04-03-2009, 01:01 AM
#18 (permalink)
The Contributor
Join Date: Mar 2009
Location: Springfield, IL USA
Posts: 75
Thanks: 3
You're welcome. :)
$HTTP_REFERER won't always count your own page as the referrer within the domain. That's why it's not foolproof.
Spammers & script hijackers have ways of faking the referrer by spoofing the headers. That's the same problem I had with the guy that had the automated rank checking software.
I used HTTP_REFERER in my script and it wasn't supposed to allow any query strings to pass unless they originated from within my site. So, he added header spoofing to his program and bypassed my internal script security.
Using a redirect that doesn't send a 301 header is not a good idea. There's a well-known issue with 302 hijackings.
If you're not familiar with it, please allow me to explain it. Blackhats (I'm sure you know what they are) look for ways to "steal PR" from other sites. They do this by putting a redirect page up on their site. The redirect sends a 302 header. They point this at the root (index) of a site with high PR.
A 302 header will tell the SEs "index MY page over THERE for a while", and then they later remove the redirect, and the PR that belonged to the domain they pointed it at, now also is shared by their own page.
Seriously, they really do do this. I own a web directory and there was one domain in my index that belonged to a Blackhat (which I didn't know at the time). But, anyway -- this guy 302'd his site to Google.com!
I'm not kidding. He thought he was going to end up with a PR10 on his site after the redirect was removed. Of course, I told my friend who works on the Google spam team about this, and they took care of it in short order.
Another guy owned this one site that he wasn't doing anything with for a while, so he 302'd it to a .gov domain that had a PR8. Then after the next Google PR update came through, he removed the redirect on his domain and lo and behold, his site too now had a PR8 when prior to that it was a PR3 with the same lousy 5 backlinks he had before.
You can disallow the redirect script in robots.txt but it's also better if you use a script that sends a 301 header. Pulling the URLs from the db just adds extra insurance your script won't be abused by outsiders.
I do the very same thing on my site as I've outlined for you. I've been doing it this way now for about 3 years and haven't had any problems with my script being abused by anyone -- and the only links coming from it are ones I allow to be there.
I'm not sure how well I answered your question, but if you still need anything else clarified, please feel free to ask.
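The approach described in the post above (redirect targets pulled from a stored list, a 301 status, no reliance on the referrer), as an added example that is not the poster's own script. The table contents, the function names and the `out.php?id=N` URL shape are assumptions made for illustration.

```php
<?php
// Added example: allowlisted 301 redirect. All names and data are constructed.
declare(strict_types=1);

// Stand-in for the database table of links the site owner has approved.
const APPROVED_LINKS = [
    1 => 'https://example.com/',
    2 => 'https://example.org/docs/',
];

/**
 * Decide the response for out.php?id=N (hypothetical script name).
 * The target comes only from the approved table, never from the query
 * string, and the Referer header is not consulted: the client controls it.
 */
function resolve_redirect(array $query, array $links): array
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($links[$id])) {
        return ['status' => 404, 'headers' => []];   // unknown id: no redirect at all
    }
    // 301 (permanent) rather than PHP's default 302 for a Location header.
    return ['status' => 301, 'headers' => ['Location' => $links[$id]]];
}

function send_response(array $response): void
{
    http_response_code($response['status']);
    foreach ($response['headers'] as $name => $value) {
        header("$name: $value");
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed query strings: one valid id, then inputs that must not redirect.
    $cases = [
        ['id' => '1'],
        ['id' => '99'],
        ['id' => '1 OR 1=1'],
        ['url' => 'https://unlisted.example/'],
    ];
    foreach ($cases as $query) {
        $r = resolve_redirect($query, APPROVED_LINKS);
        echo json_encode($query), ' => ', $r['status'], ' ',
             $r['headers']['Location'] ?? '-', PHP_EOL;
    }
} else {
    send_response(resolve_redirect($_GET, APPROVED_LINKS));
}
```

Run from the command line, it prints the decision for each constructed query; served by a web server, it answers the request directly.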