Can anyone explain how I can use

$_SERVER['REQUEST_URI']

How can I make it required like: In order to access this page, you have to come from THIS page (both are internal)?

I thought $_SERVER can do this for me, and found the example above on php.net. How can I make use of it?

Thanks

A: 

Sounds like what you want is $_SERVER['HTTP_REFERER'] - this will contain the URL of the page the user clicked to generate the current request.

Note that it's not a particularly trustworthy mechanism, since it's easy to spoof. However, if it's purely for internal use, it may be suitable for you.

See also

Paul Dixon
A: 

It is quite easy to modify $_SERVER functions, including $_SERVER['HTTP_REFERER']. Thus, it is not a safe method to verify someone visited another page before. I suggest you use session variables instead (i.e. create a new session variable when someone visits X.php, and check in the Y.php page if the variable exists. You can change the variable in page Z.php if the user must have visited page X.php before Y.php).

If you really want to use $_SERVER variables, as I said earlier, use $_SERVER['HTTP_REFERER'] which contains the last URL the user visited before he went on your page.

Vincent Savard
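The session-variable flow from this answer, written out as a small helper file. This is an added example, not code from the answer or from php.net; `flow.php` and the function names `flow_mark`, `flow_require` and `flow_clear` are assumptions, and X.php, Y.php and Z.php are the pages named in the answer.

```php
<?php
// flow.php (hypothetical helper): include it from X.php, Y.php and Z.php.
declare(strict_types=1);

// Start the session once, no matter how many helpers are called per request.
function flow_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Record, server-side, that $page was visited in this session.
// Nothing the client sends (Referer included) is consulted, so it cannot be spoofed.
function flow_mark(string $page): void
{
    flow_start();
    $_SESSION['flow'][$page] = time();
}

// Require that $requiredPage was visited recently; otherwise redirect to $redirectTo.
// $redirectTo must be a fixed string chosen by the application, never a request parameter.
function flow_require(string $requiredPage, string $redirectTo, int $maxAge = 600): void
{
    flow_start();
    $seen = $_SESSION['flow'][$requiredPage] ?? null;
    if (!is_int($seen) || (time() - $seen) > $maxAge) {
        header('Location: ' . $redirectTo, true, 303);
        exit;
    }
}

// Forget the visit, so the user has to go through $page again.
function flow_clear(string $page): void
{
    flow_start();
    unset($_SESSION['flow'][$page]);
}

// Usage:
//   X.php:  require 'flow.php'; flow_mark('X');
//   Y.php:  require 'flow.php'; flow_require('X', '/X.php');   // bounce to X if X was not visited
//   Z.php:  require 'flow.php'; flow_clear('X');                // force X to be visited again before Y
```

The `$maxAge` window is optional; it keeps a stale flag from a long-lived session from unlocking Y.php hours later. Because the flag lives only in `$_SESSION`, the check works even when the browser or a proxy strips the Referer header.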
+1  A: 

You have the wrong variable. I think you want $_SERVER['HTTP_REFERER'] which gives you the page the user came from.

Note that some firewalls strip out the referer header from all HTTP requests, so HTTP_REFERER may sometimes be empty. Also note that HTTP_REFERER can be set by the web browser (in the client) so you should not rely on it for security. Some users can set their referer headers themselves.

Emil Vikström
It's not for security at all. Can you give me an example of how to make it "required" that the user visited x.php before being able to access y.php? Even if they can fool it, it doesn't matter.
Dugi
+2  A: 

REQUEST_URI is the URI path and query as it was requested. Besides that $_SERVER['HTTP_REFERER'] contains the value of the HTTP request header field Referer if available. So to check whether both contain the same URI path, you can do this:

if (isset($_SERVER['HTTP_REFERER']) && parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) === parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH)) {
    // Referer existing and its path is equal to the current requested URI path
}

But the reason why isset is used in this case is that the Referer is not always sent. In general, the client will only send that header field when the request is caused by following a link or submitting a form. So it is likely that this header field is not set. Besides that, its value can also be forged and thus is not trustworthy, like any other information that is coming from the client.

This is also the reason why you shouldn’t use this information to verify the authenticity of a request. Use your own authentication tokens instead.

Gumbo
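To show the two halves of this answer side by side, here is an added example (not the answer's own code) that wraps the Referer path comparison in a function and, as the "own authentication tokens" alternative, issues a one-time token on the first page that the second page verifies. The function names and the `flow_token` session key are assumptions; `/x.php` and `/y.php` stand in for the two pages.

```php
<?php
declare(strict_types=1);

// Soft check only: true when a Referer is present and its path equals $expectedPath.
// It returns false when the header is missing, and a client can set it to anything,
// so the result may be used for convenience but never as an access decision.
function referer_path_matches(array $server, string $expectedPath): bool
{
    if (!isset($server['HTTP_REFERER'])) {
        return false;
    }
    $path = parse_url($server['HTTP_REFERER'], PHP_URL_PATH);
    return is_string($path) && $path === $expectedPath;
}

// Called on the first page: create an unguessable token, remember it server-side,
// and return it so the page can embed it in the link or form leading to the next page.
function issue_flow_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['flow_token'] = $token;
    return $token;
}

// Called on the second page: compare the presented token with the stored one in
// constant time and discard it so it cannot be replayed.
function verify_flow_token(?string $presented): bool
{
    $expected = $_SESSION['flow_token'] ?? null;
    unset($_SESSION['flow_token']);
    if (!is_string($expected) || $presented === null) {
        return false;
    }
    return hash_equals($expected, $presented);
}

// Usage on x.php:
//   session_start();
//   $t = issue_flow_token();
//   echo '<a href="/y.php?t=' . rawurlencode($t) . '">Continue</a>';
//
// Usage on y.php:
//   session_start();
//   if (!verify_flow_token($_GET['t'] ?? null)) { http_response_code(403); exit; }
//   $cameFromX = referer_path_matches($_SERVER, '/x.php');  // informational only
```

The token check succeeds only for a request that carries a value the server itself handed out moments earlier in the same session, which is the property the Referer header cannot give you: a forged or stripped Referer changes `$cameFromX`, but not whether y.php is served.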