Dotan Cohen wrote:
And, the thing is, within this javascript_dump.php, HTTP_REFERER shows
nothing, because it gives you the referer of the html page (page1)
that contains this <script> tag (which might be something irrelevant,
i.e. google), and remote_addr gives you the IP address of the user.

I know that I can add a simple query parameter to specify the source
web page such as: javascript_dump.php?siteid=xyz, but this can be
faked very easily, and anyone can introduce themselves as any
affiliate.

Is there a way of getting (within the php) the site this php was
called from in a reasonably secure way? Any ideas/suggestions?

Thanks..

Duzayak,
Did you get this working the way you intended? If so, please share
with us what you did. Thanks.

There's no reasonably secure way of doing this. I see three possible solutions.

1. Put a query parameter in, like you said you didn't want to. This is about as easy to fake as HTTP_REFERER, which could hardly be called secure anyway. HTTP_REFERER is set less and less often anyway, as people block it with "security" software.

2. Define a global variable in JavaScript before including the remote script, a la AdSense.

3. If the times on the servers can be expected to be synchronised, or you have some other unique but changing value that both servers know about, get an MD5/SHA1 hash of that value with the affiliate ID appended on the end, and compare it at the other end.

Jasper

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
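
A sketch of option 3 above, as an added example that is not part of the original thread: it substitutes HMAC-SHA256 keyed with a per-affiliate secret for the bare MD5/SHA1 hash, because a time value alone is guessable by anyone who knows the scheme. The function names, the secrets table and the 300-second window are assumptions.

```php
<?php
// Added illustration; names, secrets and window size are assumptions.
const WINDOW = 300; // seconds per time bucket

// Constructed sample secrets, one per affiliate, exchanged out of band.
$SECRETS = [
    'xyz' => 'constructed-secret-for-xyz',
    'abc' => 'constructed-secret-for-abc',
];

// Affiliate side: compute the token that goes into the <script> URL,
// e.g. javascript_dump.php?siteid=xyz&token=...
function make_token(string $siteId, string $secret, int $now): string
{
    $bucket = intdiv($now, WINDOW);
    return hash_hmac('sha256', $bucket . '|' . $siteId, $secret);
}

// Tracking side (javascript_dump.php): accept the current bucket and its
// neighbours so small clock drift does not reject valid requests.
function verify_token(array $secrets, string $siteId, string $token, int $now): bool
{
    if (!isset($secrets[$siteId])) {
        return false; // unknown affiliate ID
    }
    $bucket = intdiv($now, WINDOW);
    foreach ([$bucket, $bucket - 1, $bucket + 1] as $b) {
        $expected = hash_hmac('sha256', $b . '|' . $siteId, $secrets[$siteId]);
        if (hash_equals($expected, $token)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

$now   = 1700000000; // constructed timestamp
$token = make_token('xyz', $SECRETS['xyz'], $now);

var_dump(verify_token($SECRETS, 'xyz', $token, $now + 120));  // same affiliate, adjacent bucket
var_dump(verify_token($SECRETS, 'abc', $token, $now));        // token presented under another ID
var_dump(verify_token($SECRETS, 'xyz', $token, $now + 3600)); // token from an old bucket
```

The token has to be generated server-side by the affiliate and still appears in the page source, so it can be copied and replayed until its window expires. What the check prevents is claiming an affiliate ID without holding that affiliate's secret.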
