Adding HTTP_REFERER to form submission

[HazMatt]

So I've generated a basic web form using the FMS 9 PHP Site Assistant, and I'm pleased with the results thus far. However, I'd like to have the HTTP_REFERER header (along with HTTP_USER_AGENT and the like) be submitted along with all of the user-entered field data from the form (job_app.php). Due to the nature of the HTTP_REFERER, it should be handled on the actual processing PHP file (job_app_confirm.php). Here's the code that appears to process all of the form data from the previous page:

    // create the new add command

    $newrecordrequest = $fm->newAddCommand($layoutName);

    ExitOnError($newrecordrequest);



    // get the submitted record data

    $recorddata = $cgi->get('recorddata');

    if (isset ($recorddata)) {



        //  submit the data to the db

        $result = submitRecordData($recorddata, $newrecordrequest, $cgi, $layout->listFields());



        //  clear the stored record data

        $cgi->clear('recorddata');

        ExitOnError($result);

        if ($result->getFetchCount() > 0) {

            $records = $result->getRecords();

            $record = $records[0];

        }

    }

    ExitOnError($record);

It looks like it creates a new record in FileMaker and then kind of batch dumps all the field values into the record, but I have no idea how, judging from the above code. Can some kind soul point me in the right direction? Or even provide the proper code?

[jonathanstark]

Hi there -

Would I be correct to assume that you want to track the referrer in order to learn where your traffic is coming from? If yes, then you need to grab that data as soon as the user enters your domain and store it in a session variable.

IOW - if you just grab the referrer on job_app_confirm.php, you're going to get the form page from which is it normally submitted, which I doubt is what you want.

Honestly, the easiest way to skin this cat is to add Google Analytics to all the pages in question. If that is not an option for some reason, you'll want to add something like the following code to the top of all of your pages:

if (empty(session_id())) {

    session_start();

}

if (empty($_SESSION['originalReferrer'])) {

    $_SESSION['originalReferrer'] = $_SERVER['HTTP_REFERER'];

}

Once you have the referrer information stored, the easiest thing to do would be to add two hidden inputs to the form that the user submits like so:

Bear in mind that the user agent can be - and often is - spoofed, and that there may not always be a referer (if someone clicks a link from an email message, or types your url directly) in which case you'll get the url of the form or some other page on your own site.

HTH,

j

[HazMatt]

Hi there, Mr. Stark. I've read your name on the internet several times in the last couple weeks.

Regarding the spoofing of the HTTP_REFERER, yes, that made me less excited about collecting it. I was planning on using it to validate form submissions (i.e. reject any submission attempt that does NOT come from job_app.php), but clever hackers will no doubt bypass that if they are dedicated enough.

I did actually figure out how to attach extra information to my new FileMaker record:

$new_add_command = $fm->newEditCommand($layoutName, $recordId);

if ($upload_file == "yes") {

	$new_add_command->setField('resume_file_is_uploaded', '1');

	$new_add_command->setField('resume_file_upload_path', $upload_file_path_for_fm . $file_name_new);

}

if (isset($_SERVER['HTTP_HOST'])) {

	$new_add_command->setField('http_host', $_SERVER['HTTP_HOST']);

}

if (isset($_SERVER['HTTP_REFERER'])) {

	$new_add_command->setField('http_referer', $_SERVER['HTTP_REFERER']);

}

if (isset($_SERVER['HTTP_USER_AGENT'])) {

	$new_add_command->setField('http_user_agent', $_SERVER['HTTP_USER_AGENT']);

}

if (isset($_SERVER['REMOTE_ADDR'])) {

	$new_add_command->setField('remote_addr', $_SERVER['REMOTE_ADDR']);

}

if (isset($_SERVER['REMOTE_HOST'])) {

	$new_add_command->setField('remote_host', $_SERVER['REMOTE_HOST']);

}

$result = $new_add_command->execute();

//ExitOnError($result, 'Add extra data');

More and more I'm realizing that to do what I want I really need to be an amazing PHP coder. :P

[jonathanstark]

Yes, implementing a reasonable level of security on the web can be tough. You should read these posts from Chris Shiflett:

http://shiflett.org/blog/2005/feb/referer-buys-you-nothing

http://shiflett.org/articles/form-spoofing

While you are at it, you ought to buy his book too:

http://phpsecurity.org/