asmith Posted December 9, 2009

Hi,

I have this script on my main site: mainsite.com/download.php?id=100

By clicking on it, the site updates MySQL -> downloaded = downloaded + 1, but the file to download is on another site, so something like this:

header('Location: http://www.site2.com/download.php?id=100');

This seems to work, but the user can find out that his file is getting downloaded from the second site, so he can access 'http://www.site2.com/download.php?id=100' without having to click on the first site.

I thought about using $_SERVER['HTTP_REFERER'] so that on the second site, only if http_referer is set to the first site, it allows the download. But header('Location: http://www.site2.com/download.php?id=100'); doesn't send http_referer, since it is sent by the browser, not the server.

Any idea about this?

Thanks for your time

brianlange Posted December 10, 2009

When the user clicks on mainsite.com/download.php?id=100, a random md5 hash is stored in a database table that corresponds to the id 100. The URL on the main site will look like mainsite.com/download.php?id=86b7405c2efdf058ffd2b7e7b8f30256

Site2.com will be able to look up the hash and identify the id as 100. If the user tries to click on the URL more than once on site2.com, it won't work, because the record in the db will be flagged as having been used.

Maybe there is an easier way... but this will work. $_SERVER['HTTP_REFERER'] is problematic and should not be relied on.
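
The single-use token scheme described in the reply above, sketched as an added example that is not part of the original thread. Assumptions: the table name `download_tokens` and the functions `issueToken()` and `redeemToken()` are hypothetical, an in-memory SQLite database stands in for the table both sites can reach, the token comes from `random_bytes()` rather than an md5 hash, and the expiry column is an addition.

```php
<?php
// Added example: single-use download tokens looked up by the second site.
// Assumption: in-memory SQLite stands in for the database both sites share.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE download_tokens (
    token   TEXT PRIMARY KEY,
    file_id INTEGER NOT NULL,
    expires INTEGER NOT NULL,
    used    INTEGER NOT NULL DEFAULT 0
)');

// Main site: record a token for the file, then redirect to site2 with it.
function issueToken(PDO $db, int $fileId, int $ttl = 300): string
{
    // 128 bits from the CSPRNG, hex-encoded (same 32-character shape as md5 output).
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO download_tokens (token, file_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([$token, $fileId, time() + $ttl]);
    return $token;
}

// Site2: map a token back to its file id, or null if unknown, expired or used.
function redeemToken(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null; // reject malformed input before touching the database
    }
    // Atomic claim: of two concurrent requests, only one flips used from 0 to 1.
    $claim = $db->prepare(
        'UPDATE download_tokens SET used = 1
          WHERE token = ? AND used = 0 AND expires >= ?');
    $claim->execute([$token, time()]);
    if ($claim->rowCount() !== 1) {
        return null;
    }
    $row = $db->prepare('SELECT file_id FROM download_tokens WHERE token = ?');
    $row->execute([$token]);
    return (int) $row->fetchColumn();
}

$token = issueToken($db, 100);
// The main site would now send:
// header('Location: http://www.site2.com/download.php?id=' . $token);
var_dump(redeemToken($db, $token));               // first request with the token
var_dump(redeemToken($db, $token));               // replay of the same URL
var_dump(redeemToken($db, str_repeat('0', 32)));  // token that was never issued
```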

asmith Posted December 12, 2009

Thanks for the reply. I didn't try your way, but I'm sure it will work. The problem with it is, it is making too many connections. It is a simple download, not money transactions.

Thanks for your effort again.