homelessDevOps

Reputation: 20726

PHP creating back-link with $_SERVER['HTTP_REFERER']

Is it safe to create a back link with:

$backLink = htmlentities($_SERVER['HTTP_REFERER']);

or is there a better solution?

Upvotes: 0

Views: 6537

Answers (6)

Vladislav Rastrusny

Reputation: 29993

You must be careful with htmlentities because it corrupts non-ASCII encoding. For example,

echo(htmlentities("Привет, друг!")); //Contains russian letters

is displayed as

Ïðèâåò, äðóã!

Which is of course incorrect.

Every browser sends non-ASCII chars in URLs as it wants to. Mozilla in Unicode, IE in the system's current charset (Windows-1251 in Russia).

So, it might be useful to replace htmlentities with htmlspecialchars.

Upvotes: 0

Greg Hewgill

Reputation: 993901

An easier way might be to do something like this:

<a href="javascript:history.back()">Go back</a>

That does not rely on the browser populating the Referer header, but instead does exactly the same thing as pressing the browser "Back" button.

This may be considered better since it actually goes back in the browser history, instead of adding the previous page to the browser history in the forward direction. It acts just as you would expect the Back button to act.

Upvotes: 5

Boris Guéry

Reputation: 47604

I think Facebook uses a similar technique to redirect the user.

They use a GET variable called 'from'.

Upvotes: 0

Mark Embling

Reputation: 12821

It will work in some cases. However, you should be aware that the HTTP referer header is not guaranteed. User agents (browsers, search spiders etc.) cannot be relied on to send anything, correct or not. In addition, if a user browses directly to the page, no referer header will be present. Some internet security software products even strip out the HTTP referer for "security" reasons.

If you wish to use this solution, be sure to have a fallback in place such as not showing the back link, or linking to a default start page or something (it would depend on the situation this is to be used in).

An alternative solution might be to use javascript to navigate to "history.back". This will use the browser's back/history function to return to the previous page the user was on.

Upvotes: 0

Quentin

Reputation: 943981

Given that:

  • The referer header is optional
  • Some security software will rewrite the referer header (e.g. to XXXX:XXXXXXXX or Advert For Product)
  • Linking to the referer will, at best, duplicate the built in functionality of the back button
  • Users will often expect a link marked 'back' to take them to the previous page in a sequence, not to the previous page they were on

No, it isn't safe. The dangers are not great, but the benefits are tiny.

Upvotes: 0

nikc.org

Reputation: 16993

It's quite safe, as long as you check for its existence. In some browsers it can be turned off, and I'm not sure that it's mandatory for browsers anyhow. But the baseline is, you can't count on it existing. (RFC2616 doesn't say the referer-header must exist.)

If you really need reverse navigation, perhaps you could instead use a session variable to save the previous (current really, but only update it after displaying the back-link) page visited.

Upvotes: 2
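Putting the points from the answers above together (check that the referer exists, fall back to a default page when it is missing or rewritten, escape with htmlspecialchars rather than htmlentities) in one PHP helper. This is an added example, not code from the question or any answer, and it goes beyond them by also only linking back to URLs on the site's own host; the function names, the `$fallback` default and the sample requests are assumptions.

```php
<?php
declare(strict_types=1);
// Builds a "back" link that uses HTTP_REFERER only when it is present and
// points at this site's own host; anything else gets the fallback URL.
// Function names, the same-host rule and $fallback are assumptions of this
// added example, not code from the question or answers.
function backLinkHref(array $server, string $fallback = '/'): string
{
    // The referer is optional: browsers, spiders and security software may
    // omit or rewrite it, so a missing value is the normal case to handle.
    $referer = $server['HTTP_REFERER'] ?? '';
    if (!is_string($referer) || $referer === '') {
        return $fallback;
    }

    $parts = parse_url($referer);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;  // rewritten junk such as "XXXX:XXXXXXXX" lands here
    }

    // Our own host name, without any :port suffix from the Host header.
    $own = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    $ownHost = is_string($own) ? strtolower($own) : '';
    // Only http(s) URLs on our own host are linked back to; other schemes
    // (javascript:, data:) and other sites fall back to the default page.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || $ownHost === '' || strtolower($parts['host']) !== $ownHost) {
        return $fallback;
    }
    return $referer;
}

function backLinkHtml(array $server, string $fallback = '/'): string
{
    // htmlspecialchars rather than htmlentities so UTF-8 in the URL is left
    // alone; ENT_QUOTES because the value sits in a double-quoted attribute.
    $href = htmlspecialchars(backLinkHref($server, $fallback), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">Go back</a>';
}

// Constructed sample requests (not real traffic) to try from the CLI.
$samples = [
    ['HTTP_HOST' => 'example.test:8080', 'HTTP_REFERER' => 'https://example.test/list?page=2&q="x"'],
    ['HTTP_HOST' => 'example.test'],                                          // no referer
    ['HTTP_HOST' => 'example.test', 'HTTP_REFERER' => 'https://other.test/'], // other host
];
foreach ($samples as $s) {
    echo backLinkHtml($s, '/start'), "\n";
}
```

Only the first sample request yields a link to the referer; the other two produce the `/start` fallback, which is the behaviour the answers recommend when the header is absent or untrustworthy.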
