HazMatt

Adding HTTP_REFERER to form submission


So I've generated a basic web form using the FMS 9 PHP Site Assistant, and I'm pleased with the results thus far. However, I'd like to have the HTTP_REFERER header (along with HTTP_USER_AGENT and the like) be submitted along with all of the user-entered field data from the form (job_app.php). Due to the nature of the HTTP_REFERER, it should be handled on the actual processing PHP file (job_app_confirm.php). Here's the code that appears to process all of the form data from the previous page:


    // create the new add command
    $newrecordrequest = $fm->newAddCommand($layoutName);
    ExitOnError($newrecordrequest);

    // get the submitted record data
    $recorddata = $cgi->get('recorddata');
    if (isset($recorddata)) {

        // submit the data to the db
        $result = submitRecordData($recorddata, $newrecordrequest, $cgi, $layout->listFields());

        // clear the stored record data
        $cgi->clear('recorddata');
        ExitOnError($result);
        if ($result->getFetchCount() > 0) {
            $records = $result->getRecords();
            $record = $records[0];
        }
    }
    ExitOnError($record);

It looks like it creates a new record in FileMaker and then kind of batch dumps all the field values into the record, but I have no idea how, judging from the above code. Can some kind soul point me in the right direction? Or even provide the proper code?


Hi there -

Would I be correct to assume that you want to track the referrer in order to learn where your traffic is coming from? If yes, then you need to grab that data as soon as the user enters your domain and store it in a session variable.

IOW - if you just grab the referrer on job_app_confirm.php, you're going to get the form page from which it is normally submitted, which I doubt is what you want.

Honestly, the easiest way to skin this cat is to add Google Analytics to all the pages in question. If that is not an option for some reason, you'll want to add something like the following code to the top of all of your pages:


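    // Start a session if one is not already active
    // (session_id() returns '' when there is no session).
    if (session_id() === '') {
        session_start();
    }
    // Record the referrer only once, on the first page that receives one.
    if (empty($_SESSION['originalReferrer']) && isset($_SERVER['HTTP_REFERER'])) {
        $_SESSION['originalReferrer'] = $_SERVER['HTTP_REFERER'];
    }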





Once you have the referrer information stored, the easiest thing to do would be to add two hidden inputs to the form that the user submits like so:









Bear in mind that the user agent can be - and often is - spoofed, and that there may not always be a referer (if someone clicks a link from an email message, or types your url directly) in which case you'll get the url of the form or some other page on your own site.

HTH,

j


Hi there, Mr. Stark. I've read your name on the internet several times in the last couple weeks. :P

Regarding the spoofing of the HTTP_REFERER, yes, that made me less excited about collecting it. I was planning on using it to validate form submissions (i.e. reject any submission attempt that does NOT come from job_app.php), but clever hackers will no doubt bypass that if they are dedicated enough.

I did actually figure out how to attach extra information to my new FileMaker record:

    $new_add_command = $fm->newEditCommand($layoutName, $recordId);
    if ($upload_file == "yes") {
        $new_add_command->setField('resume_file_is_uploaded', '1');
        $new_add_command->setField('resume_file_upload_path', $upload_file_path_for_fm . $file_name_new);
    }
    if (isset($_SERVER['HTTP_HOST'])) {
        $new_add_command->setField('http_host', $_SERVER['HTTP_HOST']);
    }
    if (isset($_SERVER['HTTP_REFERER'])) {
        $new_add_command->setField('http_referer', $_SERVER['HTTP_REFERER']);
    }
    if (isset($_SERVER['HTTP_USER_AGENT'])) {
        $new_add_command->setField('http_user_agent', $_SERVER['HTTP_USER_AGENT']);
    }
    if (isset($_SERVER['REMOTE_ADDR'])) {
        $new_add_command->setField('remote_addr', $_SERVER['REMOTE_ADDR']);
    }
    if (isset($_SERVER['REMOTE_HOST'])) {
        $new_add_command->setField('remote_host', $_SERVER['REMOTE_HOST']);
    }
    $result = $new_add_command->execute();
    //ExitOnError($result, 'Add extra data');

More and more I'm realizing that to do what I want I really need to be an amazing PHP coder. :P


Yes, implementing a reasonable level of security on the web can be tough. You should read these posts from Chris Shiflett:

http://shiflett.org/blog/2005/feb/referer-buys-you-nothing

http://shiflett.org/articles/form-spoofing

While you are at it, you ought to buy his book too:

http://phpsecurity.org/
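
For the goal raised earlier in this thread (rejecting submissions that did not come from job_app.php), a per-session single-use token does what a Referer check cannot, because the expected value is kept on the server rather than read from a request header. This is an added example, not code from the thread participants or the PHP Site Assistant; it assumes PHP 7+, and the function names and the form_token field are hypothetical.

```php
<?php
// Added example: single-use form token in place of a Referer check.
// Assumes PHP 7+ (random_bytes, hash_equals). issue_form_token(),
// check_form_token() and the "form_token" field name are hypothetical.

function issue_form_token(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $session['form_tokens'][$formId] = ['value' => $token, 'issued' => time()];
    return $token;
}

function check_form_token(array &$session, string $formId, $submitted, int $maxAge = 3600): bool
{
    $stored = $session['form_tokens'][$formId] ?? null;
    unset($session['form_tokens'][$formId]);       // single use, pass or fail
    if ($stored === null || !is_string($submitted)) {
        return false;                              // form never loaded, or bad input
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;                              // token too old
    }
    return hash_equals($stored['value'], $submitted); // constant-time compare
}

// Wiring (after session_start() on both pages):
//   job_app.php:         $t = issue_form_token($_SESSION, 'job_app');
//                        echo '<input type="hidden" name="form_token" value="'
//                             . htmlspecialchars($t, ENT_QUOTES) . '">';
//   job_app_confirm.php: if (!check_form_token($_SESSION, 'job_app',
//                                $_POST['form_token'] ?? null)) { exit; }

// Constructed demo, runnable from the CLI; $session stands in for $_SESSION.
$session = [];
$token = issue_form_token($session, 'job_app');
var_dump(check_form_token($session, 'job_app', $token));              // token from the form
var_dump(check_form_token($session, 'job_app', $token));              // same token replayed
issue_form_token($session, 'job_app');
var_dump(check_form_token($session, 'job_app', str_repeat('0', 64))); // guessed value
```

The token ties a submission to a session that actually loaded the form; the HTTP headers being logged to the record remain client-supplied and should be stored as untrusted data.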
