views: 155
answers: 3

I have a Javascript widget that people can embed on their site.

I want to use a simple cross domain get request to pull in a hash.

However I need my PHP script to only allow this cross domain request from a series of domains I have stored in an array.

What can I do in my PHP script (not in .htaccess or iptables) to find out the source (hostname) of the get request?

Thank you very much,

Cei

+1  A: 

You could use the $_SERVER variable, in particular $_SERVER['REMOTE_HOST'], but see below for the caveat:

However, your web server must be configured to create this variable. For example in Apache you'll need HostnameLookups On inside httpd.conf for it to exist. See also gethostbyaddr().

Miky Dinescu
$_SERVER['REMOTE_HOST'] contains the address (dns lookup) of the _client_ that made the request. I'm not sure that is the answer...
VolkerK
Thank you for your answers, but the problem is what Volker is saying: that returns the client's address, not the host or IP of the site making the request.
+1  A: 

If the requests are coming from JavaScript, you could check the HTTP referrer header ($_SERVER['HTTP_REFERER']). However, it's optional - some proxies or security programs strip the referrer header out of HTTP requests.

BlackAura
And also it's not reliable since any client can send an arbitrary referrer or none at all, see e.g. https://addons.mozilla.org/en-US/firefox/addon/953 .
VolkerK
A: 

Considering the client (user's browser) can send you whatever it wants, I would say there is no way to be sure which website your script is called from:

  • As you want to know the URL of the website embedding your widget, and not the address of the user, $_SERVER['REMOTE_HOST'] will not help
  • $_SERVER['HTTP_REFERER'] could seem OK, but actually is not:
    • The client doesn't have to send it (and it doesn't always do)
    • As it is sent by the client, it can be forged / faked quite easily

So, I'd say there is no real solution to this problem, at least on your server's side (if I'm wrong, I'm interested to know!)

But maybe you can do something on the client side: when writing all this, I thought about Google Maps and its system of API keys:

  • you have a (unique) API key for your domain
  • When you load the JS scripts from Google, you send this key
  • if the key is not registered for the domain on which you are trying to display the map, there is an alert message, saying "The Google Maps API server rejected your request. This could be because the API key used on this site was registered for a different web site."
    • but the map seems to be displayed anyway -- at least on my test server
  • this alert is really annoying for the end-user, and I don't think anyone would want an alert displayed on their site because they are using your service without authorisation...

Maybe you can have a look at how this is done for google maps :-)

Pascal MARTIN
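The two ideas above, a Referer/Origin allow-list (BlackAura's answer) combined with a per-domain key (Pascal's Google Maps comparison), put together in one PHP endpoint as an added example; this is not code from any of the answers, the host names and keys are constructed, and it assumes PHP 7.1 or later:

```php
<?php
// Added example, not code from the original answers. Constructed host names and
// keys; the real widget's allow-list and key format are not given on the page.

// Allow-list of embedding sites: hostname => key issued to that site (constructed).
const ALLOWED_SITES = [
    'widgets-customer.example' => 'key-constructed-0001',
    'blog.example.org'         => 'key-constructed-0002',
];

// Host of the embedding page, taken from Origin (sent by browsers on cross-origin
// XHR/fetch) or, failing that, Referer. Both are client-supplied and optional.
function requestingHost(array $server): ?string {
    $raw = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($raw === null) {
        return null;
    }
    $host = parse_url($raw, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Returns the vetted host when the header host is on the allow-list and the
// presented key is the one issued to that host; null otherwise. Because a
// client can forge both values, this stops casual embedding, not a determined one.
function authorise(array $server, ?string $presentedKey): ?string {
    $host = requestingHost($server);
    if ($host === null || !isset(ALLOWED_SITES[$host])) {
        return null;
    }
    if (!hash_equals(ALLOWED_SITES[$host], (string) $presentedKey)) {
        return null; // key belongs to a different site or is missing
    }
    return $host;
}

$host = authorise($_SERVER, $_GET['key'] ?? null);
if ($host === null) {
    http_response_code(403);
    exit;
}
// Echo back only the vetted origin (never "*") so the browser releases the response.
header('Access-Control-Allow-Origin: ' . ($_SERVER['HTTP_ORIGIN'] ?? 'https://' . $host));
header('Vary: Origin');
header('Content-Type: application/json');
echo json_encode(['hash' => 'constructed-hash-value']);
```

A page that is not on the list, or that presents another site's key, gets a 403 and no CORS header, so its embedded widget receives nothing; a forged Origin plus a copied key still gets through, which is the limitation the answers above describe.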