Security Issue

Anon

Does anyone know how to stop people from reloading or pointing to a php script directly?

Example: I have a script that gives 50 points to a user when they sign up. if you reload that script it gives them 100 points!

Another example i have a script that has many
different steps

member.php?step1
member.php?step5
member.php?admin

in cgi I can stop this by check to see if it came from the server. can this be done in php?

here is what I used in cgi to do this..

at the top of my cgi scrit I put this

@referers = ("www.$ENV{'SERVER_NAME'}","$ENV{'SERVER_NAME'}");

in a sub I want protected I place this inside

&checkreferer if (@referers);

and here are the sub it refers to..
I put these on the bottom of my cgi scripts.

sub errorme {
print "Content-type: text/html\n\n";
print "Sorry you can not do that!\n";
exit;
}

sub checkreferer {
local($check_referer) = 0;

	if ($ENV{'HTTP_REFERER'}) {
	foreach $referer (@referers) {
	if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
	$check_referer = 1;
	last;
	}
	}
	}
	else { $check_referer = 2; }
if ($check_referer != 1) { 
$error_status = "timeout";
&errorme; 
}

}

I am looking for a way to do this in php.
Please help..

Thanks, in advance.

yelvington

Read the section of the manual that describes variables from outside PHP. Not surprisingly, a PHP process gets pretty much the same information as a Perl process.

Anon

what manual are you refering to?

I tried conveting to use on php but I had no luck.

yelvington

The PHP manual, of course.

http://www.php.net/manual/en/language.variables.external.php

http://www.php.net/manual/en/language.variables.predefined.php

If you are running PHP on Apache, $HTTP_REFERER should contain exactly the same information as would $ENV{'HTTP_REFERER'} in Perl.

Anon

I under stand about the $HTTP_REFERER

but I can't get my script working.
for one thing I am not sure @referral
is not supported in php. "@" this always give me a error..

I loaded them up in a array but no luck because the script refers to

for each @referral and I am not sure how to pull out of the array.

Anon

I know I am doing something wrong this is what I have so far.. note I took the array out tring make the script as simple as possible.

$ref = "www.$SERVER_NAME";
$ref2 = "$SERVER_NAME";

if ($HTTP_REFERER =~ m|https?://([^/]*)$ref|i):
$check_referer = 1;

elseif ($HTTP_REFERER =~ m|https?://([^{/]*)$ref2|i):}
$check_referer = 1;

else:
$check_referer = 2;
if ($check_referer != 1){
print "Sorry you can not do that!\n";

yelvington

Well, you can't expect PHP to interpret Perl, and you are doing just that. Constructs like "=~" are meaningless to PHP. (Actually PHP may be interpreting that as an assignment of a bitwise NOT, which is definitely NOT what you want!)

Similarly, the @ sign has a meaning that is specific to PHP: When prepended to a function call, it tells PHP to suppress any error messages that might be generated by that function call.

I've been avoiding just reimplementing your code in PHP because if you don't struggle with it yourself you won't learn how, but ...
<?
$url = parse_url($HTTP_REFERER);
if ($url[host] != $HTTP_HOST) header('Location: login.php')
?>

This tells PHP to parse the HTTP_REFERER server variable into an associative array. You then can compare $url[host] with $HTTP_HOST and see if they match. If they don't, the header() call kicks the user to another page, which in this example is login.php.

This code will fail, by the way, under any of the following conditions:

You have a link from another one of your pages that changes the domain from www.whatever.com to whatever.com, or vice versa. That's the primary reason the Perl code you posted is so jibbered up. It's handling that situation. You could accomplish the same thing in PHP, and in fact you could write better code, but I'll leave that for you to work out.
You output anything other than a header before calling this code snippet. Even a single space will cause PHP to error on the header() call.
You use a server that doesn't populate $HTTP_REFERER and $HTTP_HOST properly. The example code works fine with Apache.