
Securing Editable Code


The Little Guy

Recommended Posts

I have this code on my site:

<script type="text/javascript">
var idNum = '5';
var projectID = '8';
var projectCode = 'kfhf8fdke4';
</script>
<script type="text/javascript" src="http://dudeel.com/statistics/javascripts/stats.js"></script>

 

It is a way for me to track information about people that come to the page the user is on.

 

It links to a JavaScript that starts up some PHP on my server.

 

Now if you were to look at my source code, grab that code, and place it on your site, my site's stats would be off because it would now be counting views from your site as well as my site.

 

When a user signs up, they give me their site's main domain/sub-domain: http://mysite.com, http://example.com, http://somesite.com, etc., and it is stored in my database.

 

So what would be the best way, in my PHP and/or JavaScript, to ensure that ONLY requests from the domain they gave me are accepted?


Well, I would check that the IP is correct. I would record the IP for the sub/domain; most domains will probably be running on static IPs, whereas sub-domains are more likely to be dynamic (theoretically). From there, just check $_SERVER['REMOTE_ADDR'] and make sure it is the same IP as recorded for the sub/domain.


Well, I would check that the IP is correct. I would record the IP for the sub/domain; most domains will probably be running on static IPs, whereas sub-domains are more likely to be dynamic (theoretically). From there, just check $_SERVER['REMOTE_ADDR'] and make sure it is the same IP as recorded for the sub/domain.

 

The problem with that is that some domains have dynamic IP addresses.


Well, if you know that some of the domains are going to be on dynamic IPs, I would either run a script on all the domains in the database on an hourly or bi-hourly basis to make sure they are all current and working domain names, or run a check per domain per request. But after thinking it through a little bit more... I would also check the referrer in the server array. Hmm, sorry, I am kinda drawing some blanks at the moment, kinda busy lol

Why do you use all three of the vars? ... Could you possibly take it down to like 1 var being sent?


It doesn't matter; the web server isn't the one executing your JavaScript, it's the client. Do what Google does:

 

<script type="text/javascript" src="http://dudeel.com/statistics/javascripts/stats.js"></script>
<script type="text/javascript">
<!--
    yourTrackingFunction('their.domain.com');
// -->
</script>


Well, you're going to have to sanitize that argument, yes... but I'm not sure how one would physically change the hard-coded javascript on your server.

 

This can be abused and manipulated. Your best bet is to verify the host with location.hostname, then check to see if it exists in your tracking list, then increment the counter :)

 

You're still relying entirely on client-side data though, so all of this can be manipulated and your results can be skewed... but this is a hit counter... someone would have to be really bored to hit F5 a shitload of times... and if this ever happens, simply make it harder by putting a hit limit per IP in a certain time frame, forcing them to change IPs intermittently. Sounds like too much work to 'cheat' a hit counter.


OK, here is what I have now...

 

I use JavaScript to pass the domain as a variable through a GET to my PHP; my PHP then looks up the domain address that the user gave me at registration and matches the one in the database against the one passed through the GET.

 

If they match, it adds some stats about the user; if they don't match, it doesn't store stats about the user.

 

Anything else I could/should do?

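As an added example (not code from this thread or from dudeel.com), here is how the server-side half of the approach above could look: a canonical hostname comparison against the registered domain, the Referer cross-check suggested earlier, and the per-IP hit limit mentioned as a fallback. It assumes the JavaScript sends projectID and location.hostname as GET parameters named projectID and host; the database lookup is stubbed with a constructed array.

```php
<?php
// Added example, not the thread's own code. Server-side checks for the stats
// endpoint: the client sends projectID and location.hostname as GET parameters,
// and the registered domain comes from the database (stubbed here as an array).
// Everything compared is client-supplied, so this stops copy-paste reuse of the
// snippet, not a determined forger.

/** Reduce a URL or bare hostname to a canonical lowercase host, or null. */
function canonicalHost(?string $value): ?string {
    if ($value === null || trim($value) === '') {
        return null;
    }
    // parse_url() only recognises the host part when a scheme is present.
    if (strpos($value, '://') === false) {
        $value = 'http://' . $value;
    }
    $host = parse_url($value, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? rtrim(strtolower($host), '.') : null;
}

/** Reported host must equal the registered domain; so must the Referer host if one was sent. */
function hitMatchesRegisteredDomain(string $registeredDomain, ?string $reportedHost, ?string $referer): bool {
    $registered = canonicalHost($registeredDomain);
    if ($registered === null || canonicalHost($reportedHost) !== $registered) {
        return false;
    }
    // Browsers and privacy tools often strip Referer; when present it must agree.
    return $referer === null || canonicalHost($referer) === $registered;
}

/** Per-IP hit cap inside a sliding window; $log stands in for database storage. */
function withinRateLimit(array &$log, string $ip, int $now, int $limit = 30, int $window = 60): bool {
    $log[$ip] = array_filter($log[$ip] ?? [], fn(int $t): bool => $t > $now - $window);
    if (count($log[$ip]) >= $limit) {
        return false;
    }
    $log[$ip][] = $now;
    return true;
}

// Constructed sample data standing in for the database rows.
$projects = ['8' => ['domain' => 'http://example.com']];
$hitLog   = [];

$project = $projects[$_GET['projectID'] ?? ''] ?? null;
$accept  = $project !== null
    && hitMatchesRegisteredDomain($project['domain'], $_GET['host'] ?? null, $_SERVER['HTTP_REFERER'] ?? null)
    && withinRateLimit($hitLog, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', time());
// Record the hit for the project only when $accept is true.
```

Because the hostname and Referer are both chosen by the client, the rate limit is the only part a determined forger cannot simply assert; persist its log in the database rather than in memory so it survives across requests.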
