Hi, in my test.php file, I sent a request to a Flickr app I have using

header("Location: " . $request);

where $request is the URL that I am trying to reach on Flickr.

For my Flickr app, I have to set a callback URL. When Flickr is done with processing my request, it will call the callback URL.

I would like the callback URL to be my original page, test.php. When I try this, I get stuck in an infinite loop, because test.php is re-sending the request back to Flickr, and Flickr calls my test.php again (repeat ad infinitum until the browser quits).

Is there a way to put some kind of conditional in test.php to check if the request came from Flickr, or at least some way to let the script know that the request has been sent, so don't send it again?

I've already tried it where I changed the callback URL to another page of mine, and that works fine. I'm just seeing if I could re-use the same page.

Thank you for reading.

A: 

Try checking the referer with $_SERVER['HTTP_REFERER']

[Edited]

I just wanted to say that you should try adding an if condition

    // just an example, use some regular expression to check the referer
    if (($_SERVER['HTTP_REFERER'] ?? '') != 'http://flickr.com') {
        header("Location: " . $request);
    } else {
        // other code
    }

Thanks

Chetan sharma
Referer doesn't change with redirect.
Joe Hopfgartner
A: 

It's ugly.

The two posted solutions won't work because:

  • The referer isn't changed on redirect (well, it is cleared if it's an HTTP meta redirect, but not if it's a header redirect, but it doesn't become something else so easily).

  • Putting exit after a sent header is generally a good idea if there is something else normally executed afterwards, but it's not related to the problem.

Simply put, if it should be the SAME page, you need to store in a file or database or something the redirect counts per IP address/user and break or something, but NONE of this is really reliable. You can make it more secure by having a secured token that cannot be reverse engineered etc., but all this doesn't make sense. You could also use cookies, which is just as unreliable.

Regarding your problem, Flickr does NOT redirect back to the same page. According to their specifications they append ?frob=[frob]. http://www.flickr.com/services/api/auth.spec.html

Check for that:

    <?php
    if (!isset($_GET["frob"])) {
        header("Location: " . $request);
        exit();
    }
    ?>
Joe Hopfgartner
Shouldn't it be if(!isset($_GET["frob"])) as you don't want to re-direct if coming from Flickr....
eclipse31
Yes, of course! I just wanted to see whether somebody notices :)
Joe Hopfgartner
A: 

As an alternative to checking for the (non-)existence of $_GET["frob"], couldn't you set the callback URL in Flickr to be www.mysite.com/test.php?from_flickr=1 and then do

    // empty() avoids an undefined-index notice when the parameter is absent
    if (empty($_GET['from_flickr'])) {
        header('Location: ' . $request);
        exit;
    }
eclipse31
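
The frob check from the answers above, extended with a type check and a session guard so the page cannot loop, as an added example that is not code from any poster. The names `next_step` and `MAX_REDIRECTS`, the 128-character limit and the placeholder URL are assumptions.

```php
<?php
// Added example, not code from the thread. $request and the frob length
// limit are assumptions; the ?frob= parameter is what the answer above cites.
const MAX_REDIRECTS = 3; // assumed cap per session

// Decide what test.php should do: returns 'callback', 'redirect' or 'stop'.
function next_step(array $query, array &$session): string
{
    $frob = $query['frob'] ?? null;
    // ?frob[]=x makes PHP deliver an array, which isset() alone accepts.
    $hasFrob = is_string($frob) && $frob !== '' && strlen($frob) <= 128;

    if ($hasFrob) {
        // Only accept a callback for a redirect this session started.
        if (empty($session['auth_pending'])) {
            return 'stop';
        }
        unset($session['auth_pending']);
        $session['redirects'] = 0;
        return 'callback';
    }

    // No usable frob: send the browser out, but at most MAX_REDIRECTS times.
    $session['redirects'] = ($session['redirects'] ?? 0) + 1;
    if ($session['redirects'] > MAX_REDIRECTS) {
        return 'stop';
    }
    $session['auth_pending'] = true;
    return 'redirect';
}

// Page wiring (skipped when the file is included from the CLI for testing).
if (PHP_SAPI !== 'cli') {
    session_start();
    $request = 'https://example.invalid/flickr-auth-url'; // placeholder for the page's $request
    switch (next_step($_GET, $_SESSION)) {
        case 'redirect':
            header('Location: ' . $request);
            exit;
        case 'callback':
            // Use the frob as the Flickr auth spec describes; escape it if echoed.
            echo 'Returned from Flickr.';
            break;
        default:
            http_response_code(400);
            echo 'Unexpected request; not redirecting again.';
    }
}
```

The session guard depends on the browser returning the session cookie, so a client with cookies disabled ends at the 'stop' branch instead of looping.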