The Little Guy Posted September 18, 2008

I have this code on my site:

<script type="text/javascript">
var idNum = '5';
var projectID = '8';
var projectCode = 'kfhf8fdke4';
</script>
<script type="text/javascript" src="http://dudeel.com/statistics/javascripts/stats.js"></script>

It is a way for me to track information about people that come to the page the user is on. It links to a JavaScript file that starts up some PHP on my server. Now, if you were to look at my source code, grab that code, and place it on your site, my site's stats would be off because it would now be counting views from your site as well as my site. When a user signs up, they give me their site's main domain/sub-domain (http://mysite.com, http://example.com, http://somesite.com, etc.) and it is stored in my database. So what would be the best way, in my PHP and/or JavaScript, to make sure that the ONLY requests accepted are from the domain that they gave me?
waynewex Posted September 19, 2008

Maybe sessions could be used?
The Little Guy Posted September 19, 2008 (Author)

How do you mean?
discomatt Posted September 19, 2008

You're going to be relying entirely on client-side data... In your JS file you can use location.hostname to get the domain according to the client.
The Little Guy Posted September 19, 2008 (Author)

I am using an .htaccess file, so whenever my "Main" JavaScript file is accessed, it is actually being run through a PHP file, and if there is no Referrer, it gives an error; otherwise it returns JavaScript. I guess we can call that a "hidden redirect". In the PHP file, can we do some stuff?
burn1337 Posted September 19, 2008

Well, I would check that the IP is correct. I would record the IP from the sub/domain; most domains will probably be running on static IPs, whereas sub-domains are more likely to be dynamic (theoretically). From there, just check $_SERVER['REMOTE_ADDR'] and make sure it is the same IP as recorded for the sub/domain.
The Little Guy Posted September 19, 2008 (Author)

> Well, I would check that the IP is correct. I would record the IP from the sub/domain; most domains will probably be running on static IPs, whereas sub-domains are more likely to be dynamic (theoretically). From there, just check $_SERVER['REMOTE_ADDR'] and make sure it is the same IP as recorded for the sub/domain.

The problem with that is that some domains have dynamic IP addresses.
burn1337 Posted September 19, 2008

Well, you could always make a ping/DNS script with PHP. This way it will ping the acclaimed domain, return the IP address, and then check it against $_SERVER['REMOTE_ADDR'] (caps, of course, lol).
The Little Guy Posted September 19, 2008 (Author)

What would I be checking? The IP I saved in the database?
burn1337 Posted September 19, 2008

Well, if you know that some of the domains are going to be dynamic IPs, I would either run a script on all the domains in the database on an hourly or bi-hourly basis to make sure they are all current and working domain names, or I would run a check per domain per request.

But after thinking it through a little bit more, I would also check the referrer in the server array. Hmm, sorry, I am kinda drawing some blanks at the moment, kinda busy lol.

Why do you use all three of the vars? Could you possibly take it down to 1 var being sent?
discomatt Posted September 19, 2008

It doesn't matter; the web server isn't the one executing your JavaScript, it's the client. Do what Google does:

<script type="text/javascript" src="http://dudeel.com/statistics/javascripts/stats.js"></script>
<script type="text/javascript">
<!--
yourTrackingFunction('their.domain.com');
// -->
</script>
The Little Guy Posted September 19, 2008 (Author)

If I do it like that, will they be able to edit the JavaScript that is on my server?
discomatt Posted September 19, 2008

Well, you're going to have to sanitize that argument, yes... but I'm not sure how one would physically change the hard-coded JavaScript on your server.

This can be abused and manipulated. Your best bet is to verify the host with location.hostname, then check to see if it exists in your tracking list, then increment the counter.

You're still relying entirely on client-side data though, so all of this can be manipulated and your results can be skewed... but this is a hit counter... someone would have to be really bored to hit F5 a shitload of times... and if this ever happens, simply make it harder by putting a hit limit per IP in a certain time frame, forcing them to change IPs intermittently. Sounds like too much work to 'cheat' a hit counter.
The Little Guy Posted September 19, 2008 (Author)

OK, here is what I have now... I use JavaScript to pass a variable containing the domain through a GET to my PHP; my PHP then looks up the domain address that the user gave me at registration and matches the one in the database against the one passed through the GET. If they match, it adds some stats about the user; if they don't match, it doesn't store stats about the user. Anything else I could/should do?
discomatt Posted September 19, 2008

Not much else you can check unless you expect it to be abused a certain way. If you notice it is, then implement another check to make it harder to abuse.
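As an added example (not code posted in this thread), here is how the PHP that sits behind the rewritten stats.js URL could implement the checks the thread settles on: the projectCode is looked up in a registry standing in for the database, the Referer host and the hostname the JavaScript reports from location.hostname must both match the registered domain, and hits are capped per IP over a time window as suggested above. The REGISTRY array, the second project code, the `host` query parameter and the sample requests are constructed for this example. It deliberately does not compare REMOTE_ADDR against the registered site's DNS address, because the request comes from the visitor's browser, not from the site's own server; both checked values are still client-supplied, so this filters out copy-and-paste embeds rather than a determined forger.

```php
<?php
// Added example, not the poster's code: decision logic for the PHP handler
// behind the rewritten stats.js URL. Counts a hit only when the Referer host
// and the browser-reported host both match the domain registered for the
// project code, then applies a per-IP hit limit.
// REGISTRY, the second project code and the sample requests are constructed.

declare(strict_types=1);

// Constructed stand-in for the database lookup: projectCode => registered site URL.
const REGISTRY = [
    'kfhf8fdke4' => 'http://example.com',
    'a1b2c3d4e5' => 'http://blog.somesite.com',
];

/** Lower-case a hostname, drop a trailing dot and a leading "www.". */
function normalizeHost(string $host): string
{
    $host = strtolower(rtrim($host, '.'));
    return preg_replace('/^www\./', '', $host) ?? $host;
}

/** Normalized hostname of an absolute URL, or null when it does not parse. */
function hostFromUrl(string $url): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? normalizeHost($host) : null;
}

/**
 * Decide whether a tracking hit may be counted. $get and $server are the
 * request's $_GET and $_SERVER arrays; both values checked here are
 * supplied by the visitor's browser and can be forged.
 */
function requestAllowed(array $get, array $server, array $registry): bool
{
    $code = $get['projectCode'] ?? '';
    if (!isset($registry[$code])) {
        return false;                               // unknown project code
    }
    $registered = hostFromUrl($registry[$code]);

    // Referer must be present and point at the registered site.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '' || hostFromUrl($referer) !== $registered) {
        return false;
    }

    // The hostname the JavaScript sent from location.hostname must agree too.
    $claimed = normalizeHost((string)($get['host'] ?? ''));
    return $claimed !== '' && $claimed === $registered;
}

/** Sliding-window hit limit per IP; kept in memory here, a table in practice. */
final class HitLimiter
{
    private array $hits = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    public function allow(string $ip, int $now): bool
    {
        $cutoff = $now - $this->windowSeconds;
        $this->hits[$ip] = array_values(array_filter(
            $this->hits[$ip] ?? [],
            fn(int $t) => $t > $cutoff
        ));
        if (count($this->hits[$ip]) >= $this->limit) {
            return false;                           // over the limit for this window
        }
        $this->hits[$ip][] = $now;
        return true;
    }
}

// Constructed requests, shaped like $_GET and $_SERVER for three situations.
$cases = [
    'legit'        => [['projectCode' => 'kfhf8fdke4', 'host' => 'www.example.com'],
                       ['HTTP_REFERER' => 'http://www.example.com/page.html', 'REMOTE_ADDR' => '203.0.113.5']],
    'copied embed' => [['projectCode' => 'kfhf8fdke4', 'host' => 'evil.test'],
                       ['HTTP_REFERER' => 'http://evil.test/', 'REMOTE_ADDR' => '203.0.113.6']],
    'no referer'   => [['projectCode' => 'kfhf8fdke4', 'host' => 'example.com'],
                       ['REMOTE_ADDR' => '203.0.113.7']],
];

$limiter = new HitLimiter(limit: 3, windowSeconds: 60);
foreach ($cases as $label => [$get, $server]) {
    $ok = requestAllowed($get, $server, REGISTRY)
        && $limiter->allow($server['REMOTE_ADDR'], time());
    printf("%-13s %s\n", $label, $ok ? 'count hit' : 'reject');
}
```

Run it with `php stats_check.php` (PHP 8.0 or later for the constructor promotion and named arguments); only the first case is counted. In the real handler the same function would gate the INSERT into the stats table, and the response would still be the JavaScript the page expects, so a rejected hit fails silently rather than breaking the embedding page.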