php referrer problem

[pagetta]

hi,
hoping someone can help as i appear to be having a complete mental block over this!
we are sending out a mailer, with links back to our website on it. the links on our mailers usually go straight to a form you fill in to download a resource, and the link will look like this:

http://www.mysite.com/thepage.php?re...df&&ref=mailer

however on the next mailer we send out we are not offering resources, but have a list of all our new products, so you click on a link and go to the page concerning that product. from there we hope that you will either sign up/register for our product, or download a white paper/pricing scheme etc.

my question is how to carry the variable $ref through the product page to the page with the form where you fill in your details to download a resource(at which point it normally gets put in a hidden field, and the form details are mailed to our sales team).

my mind has drawn a complete blank! thanks in advance for any advice peeps x

[kgun]

Do you use the PHP inbuilt associative array $_SERVER ?

Is it

$_SERVER['REQUEST_URI'] or something like that?

Look up the documentation for $_SERVER if that is not the solution.

[pagetta]

hi no i don't use any arrays

[kgun]

That is inbuilt arrays (mean that they are built automatically as part of the language) and there are lots of them like

$_GET, $_POST, $_SESSION, $_SERVER (that holds information about the server the script is running on).

Let us say an element in the associative array is:
WEBBROWSER (it is an example and not necessarily correct) and stored in the $_SERVER array, you get that information like this:

$webbrowser = $_SERVER['WEBBROWSER']

Another example: Another element is PHP_SELF (the URL of the active page and that is correct).

$thisurl = $_SERVER['PHP_SELF']

I have reccomended "The PHP Anthology: Object Oriented PHP Solutions" a lot of times here at WPW.

The first chapter of volume II is about authentication. You can download the frist chapters of volume I free and some chapters from volume II free. Hopefully it is the first chapter of volume II. There you have an exact example of what you are requiring.

Variable:
$redirect = URL you want to redirect to:

Method:

function redirect($from=true) {
if ( $from ) {
header ( 'Location: '.$this->redirect.'?from='.
$_SERVER['REQUEST_URI'] );
} else {
header ( 'Location: '.$this->redirect );
}
exit();
}

[Grokodile]

It depends on how you want this to show up. If you want it in your traffic logs you should dynamically build the links on the product list page.

Code:

$ref = $_REQUEST['ref'];

$link = "http://some.place/some.page?$ref";
echo "<a href=$link>Page Title</a>\n";

$link = "http://some.place2/some.page2?$ref";
echo "<a href=$link>Page Title 2</a>\n";

Alternately, if you don't need complete stats, you could just stuff the value into a session.

Code:

$_SESSION['ref'] = $_REQUEST['ref'];

Then, when the user arrives at the final PHP page, even perhaps to provide for a PDF download, you could stuff the session reference value, if it was set, into a database.

Code:

$ip = $_SERVER['REMOTE_ADDR'];
$sql = "BUILD INSERT WITH $ip and $_SESSION['ref']";
mysql_query($sql);

I hope that is what you meant.

[TrafficProducer]

Code:

www.mysite.com/thepage.php?resource=paper.pdf&&ref=mailer

Two && is this correct??

This is more normal:-

Code:

www.mysite.com/thepage.php?resource=paper.pdf&ref=mailer

Some Handy PHP links

[bloxar]

Hello pagetta,

Let’s see if I understood.

First you have 2 && correct that to http://www.mysite.com/thepage.php?re...pdf&ref=mailer

The answer would be using a hidden field like this

<form name=”myProductForm” method=”post” action=”my_pdetails_form_.php” >

<input type=”hidden” name=”ref” value=”<?php echo $ref; ?>”/>


At this point you have capture the variable $ref from the query, now lest see how to past to the other form.

You surely have pointed the action form of your product (my_proc_php) to the page form where visitors have to enter their personal details or whatever.


The other form (Personal detail form, billing details, or whatever) has to have a hidden field to capture the $ref var again more or less like this.


<form name=”myPdetailForm” method=”post” action=”my_proc_script_.php” >

<input type=”hidden” name=”ref” value=”<?php echo $ref; ?>”/>


Well that’s it you have the value forwarded to the next form, of course that you can use cookies to do the same thing but you know try with this first.


Note: if you want to track from where the form was called o you want to perform a little bit of security stuff use something like this $called_from= getenv('HTTP_REFERER'); this will output the referred url from your form was requested.


Regards,

[speed]

Quote:

Originally Posted by bloxar

<form name=”myProductForm” method=”post” action=”my_pdetails_form_.php” >

<input type=”hidden” name=”ref” value=”<?php echo $ref; ?>”/>

This only works if register globals is set to on.

To make it work with register globals off replace echo $ref; with:

echo $_SERVER['REQUEST_METHOD'] == 'POST ? $_POST['ref'] : $_GET['ref'];

Or use $_GET on the 1st form and $_POST on the subsequent forms.

Quote:

Note: if you want to track from where the form was called o you want to perform a little bit of security stuff use something like this $called_from= getenv('HTTP_REFERER'); this will output the referred url from your form was requested.

This is not always true, users of certain firewalls will block this information and therefore you cannot rely on it being present.

[bloxar]

Hello speed,

Ok, we are not going to start a purist debate about how to code here, do we?

The thing is that if she is asking about this, is because she has not advanced knowledge about the subject, so I assume that she is in a share hosting where the majority of them has GLOBALS vars set to on.

So why complicated more the thing for her, hehehehehe have no sense mate, don’t you think?

About the security stuff:

The environment var $called_from= getenv('HTTP_REFERER') is not intended to be used in this way.

The sense of this is to check the result of the $called_from= getenv('HTTP_REFERER') against your own domain and path.
Of course you have to set another var having your domain, bla, bla stuff.

If the HTTP_REFERER var don’t report your own domain the form shouldn’t be processed.

Have you got the idea?

Doesn’t matter if the attacker is using a proxy, firewall, or whatever the script should avoid to process the form.

Perhaps my explanation wasn’t very good, so I will add this...
The check has to be done in the script that process the form.


This is to prevent attacker from exploit your script as normally they do from outside your server.

Of course you can archive the same thing with other methods, but I thought this was pretty simple.

Regards,

[speed]

It’s not my intent to start a purist debate, just if pagetta has a server with globals off, and I see many with it off, then she will be scratching her head wondering why the code doesn't work.

Who knows who else might read this thread and have globals off, so I just included it for completeness.

Quote:

If the HTTP_REFERER var don’t report your own domain the form shouldn’t be processed.

Have you got the idea?

Yes I understand what you are saying but although it’s a nice idea it’s unreliable.

Last time I checked Norton Firewall strips the referer data in its default configuration, i.e. it’s blank and not your domain, so now when you compare your domain with that sent by the browser it fails.

You’ve stopped all those people handing their money over to you. How many other firewalls also strip it?

Opera has an option to disable the referer field and I’d bet there’s more than a few people who do.

It could get costly for very little added security, it’s childs play to fake the referer with an attack script.

[wige]

There is one thing you need to note: the referrer ($_SERVER[HTTP_REFERRER] or similar) will be null when someone clicks a link in an e-mail. If you want the referrer to be stored, your best bet would be to store the content of $ref=whatever in a session variable and retreive it from the session when the user gets to the sales page. Because sessions usually use your SQL database, MAKE SURE you parse the contents of the ref= to ensure it contains no exploit code before sending the data to the session.

[minorgod]

Sorry for this long post, but I first answered a question you DIDN'T ask before I realized what you were really asking. Then it seemed like my first answer might be somewhat helpful, so I left the first answer intact and then followed it up with the answer to the question that you really DID ask. So here goes...

Using the referrer address will probably not help you. You will need to write your links dynamically to include an identifier of some kind. You can easily pass a variable from an email to your PHP page by embedding "GET" variables in the links in your emails in the format:

http://www.somedomain.com/somepage.p...someothervalue

Everything after the "?" is a url-encoded name=value pair separated by ampersand (&) characters. Any variables passed via a link in this format will show up on your server as a "GET" variable, just like if you had submitted a form via the "GET" method. If you have a REALLY old php install, the GET variables can be accessed via the HTTP_GET_VARS global array, but most likely you have a somewhat newer installation of PHP so you can use the preferred "GET" superglobal array (though either should work). So on your php page you can output the variable value like so:

Code:

echo $HTTP_GET_VARS['somevariable'];

or

Code:

echo $_GET['somevariable'];

The first method should work for any PHP4.x install, but the second method is generally preferred. SO, using the example URL from above, either of the above code examples will output the word "value".

Knowing this, you can simply write the value of any variable passed via the URL to a hidden form field on your landing page like this:

Code:

<input type="hidden" name="somevariable" id="somevariable" value="<?php echo $_GET['somevariable']; ?>"/>

or do whatever else you want (such as inserting the value in a database). To add more variables, just remember to separate them with ampersand characters.

As one more thing to confuse you, you can access any GET or POST varialble via the "REQUEST" superglobal array which is simply a collection of all GET and POST variables, so some people prefer to use the REQUEST array if they aren't sure if a value will be submitted via GET or POST method.

Hope that helps....oh wait...I just re-read your post and now realize you were asking a totally different question! Sigh. Here's the answer the question you really asked:

Basically, you can either use the method I've outlined above to either pass the variables from page to page by embedding them in the links, or in hidden form fields. If you are submitting pages or forms via the "POST" method simply change the word "GET" in the above examples to the word "POST" and it will work the same way. HOWEVER, that's now how i'd do what you are trying to do. Personally, this seems like a perfect use for either SESSION data (if you want the server to hold the values and expire when the user closes his browser) or using COOKIES (if you want the value to be held in the user's web browser for some duration that you can specify). I prefer sessions myself so here's how to do it with sessions:

On your landing page that receives the variable via the GET method, put the following code at the top of your page but change the variables to your own:

Code:

session_start();
if(!empty($_GET['somevariable'])){
    $_SESSION['somevariable'] = $_GET['somevariable'];
}

Now on any other page where you want to retrieve that variable value, you simply put "session_start();" at the top of your page and then access the $_SESSION['somevariable'] variable like any other type of variable. The biggest complication you may run into is that you MUST start your session using session_start() before any output is sent to your client browser or it will cause a warning/error about problems sending HTTP headers, so just make sure to put it above all your html code and you should be good. Also, you must ALWAYS call the session_start() function before you will have access to any $_SESSION variables, regardless of what php page started the session or whether you happen to be on that page or not.

I mentioned using cookies as well, but this post is already too long. If you want to see examples of how to do this stuff with cookies instead of sessions, simply visit http://us3.php.net/manual/en/function.setcookie.php .

[Spooky]

Not sure if anyone has said this, but why not simply set a cookie, then pull it in where you will need it. That way you can detect the referrer regardless of the route taken around the site. Or have I missed something ?

EDIT: Ahh yes, session cookies mentioned above! Seems the best way as far as I can see.

Spooky

[bloxar]

Quote:

Originally Posted by Spooky

Not sure if anyone has said this, but why not simply set a cookie, then pull it in where you will need it. That way you can detect the referrer regardless of the route taken around the site. Or have I missed something ?

EDIT: Ahh yes, session cookies mentioned above! Seems the best way as far as I can see.
Spooky

Hello Spooky,

If I am not wrong she asked how to pass the value of the var $ref from the product page to the contact details form using a hidden field.

“my question is how to carry the variable $ref through the product page to the page with the form where you fill in your details to download a resource(at which point it normally gets put in a hidden field, and the form details are mailed to our sales team)”

Regards,

[Spooky]

Yes she did. My view would be, however, that this would not be the best method to achieve the poster's goal, as the user may choose to navigate in a way that the poster would not like or anticipate, thus potentially losing the information that the poster wished to include in their form to their sales team. Using a session cookie should mean that, in most instances, the end goal will be achieved regardless of the user behaviour - at least for that one visit anyway.

My 2 cents.

[bloxar]

[quote="Spooky"]Yes she did. My view would be, however, that this would not be the best method to achieve the poster's goal, as the user may choose to navigate in a way that the poster would not like or anticipate, thus potentially losing the information that the poster wished to include in their form to their sales team. Using a session cookie should mean that, in most instances, the end goal will be achieved regardless of the user behaviour - at least for that one visit anyway.

My 2 cents.[/quote]



Hello Spooky,

Yes of course you are right this is not the appropriate method to get orders.
She needs persistent data, but this would be very long to explain here, I guess.

Session it is not a secure manner to get data either, Cookies has it own problems too.

So a way to archive all this without Db, cookies, etc. Would be to store all data’s products into a hidden field in a frame but this involves client side programming.


Regards,

...

[Spooky]

I suggested cookies purely on the basis that the only data that the poster stated they wanted to pass to the form, other than that on the page which went directly to the form, would the the referral source. Otherwise I agree that something else should be used for the circumstance you describe, but for simply noting the referral source of the site visitor I think a cookie is good enough for the minimal effort required (works for me anyway).

Having said that, Pagetta does not appear to have come back here for a couple of days anyway, so any answers may well be academic anyway ;)

[bloxar]

Quote: