Restricting hotlinking of pages
Posted 30 October 2006 - 11:24 PM
I want to check a page upon loading and make sure the referer is the same domain as what's in the DB. If the referer matches the domain in the DB, then the page is displayed. If there is not a match, then it will just display "Unauthorized Access" or something.
Here is the background...
I have a client web site that is a membership site. We have created a page with informational videos, and members can create a link to this page to post on their own site. Within the URL of the link, the member's username is passed. The code checks the username against the database and verifies that (1) they are a member and (2) they are a member with permission to use the video page. As long as both checks pass, the page appears with the member's name, address and contact info on it.
That part is all fine and dandy. However, someone COULD link to the page using another member's username in the URL, and it will work, it will just have someone else's contact info. Well, the client wants to further restrict it so that the link can ONLY come from the member's domain, and no other domains.
My database contains the member's domain, so I was trying to use http_referer to check the referer against the web site stored in the DB, but I couldn't get it to work. Then I read http_referer isn't reliable and shouldn't be used. ???
Is there a way I can do this, then? I realize .htaccess can be used, but because users are being added, removed and updating info, the .htaccess would always be changing and I don't know that it's possible for me to use PHP to automatically update the .htaccess every time a change is made to the DB?
Posted 30 October 2006 - 11:30 PM
If you want the username already entered, pass the username itself over to a page and request a password. Pass the username with that page, and when they get to the processor, check to make sure the password matches their hashed and databased password. If it does, it redirects them to the page or pages they have access to in the database. Better yet, send them a link to log in and just let them log in like normal people. It just depends, but using referer for something like that is not very safe.
Posted 30 October 2006 - 11:37 PM
Let's say my client is a membership organization for artists. The artists in the organization want to sell their art to people, so they can link to a page that says why people should buy said art. It includes their contact info on each page as long as they are an active member.
So it's a 3rd party accessing the page -- not the member themselves. Therefore, we don't want to password protect it -- the 3rd party viewers wouldn't know the password.
Is that clearer? ???
Posted 31 October 2006 - 12:47 AM
Please, take the time and do some research and find out how much it would have cost you to get your help from a decent paid-for source. A "roll-of-the-dice" freelancer will charge you $5-$15/hr. A decent entry level freelancer will charge you around $15-30/hr. A professional will charge you anywhere from $50-$100/hr. An agency will charge anywhere from $100-$250/hr. Think about all this when soliciting for help here. Think about how much money you are making from the work you are asking for help on. No, we do not expect you to pay for the help given here, but donating a few bucks is a fraction of the cost of what you would have paid, shows your appreciation, helps motivate people to keep offering help without the price tag, and helps make this a higher quality free-help community.
Posted 31 October 2006 - 12:54 AM
There are over 200 members. Each member has a different web site they will be linking from. So when the page mysite.com/page.php?user=bob loads, it needs to look up the user "bob", make sure he's an active member (it already does this part) then check Bob's domain (stored in the DB) and make sure that the link was accessed from that domain, and no other domain. Therefore, Jim can't link to Bob's member page.
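The check described in this thread, as an added example that is not code from any of the posters: it compares the host of the Referer header with the member's stored domain as whole hostnames, so a look-alike host or a domain that only appears in the query string does not pass. The Referer is sent by the visitor's browser and can be absent or forged, so this limits casual hotlinking rather than authenticating anyone. The function names, the `.example` domains and the choice to accept subdomains are assumptions.

```php
<?php
// Added example; function and variable names are hypothetical.

// Lower-cased host with any leading "www." and trailing dot removed, or null.
function normalize_host(?string $value): ?string
{
    $value = trim((string) $value);
    if ($value === '') {
        return null;
    }
    // The DB may hold "bobsart.example" or a full URL; parse_url() needs a scheme.
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $value = 'http://' . $value;
    }
    $host = parse_url($value, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    return preg_replace('/^www\./', '', rtrim(strtolower($host), '.'));
}

// True only when the Referer host equals the member's stored domain or is a
// subdomain of it (assumption). Whole hosts are compared, never substrings.
function referer_matches_domain(?string $referer, ?string $memberDomain): bool
{
    $refHost = normalize_host($referer);
    $dbHost  = normalize_host($memberDomain);
    if ($refHost === null || $dbHost === null) {
        return false; // missing or unparsable value: deny
    }
    $suffix = '.' . $dbHost;
    return $refHost === $dbHost || substr($refHost, -strlen($suffix)) === $suffix;
}

// Constructed values. In page.php the domain would come from the DB row for
// ?user=bob and the referer from $_SERVER['HTTP_REFERER'] ?? null.
$memberDomain = 'www.bobsart.example';
$samples = [
    'http://bobsart.example/gallery.html',       // member's own site
    'http://shop.bobsart.example/',              // subdomain of the member's site
    'http://bobsart.example.other.example/',     // look-alike host
    'http://jimsart.example/?u=bobsart.example', // domain only in the query string
    null,                                        // no Referer sent
];
foreach ($samples as $referer) {
    $ok = referer_matches_domain($referer, $memberDomain);
    printf("%s => %s\n", $referer ?? '(no referer)', $ok ? 'show page' : 'Unauthorized Access');
}
```

Because the lookup happens in PHP against the DB on every request, no `.htaccess` file has to be regenerated when members are added or change their domain.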