tags:

views:

39

answers:

4

I have a file called image.php and one called index.html.

This code is in index.html

<img src="image.php"> 

Now, is it possible for the image.php file to know that it was called by the index.html file?

If so, how?

A: 

Only if you're willing to trust some extremely unreliable data found in $_SERVER.

Kalium
-1 There are other solutions, also everyone else posting about $_SERVER at least had the courtesy to explain how to actually do it.
Jamie Wong
I didn't explain it because I refuse to encourage a bad practice. You call it courtesy, I call it a bad idea.
Kalium
But you don't know how he's using it. This could be a non-security-related usage (e.g. loading different language logos, or some sort of aesthetic enhancement) where there'd be no reason for someone to try to spoof their referrer header, and it would work as intended in 99% of cases.
Lèse majesté
It's easier to teach good practice and then the exceptions to it than it is to teach the exceptions up front and then try to graft good practice on afterwards. The nature of the question makes it clear that a relative newbie is involved. I will not do anything that will encourage bad code. I've seen enough of it in my lifetime already.
Kalium
A: 

If the user is using a browser that sends a referrer header, you can access it with

$_SERVER['HTTP_REFERER']

but it relies on the client being trustworthy, which you can't count on.

If you want a browser independent method, you can add a GET parameter to your link

<img src="image.php?ref=index.html">

and access with $_REQUEST['ref'], but again, it can be spoofed.

amccausl
I think it still has incorrect spelling, try `referer`
alex
yeah. I always forget that one. Full reference http://php.net/manual/en/reserved.variables.server.php
amccausl
+3  A: 

The browser will usually send a "Referer" (sic) header for image requests, which contains the URL of the page containing the image link.

This is accessible using the $_SERVER['HTTP_REFERER'] variable (note unusual spelling).

Note that this variable is not always accurate; a user may elect to protect their privacy by not sending a referer header (using some sort of dinky privacy tool) and they may even modify their browser to send whatever they want in this field. So it shouldn't be relied upon for authentication, unless you also take into account that even a legitimate user may have left it blank or put an arbitrary string in it.

thomasrutter
What I wanted to say, but better! +1
alex
+1  A: 

A more reliable (albeit more convoluted) way of doing this is to generate a random hash to attach to this specific load of the file - but this is only going to work if the originating page is also php enabled (not just static html).

If you wanted to do it that way, you could do something like this:

<?php
// index.php or wherever you want to detect the source from
session_start();
$uniqid = uniqid();
$_SESSION["image_caller_$uniqid"] = $_SERVER['SCRIPT_FILENAME'];
echo "<img src='image.php?uniqid=$uniqid' />";
?>

And then in your image file

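<?php
// image.php
session_start();
// The uniqid may be absent or unknown (direct request, expired session)
$uniqid = isset($_GET['uniqid']) && is_string($_GET['uniqid']) ? $_GET['uniqid'] : '';
$source = isset($_SESSION["image_caller_$uniqid"]) ? $_SESSION["image_caller_$uniqid"] : null; // null = caller unknown
unset($_SESSION["image_caller_$uniqid"]); // Don't needlessly waste memory
// Render the image or whatever you want here
?>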

This has a similar effect to other suggestions of doing something like <img src='image.php?ref=index.html'>, however this is much more difficult to spoof.

Jamie Wong
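
A stateless variation on the `?ref=` parameter discussed in the answers, added here as an example and not taken from any of the posts: the embedding page signs the reference with an HMAC, and image.php accepts it only if the signature, age and session match. `SECRET`, `MAX_AGE`, `sign_ref()` and `verify_ref()` are hypothetical names, and the session id is assumed to come from `session_id()` in real use.

```php
<?php
// Added example. SECRET, MAX_AGE, sign_ref() and verify_ref() are hypothetical names.
// Assumption: the secret lives in server-side config and is never sent to the client.
const SECRET  = 'constructed-placeholder-use-32-random-bytes';
const MAX_AGE = 300; // seconds a signed reference stays valid

// HMAC over an unambiguous encoding of (page, timestamp, session id).
function ref_mac(string $page, int $ts, string $sessionId): string
{
    return hash_hmac('sha256', json_encode([$page, $ts, $sessionId]), SECRET);
}

// Used by the embedding page: returns the query string for <img src="image.php?...">.
function sign_ref(string $page, string $sessionId, ?int $now = null): string
{
    $ts = $now ?? time();
    return http_build_query(['ref' => $page, 'ts' => $ts, 'mac' => ref_mac($page, $ts, $sessionId)]);
}

// Used by image.php: returns the verified page name, or null when the parameters
// are missing, altered, expired, or were issued to a different session.
function verify_ref(array $query, string $sessionId, ?int $now = null): ?string
{
    foreach (['ref', 'ts', 'mac'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null;
        }
    }
    if (!ctype_digit($query['ts'])) {
        return null;
    }
    $ts  = (int) $query['ts'];
    $age = ($now ?? time()) - $ts;
    if ($age < 0 || $age > MAX_AGE) {
        return null;
    }
    // hash_equals() compares in constant time, so the MAC cannot be guessed byte by byte.
    $expected = ref_mac($query['ref'], $ts, $sessionId);
    return hash_equals($expected, $query['mac']) ? $query['ref'] : null;
}

// Constructed demo with fixed timestamps, runnable from the CLI.
$sid = 'constructed-session-id';
parse_str(sign_ref('index.php', $sid, 1000), $q);
var_dump(verify_ref($q, $sid, 1010));                          // genuine request
var_dump(verify_ref(['ref' => 'admin.php'] + $q, $sid, 1010)); // ref altered by client
var_dump(verify_ref($q, 'other-session', 1010));               // URL copied to another session
var_dump(verify_ref($q, $sid, 1000 + MAX_AGE + 1));            // expired
```

A valid signature shows that the server issued this URL for that page and session; it does not show that the browser is displaying the page, since the same user can request the URL directly until it expires.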