Http referer Check Script
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Http referer Check Script

  1. #1
    Banned
    Join Date
    Nov 2003
    Posts
    68

    Http referer Check Script

    i hope if u can help me doing this
    i have found what i want whitch is A referer check Script for Protecting downloads

    here is the Script :

    PHP Code:
    <?php

    ///////////////////////////////////////////////
    //                                           //
    // Download Protector v 1.1                  //
    // ----------------------------------------- //
    // by Graeme (webmaster@phpscriptcenter.com) //
    // [url]http://www.phpscriptcenter.com[/url]            //
    //                                           //////////////////////////////
    // PHP Script CENTER offers no warranties on this script.                //
    // The owner/licensee of the script is solely responsible for any        //
    // problems caused by installation of the script or use of the script    //
    //                                                                       //
    // All copyright notices regarding Download Protector, must remain       //
    // intact on the scripts and in the HTML for the scripts.                //
    //                                                                       //
    // (c) Copyright 2001 PHP Script CENTER                                  //
    //                                                                       //
    // For more info on Download Protector,                                  //
    // see [url]http://www.phpscriptcenter.com/downloadprotector.php[/url]              //
    //                                                                       //
    ///////////////////////////////////////////////////////////////////////////

    $ADMIN[defaulturl] = "http://phpscriptcenter.com";

    $okaysites = array("http://phpscriptcenter.com","http://www.phpscriptcenter.com");    

    $ADMIN[url_1] = "http://www.phpscriptcenter.com/download.php3?product=";
    $ADMIN[url_2] = "http://downloads.com";
    $ADMIN[url_3] = "http://downloads.com/new";

    //////////////////////////////////////////////////////

    $reffer $HTTP_REFERER;
    if(
    $reffer) {
    $yes 0;
    while(list(
    $domain$subarray) = each($okaysites)) {
    if (
    ereg("$reffer",$subarray)) {
    $yes 1;
    }
    }
    $theu "url"."_"."$site";
    if (
    $ADMIN[$theu] AND $yes == 1) {
    header("Location: $ADMIN[$theu]/$file");
    } else {
    header("Location: $ADMIN[defaulturl]");
    }
    } else {
    header("Location: $ADMIN[defaulturl]");
    }

    ?&
    gt
    The Script Check if the referer is one of the arrays which is :
    $okaysites = array("http://phpscriptcenter.com","http://www.phpscriptcenter.com");
    but fairly that doesn't work. the script didn't work with me Until i make the referer check for a specific Webpage for example :
    http://phpscriptcentre.com/url.html << if the link was Pressed from there it will Pass else it will redirect to the Chosen site
    it didn't work also for a Forum topic i put the referer to check with the thread id but it didn't work
    ..............................................
    all what i want how to make the Script pass allllll links opened from my domain www.domain.com
    or i have another idea instead of checking the Exact referer can anybody Edit the code to check if the referer contain a (Word) which is my Domain name like www.mysite.com
    so the script check if the referer contain mysite if yes Continue <<<

    thx in advance

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    It generally isn't a good idea to rely on the HTTP_REFERER field since it is a header set by the browser, and thus can be readily modified. Even the PHP manual discourages this kind of use:
    From: http://ca3.php.net/manual/en/reserve...riables.server
    'HTTP_REFERER'
    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
    Ideally you would come up with a server side solution (database record, etc) tracking what pages were visited previously on your site (or even just the last page they visited) and then determine if it's a valid referer to the script you are trying to protect. I'll leave it to you to examine such a system, but I did want to make you aware that it's pretty easy to break the system you propose.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  3. #3
    You may be able to use http://us2.php.net/function.strstr to check for your domain name in the referrer field.

    This kind of thing is usually used to protect hotlinking, so unless they want their content to be private a script like this should suffice. (Unless you can edit the referer field in a hyperlink, which I don't think is possible)

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    It *should* be covered by the line:
    PHP Code:
    if (ereg("$reffer",$subarray)) {
    $yes 1;

    ereg() is PHP's Regular Expression function. It looks for $reffer in $subarray.

    ...

    Example:
    Allowed: domain.com
    Reffer: domain.com/view?thread=xxx

    Is Reffer in Allowed? (Can domain.com/view?thread=xxx be found within domain.com) Nope!


    Hrm...the program is obviously misprogrammed


    I wonder if it should be this:
    PHP Code:
    if (ereg($subarray"$reffer")) {
    $yes 1;

    or even:
    PHP Code:
    if (ereg($subarray$reffer)) {
    $yes 1;



    I think the original code had an error. Try one of the corrections. Good luck.

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Referrer information isn't always available in the http request. Using it is kind of tarded.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  6. #6
    Banned
    Join Date
    Nov 2003
    Posts
    68
    well thanks guys for all your comments...
    thx Tim_axe >>>>>> You Are RIGHT that was the mistake...
    i used

    if (ereg($subarray, "$reffer")) {
    $yes = 1;
    }

    and it worked within checking the domain
    for who say that using referer check is not good way.. plz tell me how to protect Download Hotlinking..

  7. #7
    Banned
    Join Date
    Nov 2003
    Posts
    68
    Guyz the script works well now.. but there is a problem
    if the Downloader Knew the Real URL which the Script redirect to it after the referer check
    it will be so easy to download without using the Script so all screwed UP..
    well knowing the real url is not Impossible but the only way that I found it..
    when using a Download manager like Download Accelerator it gets the REAL URL..
    so i used htaccess toavoid that.
    but i need to do that with the Script !!
    any comments !?

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    Checkout http://www.hotscripts.com/PHP/Script...ems/index.html for some scripts that do something similar to what you're looking for. Instead of redirecting to the file, they upload the file through themselves without revealing the real URL. Or at least that is what this section of that website is supposed to list...

  9. #9
    Banned
    Join Date
    Nov 2003
    Posts
    68
    well i just need a simple trick to Hide the URL...

  10. #10
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    There isn't a simple trick to hide the URL -- if they can download it without the script it will probably happen. And since your script just redirects to the real URL, it is out of your hands once they figure it out.

    If you want to use .htaccess, you could use the mod_rewrite to pass arguments to another script that acturally serves the file. If you are creative, you could make "example.com/file.zip" pass "file.zip" to a script "download.php" as the argument of the file it should upload (which could be hidden in some place like example.com/hidden/file.zip) and the referrer check could happen here. (If you want to try this, checkout the link I provided above)

    But otherwise, it isn't too difficult to get to the real URL. As to why someone might want to try to link stuff from your website, that is another issue, and you have to decide if protecting it is worth this much trouble or not...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •