The Little Guy Posted September 18, 2008

I have this code on my site:

<script type="text/javascript">
var idNum = '5';
var projectID = '8';
var projectCode = 'kfhf8fdke4';
</script>
<script type="text/javascript" src="http://dudeel.com/statistics/javascripts/stats.js"></script>

It is a way for me to track information about people that come to the page the user is on. It links to a JavaScript file that starts up some PHP on my server. Now if you were to look at my source code, grab that code, and place it on your site, my site's stats would be off because it would now also be counting views from your site and my site. When a user signs up, they give me their site's main domain/sub-domain: http://mysite.com, http://example.com, http://somesite.com, etc., and it is stored in my database. So what would be the best way in my PHP and/or JavaScript to secure that the ONLY requests made are from the domain that they gave me?
waynew Posted September 19, 2008

Maybe sessions could be used?
The Little Guy (Author) Posted September 19, 2008

How do you mean?
discomatt Posted September 19, 2008

You're going to be relying entirely on client side data.... In your JS file you can use location.hostname to get the domain according to the client.
The Little Guy (Author) Posted September 19, 2008

I am using an .htaccess file, so whenever my "Main" JavaScript file is accessed, it is actually being run through a PHP file, and if there is no Referrer, it gives an error; otherwise it returns JavaScript. I guess we can call that a "Hidden redirect". In the PHP file, can we do some stuff?
burn1337 Posted September 19, 2008

Well I would check that the IP is correct. I would record the IP from the sub/domain; most domains will probably be running on static IPs, whereas sub-domains are more likely to be dynamic (*theoretically). From there just check the $_SERVER['REMOTE_ADDR'] and make sure it is the same IP as recorded for the sub/domain.
The Little Guy (Author) Posted September 19, 2008

> Well I would check that the IP is correct. I would record the IP from the sub/domain; most domains will probably be running on static IPs, whereas sub-domains are more likely to be dynamic (*theoretically). From there just check the $_SERVER['REMOTE_ADDR'] and make sure it is the same IP as recorded for the sub/domain.

The problem with that is that some domains have dynamic IP addresses.
burn1337 Posted September 19, 2008

Well you could always make a ping/DNS script with PHP; this way it will ping the claimed domain, return the IP address, and then check it against the server['remote_addr'] (caps of course lol).
The Little Guy (Author) Posted September 19, 2008

What would I be checking? The IP I saved in the database?
burn1337 Posted September 19, 2008

Well if you know that some of the domains are going to be dynamic IPs, I would either run a script on all the domains in the database on like an hourly or bi-hourly basis to make sure they are all current and working domain names, or I would run a check per domain per request. But after thinking it through a little bit more... I would also check the referrer in the server array. Hmm, sorry, I am kinda drawing some blanks at the moment, kinda busy lol.

Why do you use all three of the vars? ... Could you possibly take it down to like 1 var being sent?
discomatt Posted September 19, 2008

It doesn't matter, the web server isn't the one executing your javascript, it's the client. Do what google does:

<script type="text/javascript" src="http://dudeel.com/statistics/javascripts/stats.js"></script>
<script type="text/javascript">
<!--
yourTrackingFunction('their.domain.com');
// -->
</script>
The Little Guy (Author) Posted September 19, 2008

If I do it like that, will they be able to edit the JavaScript that is on my server?
discomatt Posted September 19, 2008

Well, you're going to have to sanitize that argument, yes... but I'm not sure how one would physically change the hard-coded javascript on your server. This can be abused and manipulated. Your best bet is to verify the host with location.hostname, then check to see if it exists in your tracking list, then increment the counter.

You're still relying entirely on client-side data though, so all of this can be manipulated and your results can be skewed... but this is a hit counter... someone would have to be really bored to hit F5 a shitload of times... and if this ever happens, simply make it harder by putting a hit limit per IP in a certain time frame, forcing them to change IPs intermittently. Sounds like too much work to 'cheat' a hit counter.
The Little Guy (Author) Posted September 19, 2008

OK, here is what I have now... I use JavaScript to pass a variable of the domain through a GET to my PHP; my PHP then looks up the domain address that the user gave me at registration, then matches the one in the database against the one passed through the GET. If they match, it adds some stats about the user; if it doesn't match, then it doesn't store stats about the user. Anything else I could/should do?
discomatt Posted September 19, 2008

Not much else you can check unless you expect it to be abused a certain way. If you notice it is, then implement another check to make it harder to abuse.