Security Issues - please help - PHPBuilder Forums

Security Issues - please help

ado_civon

Ok, i'm having one major problem:

I've set up a website which allows files to be downloaded from it using following command:

action=downloadfile
filename=........?.........
directory=.......?..........

It's a FREE download, but i hate it when other sites dynamically include my script and use it on their page.
Not only that, but some go through my page and even copy the file link from my page to theirs.

is there php code that can stop my script to be dynamically included somewhere else? (like a protection algorithm)

i guess the link copy thing is not much of an issue as no one can get everything out of my page, its got a lot of files.

one solution i thought of is having the script check for where the command came from (host) but when they dynamically include the page, the request will appear to be coming from the host which is then useless.

I'd appreciate it a lot if somebody could help me.

Thank you in advance!

PHPMagician

If I understand the problem you should be able to define this:

define('IN_MINE',1);

in the script from which you are including the script in question.

Within the script in question have:

if(!defined('IN_MINE'))
{
    exit('get lost');
}

ado_civon

does

define('IN_MINE",1); set IN_MINE to 1 (ie. TRUE) on server side

then you check if 'IN_MINE' is defined and else tell the other's to piss off

if thats true then yeah, that should definately be the solution to my problem

also i am thinking to have sessions passed around that way if session exists on server, allow access.

hehe now this comes in my head when i think about the problem...

Thank you!

access9

You can use sessions to control access to your script. Take these two scripts for example:

// Say this is the page that people would download from.
mainHtml.php:

<?php
session_name('MyPrivateScript');
session_start();

// Sets the $_SESSION var that the script this form is posted to will check for.
// change MyReferer to whatever you want, assign it what ever you want.
if (! isset($_SESSION['MyReferer']) )
    $_SESSION['MyReferer'] = $_SERVER['PHP_SELF'];
?>
<html><body>
<form action="myScript.php" method="post">
<input type="file" name="testFile">
<input type="submit" name="submitTest" value="Upload File">
</form>
</body>
</html>

This script is hit after the user clicks "Upload File". It will not continue unless the same session is started and checks the $SESSION var your set in the mainHtml.php file before processing the $POST data.
myScript.php:

<?php
session_name('MyPrivateScript');
session_start();

// checks for the session var MyReferer
if ( isset($_SESSION['MyReferer']) )
{
    // script continues here
}
else
{
    echo "<p>Unauthorized access</p>\n";
    exit();
}
?>

Obfuscate the session name and the session variable you're setting to make it more difficult for someone to get to your script.

Hope that helps.

-a9

ado_civon

thank you very much for the reply...

instead of having
else
{
echo "<p>Unauthorized access</p>\n";
exit();
}

can i have
else
{
go to some website such as access_denied.php
exit
}

but where access_denied logs their IP and more of their data if possible so i can lock them out if i see them to be a major threat?

access9

can i have
else
{
go to some website such as access_denied.php
exit
}

Sure, use:

header("Location: http://www.mysite.com/access_denied.php");

but where access_denied logs their IP and more of their data if possible so i can lock them out if i see them to be a major threat?

If they have a dynamic IP, it may be a little difficult. You could try to set a cookie and check how many times they've received the "access denied" message.

-a9