tags:

views:

36

answers:

1
Q: 

Knowing if a script is called from an iframe on another host in PHP (hopefuly without Javascript)

I want to identify if a PHP script is being called inside an iframe of a different host. I could resort to using Javascript for that, but I'd like to find a JS-free solution first.

Right now I'm using this logic:

If $_SERVER['HTTP_HOST'] is not equal to the host name of $_SERVER['HTTP_REFERER']
And $_SERVER['REDIRECT_STATUS'] is defined
Then the script is being called from inside an iframe on a different host.

I know this is by no means accurate, but it passed all tests so far.
Does somebody know a better solution, an extra condition I could check to be sure of this? Thanks.

SOLVED: Finally, I decided to go with JS. Now the two alternative contents are each inside a <div> and a JS script decides which one to show and which one to hide.

+1  A: 

Does somebody know a better solution

To my knowledge not without JS, no. A referer different from HTTP_HOST could however also mean that the page was reached through a link, and of course both fields can be easily spoofed.

Pekka  2010-04-20 19:17:38
About the spoofing, you're totally right, and Javascript is also easily bypassed.And although it's not official, but I noticed that the script inside an iframe has `REDIRECT_STATUS` defined, while when it's not inside an iframe, no matter if it has a referer, there's no `REDIRECT_STATUS` defined. But again, this is pure trial and error, no hard science here.
Petruza  2010-04-20 19:24:37
Nope, doesn't always work.
Petruza  2010-04-20 19:53:20
@Petruza what exactly do you need this for? Maybe there are other ways to achieve what you want to achieve.
Pekka  2010-04-20 20:59:57
The site should display a different header image and html code when it's viewed normally, than when it's viewed inside an iframe on our partner's site. And using javascript would mean having to reload the site, because the site is built based on templates and other processing made at server-side
Petruza  2010-04-21 14:28:12
@Petruza I see. I think this is going to be difficult to achieve. What about "soft" options like asking partners to use a special URL like `www.domain.com/iframe/.....` ?
Pekka  2010-04-21 15:05:19
Yeah, we thought about that but the problem is that solution qould require to modify a lot of scripts to change the link hrefs to that URL too.
Petruza  2010-04-22 12:13:40

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases