
Restricting hotlinking of pages


4 replies to this topic

#1 SommerNyte

SommerNyte
  • New Members
  • Pip
  • Newbie
  • 3 posts

Posted 30 October 2006 - 11:24 PM

I hope I can explain this well enough to get some help.  :)

I want to check a page upon loading and make sure the referer is the same domain as what's in the DB.  If the referer matches the domain in the DB, then the page is displayed.  If there is not a match, then it will just display "Unauthorized Access" or something.

Here is the background...

I have a client web site that is a membership site.  We have created a page with informational videos, and members can create a link to this page to post on their own site.  Within the url of the link, the member's username is passed.  The code checks the username against the database and verifies that (1) they are a member and (2) they are a member with permission to use the video page.  As long as both checks pass, the page appears with the member's name, address and contact info on it.

That part is all fine and dandy.  However, someone COULD link to the page using another member's username in the URL, and it will work, it will just have someone else's contact info.  Well, the client wants to further restrict it so that the link can ONLY come from the member's domain, and no other domains.

My database contains the member's domain, so I was trying to use http_referer to check the referer against the web site stored in the DB, but I couldn't get it to work.  Then I read http_referer isn't reliable and shouldn't be used.  ???

Is there a way I can do this, then?  I realize .htaccess can be used, but because users are being added, removed and updating info, the .htaccess would always be changing and I don't know that it's possible for me to use PHP to automatically update the .htaccess every time a change is made to the DB?

#2 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 30 October 2006 - 11:30 PM

Ok, server variable referer is very helpful.  It's not meant for what you are trying to do.
If you want the username already entered, pass the username itself over to a page, and request a password.  Pass the username with that page, and when they get to the processor, check to make sure the password matches their hashed and databased password.  If it does, it redirects them to the page or pages they have access to in the database.  Better yet, send them a link to log in and just let them log in like normal people.  It just depends, but using referer for something like that is not very safe.



#3 SommerNyte


Posted 30 October 2006 - 11:37 PM

I haven't described it right, or you haven't understood.  :)

Let's say my client is a membership organization for artists.  The artists in the organization want to sell their art to people, so they can link to a page that says why people should buy said art.  It includes their contact info on each page as long as they are an active member.

So it's a 3rd party accessing the page -- not the member themselves.  Therefore, we don't want to password protect it -- the 3rd party viewers wouldn't know the password.

Is that clearer? ???

#4 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 31 October 2006 - 12:47 AM

Change the chmod of the dir where the videos are stored so only the server can access it?

#5 SommerNyte


Posted 31 October 2006 - 12:54 AM

I'm not sure how CHMODing would help at all?

There are over 200 members.  Each member has a different web site they will be linking from.  So when the page mysite.com/page.php?user=bob loads, it needs to look up the user "bob", make sure he's an active member (it already does this part) then check Bob's domain (stored in the DB) and make sure that the link was accessed from that domain, and no other domain.  Therefore, Jim can't link to Bob's member page.
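
The check described in this post, as an added example that is not part of the original thread: it compares the host of the Referer header with the member's stored domain by exact match after normalization. The function names and the `.example`/`.test` domains are assumptions; because the browser supplies Referer and may omit or alter it, as raised earlier in the thread, this acts as a hotlink deterrent rather than as authentication.

```php
<?php
// Added example: function names and the .example/.test domains are hypothetical.

// Reduce a URL or bare domain (as stored in the DB) to a lowercase host without "www.".
function normalize_host(string $value): ?string
{
    $value = trim($value);
    if ($value === '') {
        return null;
    }
    // parse_url() only finds the host when a scheme is present.
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $value = 'http://' . $value;
    }
    $host = parse_url($value, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    return preg_replace('/^www\./', '', strtolower(rtrim($host, '.')));
}

// True only when the Referer host is exactly the member's stored domain.
// A substring test would also accept bobart.example.lookalike.test.
function referer_matches_member(?string $referer, string $memberDomain): bool
{
    if ($referer === null || !preg_match('#^https?://#i', $referer)) {
        return false; // header missing, stripped by the browser, or not a web URL
    }
    $refHost  = normalize_host($referer);
    $expected = normalize_host($memberDomain);
    return $refHost !== null && $expected !== null && $refHost === $expected;
}

// Constructed sample: the domain stored for user "bob" and some Referer values.
// On the real page the header would be read as $_SERVER['HTTP_REFERER'] ?? null.
$bobDomain = 'http://www.bobart.example/';
$samples = [
    'https://bobart.example/gallery.html',        // Bob's own site: allowed
    'http://www.jimart.example/links.html',       // another member's site: denied
    'http://bobart.example.lookalike.test/',      // lookalike host: denied
    'http://other.test/?from=bobart.example',     // domain only in the query: denied
    null,                                         // no Referer sent: denied
];
foreach ($samples as $ref) {
    $verdict = referer_matches_member($ref, $bobDomain) ? 'show page' : 'Unauthorized Access';
    printf("%-42s => %s\n", $ref ?? '(none)', $verdict);
}
```

Visitors whose browser or proxy strips the header fall into the denied branch, so the page needs a decision on how to treat a missing Referer.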



