Thread: Referring URL

  1. #1
    New to the CF scene

    Referring URL

    I've made an upload script, but I don't want people to just upload using an external website that links to mine.

    Is there any way to disable this? Such as looking at a referring URL and making sure it's coming from my file or site or something?


    Thanks,
    --pyius

  • #2
    Regular Coder devinemke
    though not very reliable, you could use $_SERVER['HTTP_REFERER']

  • #3
    Regular Coder
    Use a visual security code (like when you sign up for a free email account or an AIM account).

    I'm not sure how to set one up, but I'm sure someone here does.

  • #4
    New to the CF scene
    I've already tried the $_SERVER['HTML_REFERER'] variable, and there are no variables in phpinfo() that I could use to get referring file.

    The only thing I've got right now is a session variable. It works for now, and it disables the use of using a form to go to my site, however, if you refresh the page, then it resends the file and it gets past my SESSION variable.

    Is there a way to set the session variable to set whenever you click Submit or something?


    Thanks,
    --pyius

  • #5
    Regular Coder
    Use this:

    PHP Code:
    $_SESSION['varname'] = $_POST['varname']; 

  • #6
    New to the CF scene
    That won't work, because they can set my session variables via a form script. I think I may have thought of something that may work, I'll test it and post back.


    --pyius

  • #7
    God Emperor Fou-Lu
    I'm confused by what your script does. I mean, it's an upload script whose function is to upload only from your site? Or do you mean you don't want other sites linking to your upload script allowing their users to create files on your server?
    Your use of sessions is your best route, create a simple validation for it, perhaps a small login system, etc. You could use the referrer, but that's not exactly reliable since it can be modified. Sooo... yeah, go with the sessions. But whatever you make of it, do not create a hidden field through your form. That would just allow your variables to be identified y'know, lol.

    Edit:
    Got in there before me
    You can get around the problem of the session setting by creating a form on one script and the upload on another. The only way they can set the session variables that are required is if they remote linked your site through an iframe, or have followed a link.
    Last edited by Fou-Lu; 03-11-2005 at 06:41 PM.

  • #8
    New to the CF scene
    First of all, the page is a public uploading site (ezupload.org). It's a pretty good website so far. And I'm adding more features daily. You upload a file, and based on the content-type (not the extension), it finds out if it should be an image or file and sets the maxfiletype accordingly.


    Well, I did go through sessions. At first I thought it would work, and in theory it should, however, it wasn't.

    What I did do (which I thought was a really good idea) was something like:

    Code:
    <script language="JavaScript">
      function post() {
        <?php
          $_SESSION['uploading_from_site'] = "1";
        ?>
      }
    </script>
    
    <form onSubmit="post()">

    And with that, they couldn't see what the post() script did, so I thought it would work, however, the session stayed or something. I'm not sure exactly.

    So what I did do is create a hidden field. However, the catch is that the field is based on an MD5 encryption that changes with date (amongst other things), so that if they did decide to copy/paste my code, they would have to change it daily. I think that will work for now until I can find a better way.


    Another question: is there a way to clear the "cache" for the current page? I mean, if I upload a file, if you click refresh, it will ask to send the info again and re-upload another file (which I don't want it to do).


    --pyius

  • #9
    4xz
    Regular Coder
    Using php code to restrict access to files on your site is only useful in 2 cases:
    1) Files are stored as binary data in the database.
    2) Files are stored outside the world-visible part of your webserver.

    In both cases a script should show the files to the outside world. This script can then be used to restrict access....

    In most other cases, where the files are stored on the filesystem, the only way to restrict deeplinking is to work with .htaccess files or edit the web server configuration files.

  • #10
    New to the CF scene
    It's a public uploading service. Meaning, if you need to host an image (like imageshack.us) then you just upload it and it gives you a direct url in which you can post in your BLOG or Website. If you needed to upload a file, then it gives you a link to where it will go to my site in which you just click download to download the file.

    I'm not trying to restrict access to files, I'm trying to make it, so if you want to upload, then you have to go straight to my site to upload, rather than going to another website and using their form for my uploading service.

    The file is located in a database along with an assigned ID number to match the file.


    --pyius

  • #11
    God Emperor Fou-Lu
    Hmm.
    Yeah, the javascript function wouldn't work as sessions cannot be altered on client side, the request needs to go to the server.
    What I mean, is that when people create their own forms, they would link them to your site:
    Code:
    <form action="http://youruploadsite.com/youruploadscript.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="submit" value="Upload" />
    </form>
    Now, my suggestion would be to separate your actual form, and send it to your upload script, something simple:
    PHP Code:
    <?php
    // form.php: mark the session as having loaded the real form.
    session_start();

    $_SESSION['atform'] = 1;

    ?>
    <form action="./upload.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file" />
    <input type="submit" value="Upload" />
    </form>
    Then send this to your upload script:
    PHP Code:
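    <?php
    // upload.php: accept the upload only if form.php set the flag in this session.
    session_start();

    if (!isset($_SESSION['atform']))
    {
        // No flag: the request did not come through form.php, so send the visitor there.
        header("Location: ./form.php");
        exit;
    }
    else
    {
        // Your upload process.

        // Clear the flag so each upload requires a fresh visit to the form.
        unset($_SESSION['atform']);
    }
    ?>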
    You could do more with this as well, but that's probably about the most reliable way you can do it without switching to something secure. The first file will set the session variable, while the second will access it. If it doesn't find the file, you will need to send the user back to the form. Another good option would be to create users where they need to log in. That could help for your purposes.
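
Added example, not part of the thread or any poster's code: the session check from post #11 extended into a random, single-use token that form.php would issue into a hidden field and upload.php would consume, so a copied form carries no valid value and a refreshed POST is rejected. The function names and the `upload_token` key are hypothetical, and a plain array stands in for `$_SESSION` so the file runs from the command line.

```php
<?php
// Added example: one-time upload token bound to the visitor's session.
// Function names and the 'upload_token' key are hypothetical.
declare(strict_types=1);

// Called by the page that renders the form (form.php in the thread).
// The returned value goes into a hidden <input name="upload_token">.
function issue_upload_token(array &$session): string
{
    // 32 bytes from the CSPRNG: unpredictable, unlike a hash derived from the date.
    $token = bin2hex(random_bytes(32));
    $session['upload_token'] = $token;
    return $token;
}

// Called first thing by the script that receives the POST (upload.php).
function consume_upload_token(array &$session, ?string $submitted): bool
{
    $expected = $session['upload_token'] ?? null;

    // Single use: drop the stored token whether or not the check passes,
    // so re-sending the same POST (browser refresh) cannot succeed twice.
    unset($session['upload_token']);

    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison of the stored and submitted values.
    return hash_equals($expected, $submitted);
}

// Constructed walk-through; in a real page pass $_SESSION after session_start().
$session = [];
$token = issue_upload_token($session);

// 1. The form issued above is submitted once.
var_dump(consume_upload_token($session, $token));

// 2. The same POST is re-sent by refreshing the result page.
var_dump(consume_upload_token($session, $token));

// 3. A form copied to another site posts without a current token.
issue_upload_token($session);
var_dump(consume_upload_token($session, null));
```

In upload.php, following a successful upload with `header('Location: ...')` and `exit` makes a refresh reload the result page instead of re-sending the POST.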

