Reputation: 3064
I can't seem to work out why the below sends ALL traffic to the page-not-found page, even if referred by Paypal. Any ideas?
$refererUrl = $_SERVER['HTTP_REFERER'];
$Exploded = explode("/",$refererUrl);
$urlToCheck = $Exploded[3];
$findURL = strpos($urlToCheck,'paypal.com');
if($findURL === false){
    header('location:/page-not-found');
} else {
    /* Do something if page referred to by Paypal */
}
Upvotes: 1
Views: 6415
Reputation: 1403
You are checking if 'paypal.com' is present in $Exploded[3]. Why do you expect that part of the referer url to be the hostname? Array indexes start at 0, so counting from left to right would give you the following, indicating that 2 would be the correct index.
// explode() takes the separator first, then the string to split
$Exploded = explode('/', 'http://www.google.com/?q=foobar');
// $Exploded now contains:
// 0: http:
// 1:
// 2: www.google.com
// 3: ?q=foobar
However, it would be safer to use some utility that will parse arbitrary URLs and read the hostname from the interpreted URL. You could do something like this (untested):
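// Parse the referer (the header may be absent) and compare its host component
$referer = parse_url($_SERVER['HTTP_REFERER'] ?? '');
if (!isset($referer['host']) || $referer['host'] != 'paypal.com') {
    header('Location: /page-not-found');
    exit; // stop here so the rest of the page does not run after the redirect
} else {
    /* Do something if page referred to by Paypal */
}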
parse_url doc: http://php.net/manual/en/function.parse-url.php
Upvotes: 3
Reputation: 2051
Is it correct?
$urlToCheck = $Exploded[3];
If your referer looks like http://www.example.com/.... then by exploding by "/" you will never get the domain in the 3rd index. It should be 2.
Try using
$urlToCheck = $Exploded[2];
Upvotes: 0
Reputation: 2449
Are you sure that HTTP_REFERER is set? If you have a look at the documentation it says
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
Upvotes: 1
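The host comparison discussed in the answers above, as an added example that is not code from any of the posters: it parses the Referer with parse_url and accepts only the exact domain or a subdomain of it, which a strpos substring test does not guarantee. The function name refererHostMatches is hypothetical and the sample URLs are constructed; because the header is supplied by the client, a match is a hint and not proof of origin.

```php
<?php
// Added example. refererHostMatches() is a hypothetical helper name.

/**
 * True only if the Referer's host is exactly $domain or a subdomain of it.
 * A missing or unparsable Referer is treated as "no match".
 */
function refererHostMatches(?string $referer, string $domain): bool
{
    if ($referer === null || $referer === '') {
        return false;                       // header absent: not all user agents send it
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;                       // malformed or relative URL, no host component
    }
    // Host names are case-insensitive; drop a trailing root dot before comparing.
    $host   = rtrim(strtolower($parts['host']), '.');
    $domain = strtolower($domain);
    if ($host === $domain) {
        return true;                        // exact match, e.g. paypal.com
    }
    // Subdomain match: the host must end in ".<domain>", not merely contain it.
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample Referer values and the result each should produce.
$samples = [
    'https://www.paypal.com/cgi-bin/webscr' => true,
    'https://PayPal.com/'                   => true,
    'https://paypal.com.example.net/pay'    => false, // contains the string, wrong host
    'https://example.net/?next=paypal.com'  => false, // string is in the query, not the host
    'https://notpaypal.com/'                => false, // ends with the string, no dot boundary
    '/relative/path'                        => false,
    ''                                      => false, // no Referer sent
];

foreach ($samples as $url => $expected) {
    $got   = refererHostMatches($url, 'paypal.com');
    $label = $url === '' ? '(no referer)' : $url;
    printf("%-40s %-7s %s\n", $label, $got ? 'match' : 'reject',
           $got === $expected ? 'ok' : 'UNEXPECTED');
}
```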