SommerNyte Posted October 30, 2006

I hope I can explain this well enough to get some help. :)

I want to check a page upon loading and make sure the referer is the same domain as what's in the DB. If the referer matches the domain in the DB, then the page is displayed. If there is not a match, then it will just display "Unauthorized Access" or something.

Here is the background...

I have a client web site that is a membership site. We have created a page with informational videos, and members can create a link to this page to post on their own site. Within the url of the link, the member's username is passed. The code checks the username against the database and verifies that (1) they are a member and (2) they are a member with permission to use the video page. As long as both checks pass, the page appears with the member's name, address and contact info on it.

That part is all fine and dandy. However, someone COULD link to the page using another member's username in the URL, and it will work, it will just have someone else's contact info. Well, the client wants to further restrict it so that the link can ONLY come from the member's domain, and no other domains.

My database contains the member's domain, so I was trying to use http_referer to check the referer against the web site stored in the DB, but I couldn't get it to work. Then I read http_referer isn't reliable and shouldn't be used. ???

Is there a way I can do this, then? I realize .htaccess can be used, but because users are being added, removed and updating info, the .htaccess would always be changing and I don't know that it's possible for me to use PHP to automatically update the .htaccess every time a change is made to the DB?

Ninjakreborn Posted October 30, 2006

Ok, server variable referer is very helpful. It's not meant for what you are trying to do.

If you want the username already entered, pass the username itself over to a page and request a password. Pass the username with that page, and when they get to the processor, check to make sure the password matches their hashed and databased password. If it does, it redirects them to the page or pages they have access to in the database. Better yet, send them a link to log in and just let them log in like normal people. It just depends, but using referer for something like that is not very safe.

SommerNyte (Author) Posted October 30, 2006

I haven't described it right, or you haven't understood. :)

Let's say my client is a membership organization for artists. The artists in the organization want to sell their art to people, so they can link to a page that says why people should buy said art. It includes their contact info on each page as long as they are an active member.

So it's a 3rd party accessing the page -- not the member themselves. Therefore, we don't want to password protect it -- the 3rd party viewers wouldn't know the password.

Is that clearer? ???

.josh Posted October 31, 2006

Change the chmod of the dir where the videos are stored so only the server can access it?

SommerNyte (Author) Posted October 31, 2006

I'm not sure how CHMODing would help at all?

There are over 200 members. Each member has a different web site they will be linking from. So when the page mysite.com/page.php?user=bob loads, it needs to look up the user "bob", make sure he's an active member (it already does this part) then check Bob's domain (stored in the DB) and make sure that the link was accessed from that domain, and no other domain. Therefore, Jim can't link to Bob's member page.
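
The comparison asked about in this thread, as an added example that is not code from any poster: it matches the Referer's host exactly against the member's stored domain and denies when the header is missing. The Referer header is supplied by the visitor's browser and can be omitted or altered, so this limits ordinary link embedding and does not authenticate the linking site. The function names and the `*.example` sample values are hypothetical, and the stored domain is assumed to be a bare host name or a full URL.

```php
<?php
// Added example, not code from the thread. Hypothetical helper names.

// Lower-case a host name, drop a trailing dot and a leading "www.".
function normalize_host(string $host): string
{
    $host = rtrim(strtolower(trim($host)), '.');
    return (strpos($host, 'www.') === 0) ? substr($host, 4) : $host;
}

// True only when the Referer's host is exactly the member's stored domain.
function referer_matches_domain(?string $referer, string $storedDomain): bool
{
    if ($referer === null || $referer === '') {
        return false; // header absent: fail closed
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // relative or unparseable value
    }
    // Assumption: the DB column holds "bob.example" or "http://www.bob.example/".
    $stored = parse_url($storedDomain, PHP_URL_HOST) ?: $storedDomain;
    // Exact comparison; a substring test would accept look-alike hosts.
    return normalize_host($host) === normalize_host($stored);
}

// Constructed sample data: Bob's stored domain and Referer values to classify.
$stored  = 'www.bob.example';
$samples = [
    'http://bob.example/art.html'      => true,
    'https://WWW.BOB.EXAMPLE/links'    => true,
    'http://jim.example/art.html'      => false,
    'http://bob.example.jim.example/'  => false, // stored domain is only a prefix
    'http://jim.example/?r=bob.example' => false, // stored domain only in the query
    ''                                 => false, // no Referer sent
];
foreach ($samples as $referer => $expected) {
    $got = referer_matches_domain($referer, $stored);
    printf("%-36s %-5s %s\n", $referer === '' ? '(no Referer)' : $referer,
        $got ? 'allow' : 'deny', $got === $expected ? 'ok' : 'MISMATCH');
}
// In page.php the call would take $_SERVER['HTTP_REFERER'] ?? null and the
// domain column of the row looked up for ?user=... (column name is an assumption).
```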