
View Full Version : Referring URL



pyius
03-11-2005, 06:21 PM
I've made an upload script, but I don't want people to just upload using an external website that links to mine.

Is there any way to disable this? Such as looking at a referring URL and making sure it's coming from my file or site or something?


Thanks,
--pyius

devinemke
03-11-2005, 06:28 PM
though not very reliable, you could use $_SERVER['HTTP_REFERER']

Kurashu
03-11-2005, 06:47 PM
Use a visual security code (like when you sign up for a free email account or an AIM account).

I'm not sure how to set one up, but I'm sure someone here does.

pyius
03-11-2005, 06:58 PM
I've already tried the $_SERVER['HTML_REFERER'] variable, and there are no variables in phpinfo() that I could use to get referring file.

The only thing I've got right now is a session variable. It works for now, and it disables the use of using a form to go to my site, however, if you refresh the page, then it resends the file and it gets past my SESSION variable.

Is there a way to set the session variable to set whenever you click Submit or something?


Thanks,
--pyius

Kurashu
03-11-2005, 07:12 PM
Use this:


$_SESSION['varname'] = $_POST['varname'];

pyius
03-11-2005, 07:31 PM
That won't work, because they can set my session variables via a form script. I think I may have thought of something that may work, I'll test it and post back.


--pyius

Fou-Lu
03-11-2005, 07:34 PM
I'm confused by what your script does. I mean, it's an upload script whose function is to upload only from your site? Or do you mean you don't want other sites linking to your upload script allowing their users to create files on your server?
Your use of sessions is your best route, create a simple validation for it, perhaps a small login system, etc. You could use the referrer, but that's not exactly reliable since it can be modified. Sooo... yeah, go with the sessions. But whatever you make of it, do not create a hidden field through your form. That would just allow your variables to be identified y'know, lol.


Got in there before me ;)
You can get around the problem of the session setting by creating a form on one script and the upload on another. The only way they can set the session variables that are required is if they remote linked your site through an iframe, or have followed a link.

pyius
03-11-2005, 08:05 PM
First of all, the page is a public uploading site (ezupload.org). It's a pretty good website so far. And I'm adding more features daily. You upload a file, and based on the content-type (not the extension), it finds out if it should be an image or file and sets the maxfiletype accordingly.


Well, I did go through sessions. At first I thought it would work, and in theory it should, however, it wasn't.

What I did do (which I thought was a really good idea) was something like:


<script language="JavaScript">
function post() {
<?php
$_SESSION['uploading_from_site'] = "1";
?>
}
</script>

<form onSubmit="post()">

And with that, they couldn't see what the post() script did, so I thought it would work, however, the session stayed or something. I'm not sure exactly.

So what I did do is create a hidden field. However, the catch is that the field is based on an MD5 encryption that changes with date (amongst other things), so that if they did decide to copy/paste my code, they would have to change it daily. I think that will work for now until I can find a better way.


Another question, is there a way to clear the "cache" for the current page. I mean, if I upload a file, if you click refresh, it will ask to send the info again and re-upload another file (which I don't want it to do).


--pyius

4xz
03-11-2005, 08:28 PM
Using php code to restrict access to files on your site is only useful in 2 cases:
1) Files are stored as binary data in the database.
2) Files are stored outside the world-visible part of your webserver.

In both cases a script should show the files to the outside world. This script can then be used to restrict access....

In most other cases, where the files are stored on the filesystem, the only way to restrict deeplinking is to work with .htaccess files or edit the web server configuration files.

pyius
03-11-2005, 08:58 PM
It's a public uploading service. Meaning, if you need to host an image (like imageshack.us) then you just upload it and it gives you a direct url in which you can post in your BLOG or Website. If you needed to upload a file, then it gives you a link to where it will go to my site in which you just click download to download the file.

I'm not trying to restrict access to files, I'm trying to make it, so if you want to upload, then you have to go straight to my site to upload, rather than going to another website and using their form for my uploading service.

The file is located in a database along with an assigned ID number to match the file.


--pyius

Fou-Lu
03-12-2005, 04:52 AM
Hmm.
Yeah, the javascript function wouldn't work as sessions cannot be altered on client side, the request needs to go to the server.
What I mean, is that when people create their own forms, they would link them to your site:


<form action="http://youruploadsite.com/youruploadscript.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" />
<input type="submit" value="Upload" />
</form>

Now, my suggestion would be to separate your actual form, and send it to your upload script, something simple:


<?php
session_start();

// Mark this session as having loaded the real form.
$_SESSION['atform'] = 1;

?>
<form action="./upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" />
<input type="submit" value="Upload" />
</form>

Then send this to your upload script:


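<?php
session_start();

if (!isset($_SESSION['atform']))
{
    // No flag in the session: the request did not come through form.php.
    header("Location: ./form.php");
    exit;
}
else
{
    // Your upload process.

    // Clear the flag so a repeated POST is sent back to the form.
    unset($_SESSION['atform']);
}
?>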

You could do more with this as well, but that's probably about the most reliable way you can do it without switching to something secure. The first file will set the session variable, while the second will access it. If it doesn't find the file, you will need to send the user back to the form. Another good option would be to create users where they need to log in. That could help for your purposes.
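
An added example, not part of the thread or any poster's code: a variant of the session check above that keeps a random one-time token in the session and in a hidden form field, so the value cannot be guessed or reused and a refresh cannot re-submit the upload. The function names, the `upload_token` key and the plain array standing in for `$_SESSION` are assumptions made for the illustration.

```php
<?php
// Added example: one-time upload token. All names here are hypothetical.

// Called by the page that renders the form: mint a random token and remember it.
function issue_upload_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // random per form load, not derived from the date
    $session['upload_token'] = $token;
    return $token;
}

// Called by the upload handler: accept a token at most once.
function consume_upload_token(array &$session, ?string $submitted): bool
{
    $expected = $session['upload_token'] ?? null;
    unset($session['upload_token']);      // single use: a repeated POST finds nothing
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);  // constant-time comparison
}

// Constructed demonstration; a plain array stands in for $_SESSION.
$session = [];
$token = issue_upload_token($session);

// Hidden field the form page would emit next to the file input.
$field = '<input type="hidden" name="upload_token" value="'
       . htmlspecialchars($token, ENT_QUOTES) . '" />';
echo $field, PHP_EOL;

// 1) First POST from our own form.
var_dump(consume_upload_token($session, $token));
// 2) Browser refresh re-sends the same POST body.
var_dump(consume_upload_token($session, $token));
// 3) Session that never loaded our form, with a made-up value.
$other = [];
var_dump(consume_upload_token($other, 'constructed-value'));
```

In upload.php, call session_start() and pass `$_SESSION` and `$_POST['upload_token'] ?? null`; a false result means sending the visitor back to the form. The check shows only that the same session loaded the form first, so the login suggested above remains the stronger control.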


