Referer check for click validation

[jido]

Hi

I have the following snippet in my script as a simple fraud prevention device, to avoid counting clicks that do not originate from the same website. What are your comments on it?

function check_referer()
{
	$ref = $_SERVER['HTTP_REFERER'];
	$domain = $_SERVER['SERVER_NAME'];
	return (preg_match("/^http:\/\/$domain/", $ref) == 1);
}

I suspect that some browsers do not provide the HTTP_REFERER header, which causes clicks to be ignored when they could be counted. On the other hand quite a few of the clicks seem to come from same domain IPs, so the device may fulfill its function well enough.

Do you use anything similar on your site?

 

[xrvel]

What about this ? Add an "i" in preg_match.:

function check_referer() {
    $ref = $_SERVER['HTTP_REFERER'];
    $domain = $_SERVER['SERVER_NAME'];
    return (preg_match("/^http:\/\/$domain/i", $ref) == 1);
}

Btw, what kind of website it is?

 

[jido]

Thanks, I added your suggestion.

Nothing exciting it is a site listing for online estimates: http://nestimates.com
Good experimental ground for some of my ideas though

 

[xrvel]

Other method you can use is creating a link with unique id.

Preparing the functions...

function is_valid_click() {
   if (!isset($_GET['stamp'])) {
      return(false);
   }
   if (!isset($_GET['hash'])) {
      return(false);
   }
   $stamp = $_GET['stamp'];// time stamp
   $hash = $_GET['hash'];// hashed time stamp
   if ($stamp < time() - 3600) {// old link
      return(false);
   }
   return( ($hash == mycrypt($stamp)) );// check hash
}

function mycrypt($s) {
  return(md5('unique' . $s . 'id'));
}

Generate the link

$now = time();
$hashed = mycrypt($now);
$link = '?redirect=http://google.com&stamp=' . $now . '&hash='. $hashed;

echo("<a href=\"$link\" > click </a>");

Checking the clicks

if (! is_valid_click()) {
   echo('Do not click this link from any website but nestimates.com');
} else {
   // redirect here
}