I have a PHP file that can be called, or have data posted to it, from an external website.
I want to know how to actually get the real domain name from which the curl post was made to my PHP script.
So that I can run some code or validation on it.
A file on examplea.com/ made a post via curl to exampleb.com/loadtext.php
Apart from having to use $_SERVER['REQUEST_URL'] in the examplea.com post data, can I actually write some code in exampleb.com/loadtext.php and get the full domain of websites posting to or calling it via curl?
Well, getting the domain is hard, but you can get the IP of the server that made the request from $_SERVER['REMOTE_ADDR']. You can haul that through a reverse DNS lookup and then maybe get the domain back, but this is not guaranteed at all, since it’s not required to set up and most people don’t bother.
I know of the IP, but it is not unique like a domain name.
I think I should tell you what I intend to do.
I created a script that can be accessed using keys and a secret word, and I want to ensure those keys are for a given domain name.
Because it is easy to use one key and secret word for multiple domains, but my intention is that only the domain assigned to that key can access it.
Validation is not the problem, as I have a database to store the secret key, key and domain name.
So if it is sent from a domain name other than what is in the database, it throws an error.
Is there a need, since the IP can be changed whereas the domain is still the same? Unless the IP you are referring to is different from the browser IP, or anything that is more internet related than domain related.
It does mean I have to wait for the user to make his first call so I can save his domain IP to the database, and subsequent calls will be validated against the IP we have on file.
Note, am I to call this in my own script, that is loadtext.php, or am I to call it in the user's file?
Because anything in the user's file can be edited, but things in loadtext.php are kept on my control server and the user doesn't have access to it.
Not really like that; it is not the type of "if it doesn't exist already, add it". This will come through an initial setup process where we try your IP, and once we get it we store it for subsequent use. If you didn't go through that approval process then your call will always fail, because it will never be in the database.
Is that true? I’m not sure it is. I’m pretty sure that if microsoft.com registered for your service, you might find that their domain has multiple IP addresses, before you even get on to the difference between www.microsoft.com and support.microsoft.com and all the rest. Round-robin load balancing allows a DNS server to give out different IPs for the same domain, for example, or it did last time I was looking at stuff like this.
What if the connection comes from someone who has a dynamic IP address, and has a different one each time they connect? Or what if someone on a shared connection (shared router, for example) signs up for your service, but all the other people on that shared router do not?
IP addresses are rarely a good way to track users.
There is something I need to get clear here: is the IP address for internet browsers, like we have to get a list of users browsing our website?
I am talking about an IP or any identifier for a specific registered domain name, not a visitor's internet protocol address, so that I can know: yes, this script or file is actually coming from www.fish.com, or it is coming from www.meat.com.
If you have a look at this site - https://dns-lookup.com/microsoft.com - it will show you several IP addresses (A-records) which are all "microsoft.com". You can look at other domain names on that web site and see what information they return. In this specific example, you see that there are five IP addresses that resolve to microsoft.com. If you look up subdomains (www, support, for example), they have their own IP addresses, which are different from the first list.
So if you want to restrict access by domain name, you can’t necessarily restrict it to a single IP address.
Perhaps you could describe in more detail the exact scenario - where are you expecting your users to connect from? I don’t know what your project does - is it reasonable to presume that users will connect to you from the physical machine that resolves to their registered domain?
I suspect that there is a reason that very few APIs use IP addresses as part of their authentication process.
Generally speaking, if you already have an API key, I wouldn’t bother with an additional check of IP/domain/whatever. Just log the use of API keys instead. If an API key is doing a lot of requests from a lot of different IPs you can be pretty sure the key has been compromised/shared and then you can just kill that key.
Out of all security measures IP limiting is one of the worst, as you’re slowly finding out.
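As an added illustration of the key-usage logging recommended above (example code written for this edit, not from anyone in the thread), the following script parses a constructed access log and flags any API key that is used from too many distinct IPs, or too often, inside a sliding time window. The log format, key names and IP addresses are all assumptions; the same check would apply to whatever loadtext.php records per call.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one line per API call with
# timestamp, API key and the client IP taken from $_SERVER['REMOTE_ADDR'].
SAMPLE_LOG = """\
2024-05-01T10:00:01Z key=k_alpha ip=203.0.113.10
2024-05-01T10:00:05Z key=k_alpha ip=203.0.113.10
2024-05-01T10:00:09Z key=k_beta ip=198.51.100.7
2024-05-01T10:00:12Z key=k_beta ip=198.51.100.9
2024-05-01T10:00:15Z key=k_beta ip=192.0.2.33
2024-05-01T10:00:17Z key=k_beta ip=192.0.2.34
2024-05-01T10:00:20Z key=k_beta ip=192.0.2.35
2024-05-01T10:05:00Z key=k_alpha ip=203.0.113.11
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Turn log lines into (timestamp, key, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["key"], m["ip"]))
    return events


def flag_keys(events, window=timedelta(minutes=1), max_ips=3, max_calls=60):
    """Return {key: reason} for keys that, within any sliding window, were used
    from more than max_ips distinct IPs (likely shared/leaked) or made more
    than max_calls requests (candidate for throttling)."""
    by_key = defaultdict(list)
    for ts, key, ip in sorted(events):
        by_key[key].append((ts, ip))
    flagged = {}
    for key, uses in by_key.items():
        start = 0
        for end in range(len(uses)):
            # Advance the window start until all uses fit inside the window.
            while uses[end][0] - uses[start][0] > window:
                start += 1
            span = uses[start:end + 1]
            distinct = {ip for _, ip in span}
            if len(distinct) > max_ips:
                flagged[key] = f"{len(distinct)} distinct IPs within {window}"
                break
            if len(span) > max_calls:
                flagged[key] = f"{len(span)} calls within {window}"
                break
    return flagged
```

A key flagged for many distinct IPs is the "compromised/shared" case the reply describes and can be revoked; the call-count check is the frequency throttle, and it tolerates the shared-router and dynamic-IP users mentioned earlier because it never ties the key to one address.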
That's exactly what I am made to believe, so I had to rely on a manual frequency check to know how to apply a throttle.
I am just wondering how many API keys I could monitor at a time.
I just wish certain things worked the way I imagine them, but I am always faced with what works and what does not exist.
You are mostly right; it is either via a frequency log or by billing per call.
Which are my last two remaining options.
I hate logs; some logs are resource consuming, keeping track of all calls including those from bots.