Dealing with $_SERVER['HTTP_REFERER']

[shavenlunatic]

Hey, I decided to dump all referral URLs into a database just so I can view exactly what's happening easilly, the posting of the data is working fine and there's plenty of data in there. I didn't want the empty HTTP_REFERER visits to be posted in there, nor did i want to post the ones which were generated internally, so I tried to cut them out and wrap the mysql statement in an if statement to check for these, but none seem to work. I also tried checking for the length of the $referral string for being greater than 1, yet it still posts blank entries.

I've posted the code below to give an idea of what I've been doing, but I've had a play about with a few different methods and none have worked. I expect that dumping the HTTP_REFERER into a variable doesn't treat it like a normal text string, but I'm not sure what I need to do to convert it. I managed to find a guide on a site which was doing almost exactly what I wanted to do, yet this still posted the blank URL entries.

$ip=$_SERVER['REMOTE_ADDR'];
if( isset($_SERVER['HTTP_REFERER']) AND trim($_SERVER['HTTP_REFERER']) != '' )
{
 $referral = $_SERVER['HTTP_REFERER'];
 if(stristr($referral, '[URL unfurl="true"]http://www.iwontwhoremysitehere.net')[/URL]  === FALSE){
mysql_query ("INSERT INTO `db`.`table` (RefIP, RefURL) VALUES ('".$ip."', '".$referral."')");
 }
}

You help will be appreciated

________
clueless

 

[feherke]

Hi

That way you are exposing your database to SQL injection.

if (stristr($referral, 'http://[red]example[/red].net')  === FALSE) {
  mysql_query("INSERT INTO `db`.`table` (RefIP, RefURL) VALUES ('".[red]mysql_real_escape_string([/red]$ip[red])[/red]."', '".[red]mysql_real_escape_string([/red]$referral[red])[/red]."')");
}

Feherke.

http://rootshell.be/~feherke/

 

[shavenlunatic]

erp...thanks for taking the time to point that out

so let's assume each variable is wrapped in mysql_real_escape_string.. how can i get these checks to work to filter out the unwanted data?

________
clueless

 

[jpadie]

there is no requirement for a browser to set the HTTP_REFERER argument. and some browsers that habitually populate the argument, allow you to suppress it.

so it is quite possible that it is being received as a null value by php. you can always track active users through using a session variable. you won't (obviously) be able to tracking incoming links like that.

 

[shavenlunatic]

I don't mind if it's null, it isn't supposed to be a great resource and I wasn't expecting it to be accurate, was just looking for a general log of referer, I just don't want to post it to the DB if the URL is null. For some reason, no matter what checks I put in there, it posts it to the DB anyway

I have checked on is null, isset, strlen etc. Yet it carries on posting the blanks

________
clueless

 

[jpadie]

if (!empty($_SERVER['HTTP_REFERER'])){
 if (false === (strpos($_SERVER['HTTP_REFERER'], '[URL unfurl="true"]www.iwontwhoremysitehere.net'))){[/URL]
   $r = mysql_real_escape_string($_SERVER['HTTP_REFERER']);
   $ip = $_SERVER['REMOTE_ADDR'];
   $sql = "insert into tablename (id, referer, ipaddr) values (null, '$r', '$ipaddr')";
   myqsl_query ($sql) or die (mysql_error());
  }
}