Php check request server

Getting a site's HTTP status codes with PHP and cURL

Using the code below, you can check whether a site exists or not. You can also check whether the site redirects. This can be useful for directory sites that want to find URLs that are no longer active or to update their links. With cURL we collect all the status codes returned for a site and then look for matches in a list of HTTP status codes.

<?php
$toCheckURL = "http://google.com"; // Domain to check

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $toCheckURL);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_NOBODY, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_MAXREDIRS, 10); // allow at most 10 redirects to avoid an infinite loop
$data = curl_exec($ch); // response headers of every hop in the redirect chain
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); // Get the HTTP code
$new_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL); // URL reached after redirects
curl_close($ch);

// Array of possible HTTP status codes
$codes = array(0 => 'Domain Not Found',
    203 => 'Non-Authoritative Information',
    407 => 'Proxy Authentication Required',
    413 => 'Request Entity Too Large',
    415 => 'Unsupported Media Type',
    416 => 'Requested Range Not Satisfiable',
    500 => 'Internal Server Error',
    505 => 'HTTP Version Not Supported');

// Look for a match in our list
if (isset($codes[$http_code])) {
    echo 'Сайт вернул ответ: ' . $http_code . ' — ' . $codes[$http_code] . PHP_EOL;
}

// Collect the status code of every response in the chain
preg_match_all("/HTTP\/1\.[01]\s(\d{3})/", (string) $data, $matches);

// Go further down the list to see which other status codes we received

// Check whether the URL changed or not


PHP: check requesting server IP


Authenticating referer site using HTTP_REFERER and IP address

I have a web service (which returns data) which is accessible only to a few "whitelisted" remote servers. So when a remote server sends a request to my server, I would check the $_SERVER['HTTP_REFERER'] field for the whitelisted domain name and the corresponding IP address (which was known to my web-service through a global array). Can this method of whitelisting requests be bypassed? I know it is easy to implement referer spoofing, but do keep in mind that I am checking both the referer and the corresponding IP address, both of which are known to my app with certainty.

If this is NOT a safe thing to do, does anyone have an alternate method of allowing only "whitelisted" domains to access a given web service?

As commented, I’m not sure why an HTTP Referer header would be set in the first place in your scenario, but let’s assume it is and its domain corresponds to the IP of the client. The Referer header is an arbitrary value sent by the client, it’s trivially spoofed. The client’s IP OTOH is not spoofable (excluding elaborate network level attacks which require the attacker to basically already have compromised one side or the other). What you’re asking is whether it makes sense to use an insecure, meaningless value to confirm a value which is already as secure as you can get. And the answer is No. Just stick to the IP filter, that’s already good enough.

If you want to strengthen authentication further, use a proper authentication scheme in which you share a secret with your clients (username/password, API token, OAuth or similar).

I do not believe checking the Referer HTTP header in addition to the originating IP address yields any security benefits at all. Having said this, IP-based auth itself isn’t the safest practice. If you really want to protect your API, better look into SSL and some form of HTTP authentication.

Php — How to check if a request if coming from the same, The answer is: Yes you can. But it depends if your Apache/nginx server is set to populate the $_SERVER variable with the required information. Most the server are, so probably you can use this approach. What you need to do is to extract the HTTP_REFERER from the $_SERVER variable and compare with your …

Is it possible to reliably know where an HTTP request originated without scripting?

I’ve been tasked with serving up an image file from our server that is referenced in an html document residing on a number of other servers. To wit:

file on foo.com:

When a user goes to foo.com, it displays the image from our server, bar.com. (It actually sends a different image based on what website made the request.)

But here’s the catch: they only want visitors of specific companies to be able to retrieve the file (currently identified by the server’s domain name, but that’s not a requirement).

In a perfect world, you’d just look at the HTTP_REFERER and if it’s on the approved list, serve up the file. But as everyone knows, not every user agent supplies the HTTP_REFERER, and it can be spoofed anyway.

It would be better to not have to run javascript or php, but is what we’re after even possible without scripting?

If not, is there a way to do this using only javascript in such a way that another website can’t spoof their way into downloading the file?

If there’s not, how would you approach it using PHP?

In short, no. The only reliable information you have is the IP address that requested the image, but even that may be a proxy. There’s no reliable way to figure out what context an image was requested in (i.e. which HTML page the image is embedded in).

What you want is to allow only certain people to access the image. There are two ways to do that:

  • filter by requesting IP address if that is known
  • require an authenticated session/cookie/Authorization header, i.e. password protect the image

If your webserver supports either of these checks (virtually any server can filter requests by IP), there’s no need for scripting. For password authentication you may have to use scripting, depending on how exactly it should work.

(Client-side) Javascript won’t be of any use here at all.

Do you have any influence over the approved companies’ web apps? If so, I can think of two ways you can accomplish this.

Using your foo/bar examples, where bar.com is your server, and foo.com is one of your approved companies:

1) Instead of the browser making a request to your server, have them make a request to an image handler on foo.com, which in turn makes an HTTP request to your server behind the scenes and returns the image contents back to the client. Foo’s outgoing IP address would be on a white-list on your server, so all requests are actually coming from Foo’s IP address. The client would see:

2) Much more difficult, but if Foo cannot make the request to your servers, Foo can put a special hash in the query string of the image tag so that when the browser makes a request to your server, you’ll know that the URL was built by Foo. You’ll need a private key on Foo’s server so that it can calculate the hash.

I’d guess the hash would be calculated based on a combination of the browser’s IP address, current date/time, and the private key.

So the browser would make a request to foo.com/default.php, and Foo would build the following image tag for the browser:

where that number represents the appropriate hash. In Bar’s image handler code, you’ll need to re-calculate that hash based on the private key which is only known to Foo and Bar, the IP address which is part of the GET request, and the current date/time. If the hash matches, then you can be pretty sure that the browser is looking at foo.com’s website, and you can return the image contents.
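The signed-URL scheme from option 2, as an added example that is not part of the original answer: it uses HMAC-SHA256 over the image path, the browser's IP and an explicit expiry timestamp instead of a bare hash of the current time, so Bar can recompute the value without guessing Foo's clock. The key value, the `exp` and `sig` parameter names, the function names and the image path are assumptions made for illustration.

```php
<?php
// Added example. SHARED_KEY, the exp/sig parameter names and the image path are
// constructed for illustration; the key is known only to Foo and Bar.
const SHARED_KEY = 'constructed-demo-key';

// Foo: build the image URL for the browser at $clientIp, valid for $ttl seconds.
function sign_image_url(string $path, string $clientIp, int $now, int $ttl = 300): string
{
    $exp = $now + $ttl;
    $sig = hash_hmac('sha256', "$path\n$clientIp\n$exp", SHARED_KEY);
    return 'https://bar.com' . $path . '?' . http_build_query(['exp' => $exp, 'sig' => $sig]);
}

// Bar: recompute the MAC from the request itself and compare in constant time.
function verify_image_request(string $path, array $query, string $clientIp, int $now): bool
{
    $exp = $query['exp'] ?? '';
    $sig = $query['sig'] ?? '';
    if (!is_string($exp) || !ctype_digit($exp) || !is_string($sig)) {
        return false; // missing or malformed parameters
    }
    if ((int) $exp < $now) {
        return false; // link has expired
    }
    $expected = hash_hmac('sha256', "$path\n$clientIp\n$exp", SHARED_KEY);
    return hash_equals($expected, $sig);
}

// Constructed walk-through: Foo signs for one browser, Bar checks four requests.
$now = 1700000000;
$url = sign_image_url('/images/logo.png', '198.51.100.20', $now);
$path = parse_url($url, PHP_URL_PATH);
parse_str(parse_url($url, PHP_URL_QUERY), $query);

$checks = [
    'same browser, in time'     => verify_image_request($path, $query, '198.51.100.20', $now + 60),
    'link copied to another IP' => verify_image_request($path, $query, '203.0.113.9', $now + 60),
    'replayed after expiry'     => verify_image_request($path, $query, '198.51.100.20', $now + 301),
    'path swapped'              => verify_image_request('/images/other.png', $query, '198.51.100.20', $now + 60),
];
foreach ($checks as $label => $ok) {
    echo $label, ': ', $ok ? 'served' : 'rejected', "\n";
}
```

Binding the signature to the browser's IP only works when Foo and Bar see the same address for that browser; behind different proxies or NAT paths the check fails closed and the image is not served.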

What is the modern way to check if user is requesting, You can use Exits.IsTor in datastore.go to determine whether the request comes from tor. You need to change var DefaultTarget = AddressPort{"38.229.72.22", 443} to your server’s IP address and port. You will also need some interface written in Go if you are using PHP if you want to use their code.

Check if server running script?

Hello I have a script that does the following:

which happens on index.php?reloadImages

I now have an ajax request to update based on those images:

$('#ImageDiv').load('index.php?reloadImages'); 

and that works fine on loading the images, but what I need to know is if you can set a variable like

so that way it will still retrieve images when the system goes to index.php?reloadImages but not when a user navigates there via url in their web browser

First find IP address of the machine requesting the link by:

if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR']; // address of the TCP peer
}

Now $ip is IP address of the requesting machine. And let’s say your computer IP is 123.456.789.1 (something like that)

So let’s assign it to a variable

if ($ip == $server_ip && isset($_GET['reloadImages'])) { echo ""; exit; } else
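A hardened form of this IP check, as an added example that is not part of the original answer: `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are request headers the client fills in, so the decision is made on `REMOTE_ADDR`, and a forwarding header is read only when the TCP peer is a reverse proxy you operate. `TRUSTED_PROXIES`, `ALLOWED_CLIENTS`, the function names and the sample requests are constructed for illustration.

```php
<?php
// Added example. The proxy address, the allowlist and the requests are constructed.
const TRUSTED_PROXIES = ['10.0.0.5'];                   // reverse proxies we run
const ALLOWED_CLIENTS = ['127.0.0.1', '203.0.113.10'];  // callers allowed to use the endpoint

function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Forwarding headers count only when the TCP peer is one of our own proxies.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    // Read X-Forwarded-For right to left: entries appended by our proxies are
    // skipped, and the first other hop is the address our infrastructure saw.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: stop trusting the header
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

function is_allowed(array $server): bool
{
    return in_array(client_ip($server), ALLOWED_CLIENTS, true);
}

// Constructed requests, shaped like $_SERVER.
$requests = [
    'direct call from the server itself' => ['REMOTE_ADDR' => '127.0.0.1'],
    'outside client sending forged headers' => [
        'REMOTE_ADDR' => '198.51.100.7',
        'HTTP_CLIENT_IP' => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    ],
    'allowed client behind our proxy, forged first hop' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.10',
    ],
];
foreach ($requests as $label => $server) {
    echo $label, ' -> ', client_ip($server), is_allowed($server) ? ' allowed' : ' denied', "\n";
}
```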

How to get the IP address in PHP?, It is very easy to collect the IP address in PHP. PHP provides PHP $_SERVER variable to get the user IP address easily. We can track the activities of the visitor on the website for the security purpose, or we can know that who uses my website and many more. The simplest way to collect the visitor IP address in PHP is the …

How to tell who is calling web service (PHP on Apache)

I am creating a web service using php’s SoapServer built-in class. I have run some basic tests and it seems to be working fine, but now I need to limit who can use the service.

Assuming that only other scripts on the same server are trying to consume my service, and that they would do this server-side (as opposed to with AJAX or similar means), does my service have any means of identifying the owner of the requester?

I could limit access to the service to only requests coming from a specific origin, but this seems either very strict or very unreliable, depending on if I allow access to any script in a directory vs. only specific scripts.

I’m just not clear if I can limit access by the user on the server since the user that the original requesting script will be www.

here are some of your options:

  1. as vivek mentioned, a key in the url could do the trick, i have used this many times, and it works nicely, and also allows you to monitor who’s consuming the service (different consumers, different keys)
  2. you could restrict usage of the scripts by IP. this is like the nuke of restrictions, i’ve seen it used mostly in places where service is granted outside the original server, but where a VPN would be an overkill.
  3. of course, you may require full authentication, but this has too much overhead, both in terms of programming, and in terms of usefulness.
  1. if only scripts on the same server are consuming the service, why make it a service at all?
  2. if you have (unrestricted) pages that consume this (restricted) service, what’s stopping anyone from scraping those pages — no matter how hard you protect the service?

You can always implement HTTP authentication against a data source of your choice. Apache has various options for doing Digest and Basic auth against a myriad of sources (we use mod_auth_mysql to secure a php webdav solution) but PHP also has good documentation about how to do it at the app level.

Why not just make the web service available on the localhost vhost?

Not completely water-tight, admittedly but relatively simple to implement.

Or on a vhost running on a firewalled port?

You could use a registration key as most famous APIs do, like weather bug.

so when a request comes in, you could check the code and see whether the user has registered to use your API.

How To Identify The Requested Page In PHP, I decided to test it out myself. The $_SERVER['SCRIPT_NAME'] variable serves up the path to the requested file, even if it’s an index file, and without get parameters or anything else. The PHP documentation states this contains the path of the file, but it seems to be relative to the document root, just like PHP_SELF, …

Code sample:

PHP_SELF: /index.php/XSS # note the XSS exploit (this is bold in browser)
SCRIPT_NAME: /index.php # No exploit here
REQUEST_URI: /index.php/%3Cstrong%3EXSS%3C/strong%3E
parse_url(REQUEST_URI): /index.php/%3Cstrong%3EXSS%3C/strong%3E
__FILE__: /var/www/pathtest.php
