944,171 Members | Top Members by Rank

Web Development > PHP > Disable URL change via URL bar
Ad:
  • PHP Discussion Thread
  • Unsolved
  • Views: 4964
  • PHP RSS
Permalink
Jan 10th, 2007
0

Disable URL change via URL bar

Expand Post »
Hi i own an online game and i wish to know weather there is a way to disable my members from changing the URL in the url bar and only allow them to click links. If they change the URL in the url bar i would like it to header/re-direct to the index.php or session_destory();

I would like my game to only be navigational by the links provided. I have over 100 scripts on my server so it would be pointless blocking each script using the referer.

Any ideas?:cheesy:
Similar Threads
Reputation Points: 10
Solved Threads: 0
Newbie Poster
loopylouis is offline Offline
9 posts
since Jan 2007
Permalink
Jan 10th, 2007
0

Re: Disable URL change via URL bar

Can't be done. You can't control the browser like that. The closest you could come is to use javascript to pen your site in a window and remove the URL bar but that is a bad solution. It will confuse users and leave a lot of them locked out from your site completely.
Moderator
Reputation Points: 161
Solved Threads: 38
He's No Good To Me Dead
stymiee is offline Offline
1,422 posts
since May 2006
Permalink
Jan 10th, 2007
0

Re: Disable URL change via URL bar

Well, if you made a completely AJAX driven user interface, it would be possible. However, that also means that search engines cannot crawl your site. And you know what that means.
Reputation Points: 13
Solved Threads: 2
Junior Poster
php_daemon is offline Offline
138 posts
since Aug 2006
Permalink
Jan 10th, 2007
0

Re: Disable URL change via URL bar

Well, I'm currently developing a game myself and here is what I have done to prevent this.

php Syntax (Toggle Plain Text)
  1. $root = 'yoursite.com';
  2. //Check For Authorized Entry
  3. if (!eregi($root, $webserver['Referer'])) {
  4.     echo "Unauthorized Access";
  5.     //Just forward to error page.
  6.     } else {
  7. //Continue Loading Page Here
  8. }

Just put the code above in a file and include it on every page except your index page and you're good to go. If you don't want to manually include it in every page, just place an include statement in a page that you currently include on every page (i.e., security.inc).

Hope that helps.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
c0rkscrew is offline Offline
2 posts
since Jan 2007
Permalink
Jan 15th, 2007
0

Re: Disable URL change via URL bar

Click to Expand / Collapse  Quote originally posted by loopylouis ...
Hi i own an online game and i wish to know weather there is a way to disable my members from changing the URL in the url bar and only allow them to click links. If they change the URL in the url bar i would like it to header/re-direct to the index.php or session_destory();

I would like my game to only be navigational by the links provided. I have over 100 scripts on my server so it would be pointless blocking each script using the referer.

Any ideas?:cheesy:
Its always better to solve problems server side than having to rely on disabling something on the browser...
It would be even better if the game scripts were written so the rule of the games apply no matter what is sent from the browser (ie: a user created url would be invalid in the game since it would break the rules of the game. But if they do put in a valid url through the address bar, then its still part of the game.. )
This is true for any server side scripting, game.. business logic.. regular website, CMS etc....

Solutions relying on teh browser will work, but will be see through for anyone who wants to cheat..
Moderator
Reputation Points: 457
Solved Threads: 101
Nearly a Posting Virtuoso
digital-ether is offline Offline
1,250 posts
since Sep 2005
Permalink
Dec 12th, 2010
0
Re: Disable URL change via URL bar
Hi,

Sorry for bringing a dead thread alive but I am trying to do the exact same thing and haven't come up with a solution. Is there a solution to this? If not, are there any good alternatives?
Last edited by loki8; Dec 12th, 2010 at 6:07 am.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
loki8 is offline Offline
1 posts
since Dec 2010
Permalink
Dec 12th, 2010
0
Re: Disable URL change via URL bar
I think digital said all that needs to be said. Don't #*~! with the browser. You could set up a session with stores the last page / last action. In addition, I'd hash the last page info with a 'salt'.

PHP Syntax (Toggle Plain Text)
  1. session_start();
  2. ...
  3. $_SESSION['last_page'] = md5('my_incredible_page' . basename($_SERVER['PHP_SELF']));

In a redirected page:

PHP Syntax (Toggle Plain Text)
  1. session_start();
  2. $redirects = array('index.php','someother.php'...);//allowed senders
  3. $confirm = $_SESSION['last_page'];
  4. $allowed = false;
  5. foreach($redirects as $r){
  6.  if($confirm == md5('my_incredible_page' . $r)){
  7.    $allowed = true;
  8.  }
  9. }
  10. if($allowed === true)
  11.  $_SESSION['last_page'] = md5('my_incredible_page' . basename($_SERVER['PHP_SELF']));
  12. }else{
  13.  header('Location: index.php');
  14. }

Have to say, it's not ultrasecure. The salt could be derived from a DB value based on regular changes. It's something to play with anyway.
Sponsor
Featured Poster
Reputation Points: 1067
Solved Threads: 955
Disgraced Poster
ardav is offline Offline
6,728 posts
since Oct 2006
Permalink
Dec 12th, 2010
0
Re: Disable URL change via URL bar
If you are trying to stop users from manipulating the url, you can use a csm of the url to validate it. I have been using this method for years, to prevent people from changing the id in a url to edit a record that they shouldn't be editing (I usually have 2 or 3 checks to make sure its the right person, not just the url csm though).

Here is function that I just made (it only works if you are using the $_GET superglobal though, a different function would be required for something else):


To test, just put on its own page and run. You will be able to see how it works.
PHP Syntax (Toggle Plain Text)
  1. function url_csm( $url,$to_html=true,$remove_csm=false ) {
  2. 	$url = trim( $url,'/' );
  3. 	$md5 = md5( $url . SALT );
  4. 	$vars = array();
  5. 	if ( ( $pos = strpos( $url,'?' ) ) !== false ) {
  6. 		$data = substr( $url,( $pos + 1 ) );
  7. 		$url = substr( $url,0,$pos );
  8. 		$data = explode( '&',$data );
  9. 		foreach( $data as $datum ) {
  10. 			list( $key,$val ) = explode( '=',$datum,2 );
  11. 			$vars[$key] = $val;
  12. 		}
  13. 	}
  14. 	if ( isset( $vars['csm'] ) && $remove_csm == true ) {
  15. 		unset( $vars['csm'] );
  16. 	}
  17. 	else {
  18. 		$vars['csm'] = $md5;
  19. 	}
  20. 	$query_string = array();
  21. 	foreach( $vars as $key => $val ) {
  22. 		$query_string[] = "{$key}={$val}";
  23. 	}
  24. 	return ( $remove_csm == false ? 'http://' . $_SERVER['SERVER_NAME'] . '/' : '' ) . $url . ( count( $query_string ) > 0 ? '?' . implode( ( $to_html == true ? '&' : '&' ),$query_string ) : '' );
  25. }
  26. function url_csm_valid() {
  27. 	if ( !isset( $_GET['csm'] ) || md5( url_csm( $_SERVER['REQUEST_URI'],false,true ) . SALT ) !== $_GET['csm'] ) {
  28. 		return false;
  29. 	}
  30. 	return true;
  31. }
  32.  
  33. define('SALT','large random string here');
  34.  
  35. if ( !isset( $_GET['csm'] ) ) {
  36. 	echo '<a href="' . url_csm( $_SERVER['PHP_SELF'] . '?testing=test' ) . '">Click here</a><br />';
  37. }
  38. else {
  39. 	echo '<p>Now trying changing the key or value of the test var in the url</p>';
  40. 	echo 'Checksum Valid = ' . ( url_csm_valid() == true ? 'Yes' : 'No' );
  41. }
  42.  
  43. exit;

I think that is what you were trying to accomplish but I might be wrong.
Last edited by kkeith29; Dec 12th, 2010 at 10:46 pm.
Reputation Points: 235
Solved Threads: 193
Nearly a Posting Virtuoso
kkeith29 is offline Offline
1,315 posts
since Jun 2007
Permalink
Dec 13th, 2010
0
Re: Disable URL change via URL bar
Hi I think you can try to use mod_rewrite in .htaccess to manipulate the url and redirect to index.php if the URL change in the address bar.
Reputation Points: 10
Solved Threads: 1
Newbie Poster
Mckcvision is offline Offline
7 posts
since Apr 2010

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in PHP Forum Timeline: XAMPP: ccess denied for user 'ODBC'@'localhost'
Next Thread in PHP Forum Timeline: Php redirect





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC