Jump to content
Claris Engage 2025 - March 25-26 Austin Texas ×

This topic is 5659 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Posted

So I've generated a basic web form using the FMS 9 PHP Site Assistant, and I'm pleased with the results thus far. However, I'd like to have the HTTP_REFERER header (along with HTTP_USER_AGENT and the like) be submitted along with all of the user-entered field data from the form (job_app.php). Due to the nature of the HTTP_REFERER, it should be handled on the actual processing PHP file (job_app_confirm.php). Here's the code that appears to process all of the form data from the previous page:


    // create the new add command

    $newrecordrequest = $fm->newAddCommand($layoutName);

    ExitOnError($newrecordrequest);



    // get the submitted record data

    $recorddata = $cgi->get('recorddata');

    if (isset ($recorddata)) {



        //  submit the data to the db

        $result = submitRecordData($recorddata, $newrecordrequest, $cgi, $layout->listFields());



        //  clear the stored record data

        $cgi->clear('recorddata');

        ExitOnError($result);

        if ($result->getFetchCount() > 0) {

            $records = $result->getRecords();

            $record = $records[0];

        }

    }

    ExitOnError($record);

It looks like it creates a new record in FileMaker and then kind of batch dumps all the field values into the record, but I have no idea how, judging from the above code. Can some kind soul point me in the right direction? Or even provide the proper code?

  • 2 weeks later...
Posted

Hi there -

Would I be correct to assume that you want to track the referrer in order to learn where your traffic is coming from? If yes, then you need to grab that data as soon as the user enters your domain and store it in a session variable.

IOW - if you just grab the referrer on job_app_confirm.php, you're going to get the form page from which is it normally submitted, which I doubt is what you want.

Honestly, the easiest way to skin this cat is to add Google Analytics to all the pages in question. If that is not an option for some reason, you'll want to add something like the following code to the top of all of your pages:


if (empty(session_id())) {

    session_start();

}

if (empty($_SESSION['originalReferrer'])) {

    $_SESSION['originalReferrer'] = $_SERVER['HTTP_REFERER'];

}





Once you have the referrer information stored, the easiest thing to do would be to add two hidden inputs to the form that the user submits like so:









Bear in mind that the user agent can be - and often is - spoofed, and that there may not always be a referer (if someone clicks a link from an email message, or types your url directly) in which case you'll get the url of the form or some other page on your own site.

HTH,

j

Posted

Hi there, Mr. Stark. I've read your name on the internet several times in the last couple weeks. :P

Regarding the spoofing of the HTTP_REFERER, yes, that made me less excited about collecting it. I was planning on using it to validate form submissions (i.e. reject any submission attempt that does NOT come from job_app.php), but clever hackers will no doubt bypass that if they are dedicated enough.

I did actually figure out how to attach extra information to my new FileMaker record:

$new_add_command = $fm->newEditCommand($layoutName, $recordId);

if ($upload_file == "yes") {

	$new_add_command->setField('resume_file_is_uploaded', '1');

	$new_add_command->setField('resume_file_upload_path', $upload_file_path_for_fm . $file_name_new);

}

if (isset($_SERVER['HTTP_HOST'])) {

	$new_add_command->setField('http_host', $_SERVER['HTTP_HOST']);

}

if (isset($_SERVER['HTTP_REFERER'])) {

	$new_add_command->setField('http_referer', $_SERVER['HTTP_REFERER']);

}

if (isset($_SERVER['HTTP_USER_AGENT'])) {

	$new_add_command->setField('http_user_agent', $_SERVER['HTTP_USER_AGENT']);

}

if (isset($_SERVER['REMOTE_ADDR'])) {

	$new_add_command->setField('remote_addr', $_SERVER['REMOTE_ADDR']);

}

if (isset($_SERVER['REMOTE_HOST'])) {

	$new_add_command->setField('remote_host', $_SERVER['REMOTE_HOST']);

}

$result = $new_add_command->execute();

//ExitOnError($result, 'Add extra data');

More and more I'm realizing that to do what I want I really need to be an amazing PHP coder. :P

Posted

Yes, implementing a reasonable level of security on the web can be tough. You should read these posts from Chris Shiflett:

http://shiflett.org/blog/2005/feb/referer-buys-you-nothing

http://shiflett.org/articles/form-spoofing

While you are at it, you ought to buy his book too:

http://phpsecurity.org/

This topic is 5659 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.