  1. #1
    Regular Coder student101's Avatar
    Join Date
    Nov 2007
    Posts
    634
    Thanks
    80
    Thanked 15 Times in 15 Posts

    Question if !in_array "allow" or "deny" ?

    I have 4 pages setup with this code below, deny.php doesn't have it.
    It's not working like it's meant to, it keeps going deny.php.
    PHP Code:
    $referer = $_SERVER['HTTP_REFERER'];
    $fromURL = array("1.php","2.php","3.php","4.php");
    if(!in_array($referer,$fromURL)) {
    header('Location: deny.php');
    exit;
    }

    Any ideas on how to verify that you are from the pages from within the site?
    This code is so bad it's actually an embarrassment.

    Cheers
    Thanks for your support!
    Update MySQL with checkboxes | Tell A Friend | Delete MySQL with checkboxes

    Give thanks & resolve when done :thumbsup:

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    You're right, you should be embarrassed
    I'm just kidding. It's close. I'm about 95% certain that HTTP_REFERER includes all the url information. So, use parse_url to get just the targeted script name.

    This isn't a great great method though. The problem with it is that a proxy can be used with the same page names, and would validate to true. Instead, consider using sessions to verify that pages are from the current site. If you set a $_SESSION['curpage'] to always equal $_SERVER['SCRIPT_NAME'] somewhere on a load, then when you hit this page it will contain the previous call to SCRIPT_NAME (which should correspond with one of your pages in the array).
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    Regular Coder student101's Avatar
    So I could use this?
    PHP Code:
    $page = basename($_SERVER['SCRIPT_NAME']);
    $page = explode(".", $page);
    $page = strtolower($page[0]);
    $_SESSION['curpage'] = $page;

  • #4
    God Emperor Fou-Lu's Avatar
    Lessee, yeah that looks like it would work. Then use $_SESSION['curpage'] as the value on the next page.
    Instead of using basename + explode, consider using pathinfo instead.
    PHP Code:
    $page = pathinfo($_SERVER['SCRIPT_NAME'], PATHINFO_BASENAME);
    Something like that.

    Edit:
    Oh yeah, I should mention. SCRIPT_NAME refers to the executing script, not the specific file:
    PHP Code:
    // include.php
    print $_SERVER['SCRIPT_NAME'];

    // Index:
    require 'include.php'; // Prints index.php, not include.php
    This is likely what you're wanting to do.

  • #5
    Regular Coder student101's Avatar
    Forgive me for not fully understanding...
    PHP Code:
    $referer = $_SERVER['HTTP_REFERER']; // this goes or stays
    $fromURL = array("1.php","2.php","3.php","4.php"); //these change or not?
    if(!in_array($referer,$fromURL)) {
    header('Location: deny.php');
    exit;
    }


  • #6
    God Emperor Fou-Lu's Avatar
    Going from the session side?
    PHP Code:
    <?php
    session_start();
    $page = isset($_SESSION['curpage']) ? $_SESSION['curpage'] : '';
    $aAllowed = array("1.php","2.php","3.php","4.php");
    if (!in_array($page, $aAllowed))
    {
        header("Location: deny.php");
        exit();
    }
    ?>
    This assumes that curpage is set successfully into the session(s) from the referring page.

  • #7
    Regular Coder student101's Avatar
    Based on that;
    PHP Code:
    <?php
    session_start();
    $page = pathinfo($_SERVER['SCRIPT_NAME'], PATHINFO_BASENAME); //just added this in to test
    //$page = isset($_SESSION['curpage']) ? $_SESSION['curpage'] : ''; //this must come out to work
    $aAllowed = array("1.php","2.php","3.php","4.php");
    if (!in_array($page, $aAllowed)){
    header("Location: deny.php");
    exit();
    }
    ?>

    <a href="1.php">link1</a> <a href="2.php">link2</a> <a href="3.php">link3</a> <a href="4.php">link4</a>
    Each clicked link goes to deny.php is that right?
    Last edited by student101; 03-13-2009 at 11:51 AM.

  • #8
    God Emperor Fou-Lu's Avatar
    You don't want to set the $page on this one (sorry, in the way that you are using it). For this, you'd use the $_SERVER['HTTP_REFERER'] instead of the $_SERVER['SCRIPT_NAME']. The script name would be used in conjunction with the $_SESSION to set the session value on the previous page (before loading this one).
    With the links at the bottom of this page, it looks like this isn't quite what you want to do. Once you click one of those links, the referer and the script name will become whatever __FILE__ is (so whatever the name of this script is).
    Does that make sense?
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
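
The session approach from posts #2, #6 and #8, with both halves in one file, as an added example that is not code from the thread: every page stores its own name in `$_SESSION['curpage']`, and the guarded page reads the previous value before overwriting it. The function names, the `PROTECTED_PAGE` constant and `submit.php` are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. swap_current_page(),
// is_allowed_previous(), PROTECTED_PAGE and submit.php are hypothetical names.
declare(strict_types=1);

// Page names taken from the thread's allow-list.
const ALLOWED_PREVIOUS = ['1.php', '2.php', '3.php', '4.php'];

/** Return the page the previous request stored, then store the current one. */
function swap_current_page(array &$session, string $scriptName): string
{
    $previous = $session['curpage'] ?? '';
    $session['curpage'] = pathinfo($scriptName, PATHINFO_BASENAME);
    return is_string($previous) ? $previous : '';
}

/** Strict allow-list test; '' (no earlier page in this session) is denied. */
function is_allowed_previous(string $previous): bool
{
    return in_array($previous, ALLOWED_PREVIOUS, true);
}

if (PHP_SAPI !== 'cli') {
    // Web use: require this file at the top of 1.php ... 4.php and of the
    // guarded page; only the guarded page defines PROTECTED_PAGE beforehand.
    session_start();
    $previous = swap_current_page($_SESSION, $_SERVER['SCRIPT_NAME']);
    if (defined('PROTECTED_PAGE') && !is_allowed_previous($previous)) {
        header('Location: deny.php');
        exit;
    }
} else {
    // Constructed request sequence; a plain array stands in for $_SESSION.
    // The verdict only matters on the guarded page (submit.php here).
    $session = [];
    foreach (['/submit.php', '/2.php', '/submit.php'] as $hit) {
        $previous = swap_current_page($session, $hit);
        printf("%-12s previous=%-11s %s\n", $hit,
            $previous === '' ? '(none)' : $previous,
            is_allowed_previous($previous) ? 'allow' : 'deny');
    }
}
```

The guard only shows that the same session requested one of the listed pages immediately before this one, so a client that fetches 1.php and keeps its cookie passes it, and a visitor browsing in two tabs can be denied.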

  • #9
    Regular Coder student101's Avatar
    Sort of...
    This $_SERVER['SCRIPT_NAME'] works better than $_SERVER['HTTP_REFERER']
    I may have explained wrong.

    When opening a web site, say "example.com"
    Clicking on any link in "example.com" must be validated against other links/pages that exist in that site, otherwise denied.

    I am trying to get rid of human/bot comment spammers.
    Unless these bots can click links they are denied.

    I hope what I am saying makes sense.

  • #10
    God Emperor Fou-Lu's Avatar
    Bots can be told (and are supposed to adhere) to not follow any links.
    The problem is, none of this actually prevents this. The idea of checking the referrer is to ensure that the request is made just from your site, and not from another. This technique tends to be used more often for forms though.

    This all depends a lot on what you're allowing from your users. If you force a user login system, then only those users should be able to say post comments. If you want anonymous users, a captcha often does the trick.
    The biggest problem with the $_SERVER superglobal is that most of it can be altered by the browsing user. The REMOTE_ADDR, HTTP_REFERER, CONTENT_TYPE, all sorts of things, so it's not overly reliable.

    Could you try to explain sort of what you're trying to achieve in a use case or sequence style? (User clicks on 'Control Panel', we want to check if they have access, for example). I'm just trying to figure out exactly what you're trying to do.

  • #11
    Regular Coder student101's Avatar
    I'll try my best.
    I followed a tutorial on how to build a link exchange system.
    To add a link you click on or open the submission page with a link.

    Every day I get about 5 or so dummy links, they are added to pages for other bots to harvest. (I must have done someone in for this to happen)
    I have tried two separate captcha systems which work wonders on my other sites.
    I have tried: renaming pages/forms/inputs even password protecting the page, still no luck.

    Do you need more info? //that was a stupid question
    Edit: If anyone adds a link from example.com or example.com/links, unless they came from my site or are allowed they are denied with a 403 : Forbidden
    Last edited by student101; 03-13-2009 at 12:36 PM.

  • #12
    God Emperor Fou-Lu's Avatar
    Is your edit what is currently happening, or what you'd like to happen?

    Sounds like you're just getting spammed. We get that a lot on the forums here - last night I banned 3 accounts and cleaned up about 10 - 15 posts. Jeremy was online too, and doing some of his own cleaning from the looks of it.
    If the links are dummy links, you can probably try to curl them first for a head. If it succeeds, it's likely a real site, otherwise, I'd just deny. I'm a little curious of what's happening, can you post a link for the tutorial you followed?
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
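
The "curl them first for a head" check from post #12, as an added example that is not code from the thread; it goes slightly further than the post by refusing non-http(s) URLs and hosts that resolve to loopback, private or reserved addresses, since the URL comes from an untrusted submitter. It assumes PHP's curl extension; `public_target()` and `link_responds()` are hypothetical names.

```php
<?php
// Added example, not thread code; public_target()/link_responds() are hypothetical.
declare(strict_types=1);

/** Return [host, port, ip] for an http(s) URL on a public IPv4 host, else null. */
function public_target(string $url): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // IP literal: use as is; name: resolve (IPv4 only, so AAAA-only hosts fail closed).
    $isIp = filter_var($p['host'], FILTER_VALIDATE_IP) !== false;
    $ips = $isIp ? [$p['host']] : (gethostbynamel($p['host']) ?: []);
    foreach ($ips as $ip) {
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return null; // loopback, private or reserved address
        }
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $ips === [] ? null : [$p['host'], $port, $ips[0]];
}

/** HEAD request with short timeouts; true when the site answers 2xx or 3xx. */
function link_responds(string $url): bool
{
    $target = public_target($url);
    if ($target === null) { return false; }
    [$host, $port, $ip] = $target;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY => true,                 // HEAD instead of GET
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,        // a redirect could point inward
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE => ["$host:$port:$ip"], // connect to the address just checked
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT => 5,
    ]);
    curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return $code >= 200 && $code < 400;
}
```

Some servers answer HEAD with 405, which this function reports as not responding.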

  • #13
    Regular Coder student101's Avatar
    I would like that to happen.

    Each page would need the code or even the .htaccess would allow or disallow based on input added by me.

    It seems like a complicated method but I think that each site should have an access list of sorts.
    If you ask nicely and follow the rules you get in, otherwise no.

    Edit:
    Forgot the link.
    link exchange tut

    I test my .htaccess with this tester
    Last edited by student101; 03-13-2009 at 12:55 PM.

  • #14
    God Emperor Fou-Lu's Avatar
    I'll check the links out when I get home (getting close to ending work, so I guess I gotta do some work).
    Until then, here is a link I found for combating spam with .htaccess:
    http://codex.wordpress.org/Combating...Denying_Access

    That may be of some help. Looks like its intention is to directly protect the posted to script.

  • #15
    Regular Coder student101's Avatar
    Using this in the meantime; too bad it's not dynamic!
    Code:
    RewriteEngine on
    # Options +FollowSymlinks
    RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} anotherbadsite\.com
    RewriteRule .* - [F]
    That one seems better than mine, thanks for your time here Fou-Lu