Restricting access only when server accessing -Blocks access when typed in addressbar

Discussion in 'PHP' started by Melvinng, Mar 11, 2008.

  1. #1
    Hey,

    I have a remote PHP file that echoes out some JavaScript on another domain. The PHP file accepts GET values. How could I go about preventing users from directly accessing the PHP file from the address bar, while the remote file that is linked still works?

    So I want to stop users going to..

    http://mydomain.com/out/remote.php

    But if the PHP file is called like so...

    <script type="text/javascript" src="http://mydomain.com/out/remote.php?user=yarr"></script>

    It will continue to work fine.

    I'm thinking maybe .htaccess?

    Thanks
     
    Melvinng, Mar 11, 2008 IP
  2. joebert

    #2
    Just so you know, it's simply not possible to do with a 100% success rate.

    The closest sane method is to check the referer header & RewriteRule to a dummy file when that header contains a blank or unwanted value.

    You can do this with htaccess, it works similarly to hotlink image protection.
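    RewriteEngine On
    # The Referer is a full URL, so match its host part rather than the end of the string
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
    RewriteRule remote\.php$ - [NC,F,L]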
    Code (markup):
     
    joebert, Mar 11, 2008 IP
  3. Melvinng

    #3
    But this method also blocks off streaming, right? So I am unable to stream the remote.php?file=wfeewf in a flash player?

    How can I modify it so that it works with streaming?
     
    Melvinng, Mar 11, 2008 IP
  4. CodyRo

    #4
    
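    <?php

    // The $_SERVER key is spelled HTTP_REFERER and holds a full URL, so compare only its host
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    if (parse_url($referer, PHP_URL_HOST) == "youdomain.com")
    {
       // woo welcome aboard matey's!
    } else {
       header("Location: index.php");
       exit; // stop here so nothing else is output after the redirect
    }

    ?>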
    
    PHP:
    Not fool proof .. REFERRER isn't always passed .. it's dependent on certain settings and so forth.

    Obviously mod the PHP accordingly :)
     
    CodyRo, Mar 12, 2008 IP
  5. joebert

    #5
    Do a test request with Flash (easiest if it's on a test server) & check the access log to see if Flash is passing its custom user-agent string ("Shockwave Flash") when you're streaming. I know Flash sends that custom header when doing file uploads from an SWF, otherwise it uses the browser's credentials. If streaming is not using the browser's credentials it may be doing the same thing file uploads do. In which case you can check the referer header, or "Shockwave Flash" for the value of the user-agent header.
     
    joebert, Mar 12, 2008 IP
  6. Melvinng

    #6
    Yep, it has its custom user-agent. What is the PHP code to restrict only 1 user-agent, because the above PHP code also blocks out the Flash although it's on the same site?

    Regards,
     
    Melvinng, Mar 12, 2008 IP
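
The check discussed in posts #2 to #6, combined into one function, as an added example that is not code from any poster in this thread. `ALLOWED_HOSTS`, `is_embedded_request()` and the sample requests are constructed for illustration. Both headers are supplied by the client, so this only filters casual direct visits, as post #2 points out.

```php
<?php
// Added example. ALLOWED_HOSTS lists the sites allowed to embed remote.php (assumed values).
const ALLOWED_HOSTS = ['yourdomain.com', 'www.yourdomain.com'];
// User-Agent value the thread reports Flash sending for its own requests.
const FLASH_UA = 'Shockwave Flash';

/**
 * Return true when the request looks like an embedded load (script tag or
 * Flash stream) rather than a direct address-bar visit.
 * $server has the same shape as $_SERVER.
 */
function is_embedded_request(array $server): bool
{
    // Flash requests carry no useful Referer here, so accept them by User-Agent.
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if ($ua === FLASH_UA) {
        return true;
    }

    // The key is HTTP_REFERER (one R). The value is a full URL, so extract
    // the host and compare it exactly; a substring test would also accept
    // hosts such as yourdomain.com.example.net.
    $referer = $server['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);

    // A missing or malformed Referer gives null/false and is denied.
    return is_string($host) && in_array(strtolower($host), ALLOWED_HOSTS, true);
}

// Constructed sample requests covering the cases raised in the thread.
$samples = [
    'typed in address bar'   => ['HTTP_USER_AGENT' => 'Mozilla/5.0'],
    'script tag on own page' => ['HTTP_USER_AGENT' => 'Mozilla/5.0',
                                 'HTTP_REFERER'    => 'http://yourdomain.com/page.html'],
    'Flash stream'           => ['HTTP_USER_AGENT' => 'Shockwave Flash'],
    'look-alike host'        => ['HTTP_USER_AGENT' => 'Mozilla/5.0',
                                 'HTTP_REFERER'    => 'http://yourdomain.com.example.net/'],
];

foreach ($samples as $label => $server) {
    printf("%-24s %s\n", $label, is_embedded_request($server) ? 'allow' : 'deny');
}

// In remote.php itself the guard would be:
// if (!is_embedded_request($_SERVER)) { http_response_code(403); exit; }
```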