainpage</title></head>
<body>
<h2>Mainpage</h2>
<iframe src="iframe_b.html" style="width:80%; height:50%"></iframe>
</body>
</html>

Page B (iframe_b.html)

<html>
<head><title>iFrame</title></head>
<script language="javascript">
    // Print the URL, host and path of the page that embeds this frame
    document.writeln("Calling page (link): "+parent.location.href+"<br />");
    document.writeln("Calling page (host): "+parent.location.hostname+"<br />");
    document.writeln("Calling page (path): "+parent.location.pathname);
</script>
<body>...</body>
</html>

Just compare your.domain to parent.location.hostname to decide what to do with the page request

If parent.location.pathname has "iframe_b.html" then the iframe has been called directly.

 

Hope this is what you meant

calixt


A PHP page can know from which page the user came into it, i.e. in which page the link was located when the user clicked it.

Browsers send the page's address in the HTTP request; it is labeled HTTP referer and you can read it from the HTTP_REFERER global variable ($_SERVER['HTTP_REFERER']).

There is a slight problem however... As the information is dependent on the browser, it is not always reliable: someone can easily send fake HTTP requests with bogus referers, and some browsers and firewalls block the referer sending.

So be careful when using HTTP_REFERER.


Hi, calixt:

I tested your example as follows:

 

Example:

Page A (iframe_a.html)

<html>
<head><title>Mainpage</title></head>
<body>
<h2>Mainpage</h2>
<iframe src="iframe_b.html" style="width:80%; height:50%"></iframe>
</body>
</html>

Page B (iframe_b.html)

<html>
<head><title>iFrame</title></head>
<script language="javascript">
    // Print the URL, host and path of the page that embeds this frame
    document.writeln("Calling page (link): "+parent.location.href+"<br />");
    document.writeln("Calling page (host): "+parent.location.hostname+"<br />");
    document.writeln("Calling page (path): "+parent.location.pathname);
</script>
<body>...</body>
</html>

Just compare your.domain to parent.location.hostname to decide what to do with the page request

If parent.location.pathname  has "iframe_b.html" then the iframe has been called directly.

<{POST_SNAPBACK}>


Finally, I see a blank iframe and there is no desirable output. My example is http://reurl.net/see/test.htm. I just know javascript a little. Could you give me more detail or tell me what's wrong with it? Thank you.


A PHP page can know from which page the user came into it, i.e. in which page the link was located when the user clicked it.

Browsers send the page's address in the HTTP request; it is labeled HTTP referer and you can read it from the HTTP_REFERER global variable ($_SERVER['HTTP_REFERER']).

 

There is a slight problem however... As the information is dependent on the browser, it is not always reliable, someone can easily send fake HTTP requests with bogus referers and some browsers and firewalls block the referer sending.

 

So be careful when using HTTP_REFERER.

<{POST_SNAPBACK}>


Thank you. I did test the HTTP_REFERER, and it does show the right URL of the webpage linking to it. I have tried the $_server variable, there is no string containing "HTTP_REFERER". You gave me the exact way to do the right thing. Thank you very much.


Hi, calixt:

I tested your example as follows:

Finally, I see a blank iframe and there is no desirable output. My example is http://reurl.net/see/test.htm. I just know javascript a little. Could you give me more detail or tell me what's wrong with it? Thank you.

<{POST_SNAPBACK}>


After I save the webpage as a file on my hard disk and open the saved file, it shows the following:

 

Calling page (link): file:///C:/Documents%20and%20Settings/1/My%20Documents/test.htm

Calling page (host):

Calling page (path): /C:\Documents%20and%20Settings\1\My%20Documents\test.htm ...

 

I have to mention one thing: the OS version I use is traditional Chinese, so some Chinese words are converted to strings with "%".

 

It is strange: the same code on the web server shows nothing. However, the right contents are shown in a locally saved file. Can anyone tell me why? I do care about the "why", not only the solution. Thanks.


Hi, calixt:

I tested your example as follows:

Finally, I see a blank iframe and there is no desirable output. My example is http://reurl.net/see/test.htm. I just know javascript a little. Could you give me more detail or tell me what's wrong with it? Thank you.

<{POST_SNAPBACK}>

Hi whistle,

when the source of the iframe does not belong to the same host as the main page, it will not have access to the "parent" object. This policy shall prevent cross site scripting.

Anyway, for your purposes it does not make any difference: If parent.location.href is not "http://reurl.net/see/test.htm" then the iframe src has not been called by the proper page.

 

Of course you can try to use $_SERVER["HTTP_REFERER"] but this can be faked as Hercco already mentioned. But if $_SERVER["HTTP_REFERER"] is not set then the iframe source surely has NOT been called by your Page A, and that is exactly the information you need, if I understood you right.

Greetings from Nuremberg (Germany),

C.

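One way to write the server-side Referer check discussed in the posts above for page B, as an added example that is not code from any poster in this thread. `EXPECTED_PARENT` and `referer_is_page_a()` are hypothetical names and the sample requests are constructed; since the header is supplied by the client, a match only filters direct requests and saved copies and does not prove the request came from page A.

```php
<?php
// Added example, not code from the thread. EXPECTED_PARENT and
// referer_is_page_a() are hypothetical names; the URL is whistle's test page.
const EXPECTED_PARENT = 'http://reurl.net/see/test.htm';

/**
 * True only when the Referer header names the expected page A.
 * Parsed components are compared, so a look-alike host or a URL that merely
 * contains the expected string does not pass. Set $checkPath to false when
 * A and B are on different origins: browsers may then send only the origin.
 */
function referer_is_page_a(array $server, string $expected, bool $checkPath = true): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if (!is_string($referer) || $referer === '') {
        return false; // absent: direct request, saved local copy, or stripped
    }
    $got  = parse_url($referer);
    $want = parse_url($expected);
    if (!is_array($got) || !is_array($want)) {
        return false; // malformed URL
    }
    foreach (['scheme', 'host'] as $part) {
        if (strtolower($got[$part] ?? '') !== strtolower($want[$part] ?? '')) {
            return false;
        }
    }
    if (($got['port'] ?? null) !== ($want['port'] ?? null)) {
        return false;
    }
    return !$checkPath || ($got['path'] ?? '/') === ($want['path'] ?? '/');
}

// Constructed sample requests (not captured traffic).
$samples = [
    'framed by page A' => ['HTTP_REFERER' => 'http://reurl.net/see/test.htm'],
    'opened directly'  => [],
    'look-alike host'  => ['HTTP_REFERER' => 'http://reurl.net.example/see/test.htm'],
    'URL in query'     => ['HTTP_REFERER' => 'http://other.example/?u=http://reurl.net/see/test.htm'],
];
foreach ($samples as $label => $server) {
    $ok = referer_is_page_a($server, EXPECTED_PARENT);
    printf("%-17s => %s\n", $label, $ok ? 'frame content' : 'fallback page');
}
```

In page B itself the function would be called with `$_SERVER` in place of the sample arrays.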

Hi whistle,

when the source of the iframe does not belong to the same host as the main page, it will not have access to the "parent" object. This policy shall prevent cross site scripting.

Anyway, for your purposes it does not make any difference: If parent.location.href is not "http://reurl.net/see/test.htm" then the iframe src has not been called by the proper page.

<{POST_SNAPBACK}>

Thank you. You have clearly answered what I hoped to know. Now I see and have learned a lot. You really do understand what I say although I use poor English. Thanks again.


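If you ever want to know any data in any array (e.g. $_SERVER) you should use:

<pre><?php var_dump($_SERVER); ?></pre>

or maybe my own little code bit:

<?php
// Print every $_SERVER entry as "key : value", HTML-escaped
foreach ($_SERVER as $a => $b) {
    // Some entries (e.g. argv) are arrays; flatten them before escaping
    $b = is_array($b) ? implode(' ', $b) : (string) $b;
    echo htmlentities((string) $a) . " <b>:</b> " . htmlentities($b) . "<hr>";
}
?>

Note: I haven't tested the script!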
