0

OK, so this game works perfectly fine on my own Windows test box web server, but when I upload it to my website it doesn't work at all. It gives me the error in this PHP script, and I've determined the problem lies in the HTTP Referer method used, so is there any way to just remove this?

<?
include("const.php");
if ((stristr($HTTP_REFERER,$SERVER_NAME)) || ($action == "gameranks") || ($action == "top10") || ($action == "login") || ($action == "signup") || ($action == "count") || (($action == "game") && ($HTTP_REFERER)))
{
	if (!$link = @mysql_connect($dbhost,$dbuser,$dbpass))
	{
		include("html.php");
		HTMLbegincompact("Database Error!");
		print "The game database is currently unavailable. Please try again later.\n";
		HTMLendcompact();
		exit;
	}
	mysql_select_db($dbname);
	if ($action == "game")
		$action = "main";
	include("$action.php");
}
else
{
	include("html.php");
	HTMLbegincompact("Error!");
?>
<table>
<tr><th style="color:#00006F;background-color:#FFFF9F">Security Violation</th></tr>
<tr><td>We have determined that you are accessing the game the wrong way, or an error might have occurred.<br>
<?
	if (!$HTTP_REFERER)
		print "You may NOT access in-game pages via bookmarks!<br>\n";
	else	print "You attempted to view this page from $HTTP_REFERER, which is not on $SERVER_NAME.<br>\n";
?>
If this error persists take the following steps in the following order:<br>
1) Return to <?=$config[home]?> and re-login.<br>
2) Upgrade your internet browser.<br>
3) Contact the game administrator at <?=$config[adminemail]?><br>
4) Contact your ISP.<br></td></tr>
</table>
<?
	HTMLendcompact();
}
?>

Thanks


0

From http://php.net/manual/en/reserved.variables.server.php

'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

It looks like you are better off without it. But what to use to get the previous page URL?

It looks like you are only allowed on this page from another page from the same domain. Maybe you could change the <a href> that points to this page like so <a href="this_page.php?valid=true"> and test (with $_GET) if valid is there and is true.

0

Well I tried putting a link on the mainpage of my site to it but it gave me the error MSG again saying I had tried to access it with bookmarks. Is that what you were telling me to do? Or was there something else, like what'd you mean by the GET thing?

Thanks

0

What you are trying to do is prevent deep-linking or direct access to this page. Normally one would use $HTTP_REFERER in PHP, but that method is not reliable.
Another way to get the same result is using a .htaccess file (but this can only be done if the site is hosted on an Apache web server) with the following in it:

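RewriteEngine On
# All three conditions must hold for the rule to fire.
# Condition 1: the Referer header is not empty
RewriteCond   %{HTTP_REFERER}  !^$
# Conditions 2-3: the Referer does not start with this site's URL (with or without www)
RewriteCond   %{HTTP_REFERER}  !^http://www\.yourdomain\.com/.*$ [NC]
RewriteCond   %{HTTP_REFERER}  !^http://yourdomain\.com/.*$     [NC]
# In a .htaccess file the pattern is matched against the path without its leading slash
RewriteRule   ^GamesPages/.*$ /page-about-direct-links.html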

That is basically saying:
1. Turn the mod_rewrite engine on
2. If the HTTP Referrer is blank...
3. Or doesn't contain my domain name...
4. Or doesn't contain my domain name without www...
5. Redirect any requests for anything under /GamesPages/ to /page-about-direct-links.html
This method is more reliable but again, it doesn't always work. It depends on the way the web-server is configured.
What I meant with using $_GET is, you take out HTTP_REFERER on this page and from the home page of your site, make a link to this page like <a href="/gamespages/the_page.php?valid=true"> and start your page this way:

<?php
include("const.php");
$valid = isset($_GET['valid'] ? $_GET['valid'] : false;
if ($valid) {
  // rest of your code.

This is not foolproof either, but you avoid the problems you have with HTTP_REFERER.

0

Ok so I put that code at the bottom in the php code I showed you above? Do I take anything out of that code above or just leave it the same?

Thanks for taking the time to help, it's appreciated.

0

Ok so I put the code in the code above like this:

<?php
include("const.php");

$valid = isset($_GET['valid'] ? $_GET['valid'] : false;
if ($valid) {
if ((stristr($HTTP_REFERER,$SERVER_NAME)) || ($action == "gameranks") || ($action == "top10") || ($action == "login") || ($action == "signup") || ($action == "count") || (($action == "game") && ($HTTP_REFERER)))
{
	if (!$link = @mysql_connect($dbhost,$dbuser,$dbpass))
	{
		include("html.php");
		HTMLbegincompact("Database Error!");
		print "The game database is currently unavailable. Please try again later.\n";
		HTMLendcompact();
		exit;
	}
	mysql_select_db($dbname);
	if ($action == "game")
		$action = "main";
	include("$action.php");
}
else
{
	include("html.php");
	HTMLbegincompact("Error!");
?>
<table>
<tr><th style="color:#00006F;background-color:#FFFF9F">Security Violation</th></tr>
<tr><td>We have determined that you are accessing the game the wrong way, or an error might have occurred.<br>
<?
	if (!$HTTP_REFERER)
		print "You may NOT access in-game pages via bookmarks!<br>\n";
	else	print "You attempted to view this page from $HTTP_REFERER, which is not on $SERVER_NAME.<br>\n";
?>
If this error persists take the following steps in the following order:<br>
1) Return to <?=$config[home]?> and re-login.<br>
2) Upgrade your internet browser.<br>
3) Contact the game administrator at <?=$config[adminemail]?><br>
4) Contact your ISP.<br></td></tr>
</table>
<?
	HTMLendcompact();
}
?>

But I got this error: Parse error: syntax error, unexpected '?', expecting ',' or ')' in /home/content/a/4/7/a4789787/html/genesiss/genesis.php on line 4

I think I just misinterpreted what you said. Looking back at it, it looks like you're saying make an entirely new page for that code?

0

Also, if it would be easier to just take out the HTTP Referer and have people be able to link to my pages, I don't care. I just need to keep the basic functionality of the page. What the page does right now, as I'm sure you can see, is link another PHP page, so login.php would look like genesis.php?action=login. If I could just keep that basic functionality, that would be fine.

0

Oh, and sorry for all the posts, but it is on a shared hosting plan, meaning that one computer is running several servers, so I'm thinking that may be why it's acting up like this.

0

I just typed too quickly.

// instead of:
$valid = isset($_GET['valid'] ? $_GET['valid'] : false;
// it should be (forgot the ")")
$valid = isset($_GET['valid']) ? $_GET['valid'] : false;

And when you use it, leave out the HTTP_REFERER part.

But as I already wrote, this method is not foolproof. The best change is using a .htaccess file to get what you wanted.

0

OK, this is how I put the code in:

<?php
include("const.php");
$valid = isset($_GET['valid']) ? $_GET['valid'] : false;
if ($valid) {
  // rest of your code.

	if (!$link = @mysql_connect($dbhost,$dbuser,$dbpass))
	{
		include("html.php");
		HTMLbegincompact("Database Error!");
		print "The game database is currently unavailable. Please try again later.\n";
		HTMLendcompact();
		exit;
	}
	mysql_select_db($dbname);
	if ($action == "game")
		$action = "main";
	include("$action.php");
}
else
{
	include("html.php");
	HTMLbegincompact("Error!");
?>
<table>
<tr><th style="color:#00006F;background-color:#FFFF9F">Security Violation</th></tr>
<tr><td>We have determined that you are accessing the game the wrong way, or an error might have occurred.<br>
<?
	if (!$HTTP_REFERER)
		print "You may NOT access in-game pages via bookmarks!<br>\n";
	else	print "You attempted to view this page from $HTTP_REFERER, which is not on $SERVER_NAME.<br>\n";
?>
If this error persists take the following steps in the following order:<br>
1) Return to <?=$config[home]?> and re-login.<br>
2) Upgrade your internet browser.<br>
3) Contact the game administrator at <?=$config[adminemail]?><br>
4) Contact your ISP.<br></td></tr>
</table>
<?
	HTMLendcompact();
}
?>

I put a link on the mainpage of my site like this:
<a href="/genesiss/genesis.php?valid=true">

But now I get this:
Warning: include(.php) [function.include]: failed to open stream: No such file or directory in /home/content/a/4/7/a4789787/html/genesiss/genesis.php on line 18

Warning: include() [function.include]: Failed opening '.php' for inclusion (include_path='.:/usr/local/php5/lib/php') in /home/content/a/4/7/a4789787/html/genesiss/genesis.php on line 18

I think I just deleted the wrong part of the HTTP Referer that you were telling me to remove.

0

And like I said, if I could just completely remove the HTTP Referer part and just have it where you can access the page from anywhere, that would be fine, if not best.

0

Please don't abandon me, man! I really need your help, no one else helped me at all.

1

Please don't abandon me, man! I really need your help, no one else helped me at all.

You should remove / change all your lines of code where you use $_SERVER['HTTP_REFERER'].
If the browser isn't sending the HTTP "Referer:" header, which according to the HTTP/1.1 specification it doesn't have to, then there's no way to know who the referrer is.
It seems that the only way to be sure that the referer page is within the same domain is using a .htaccess file or call the page with post variables.

So, you don't want anybody to come directly on the page "http://example.com/games/in-game.php". Then start this page like this:

<?php
$valid_access = isset($_POST['valid']) ? $_POST['valid'] : false;
if ($valid_access) {
    // the in-game page
}
else {
    echo "you are not allowed to deeplink or direct access this page";
}
?>

And from the calling page (for instance "http://example.com/index.html"):

<form method="post" action="/games/in-game.php">
    <input type="hidden" value="true" name="valid">
    <input type="submit" value="in-game page.php">
</form>

If anybody would directly go to "http://example.com/games/in-game.php" they would see the message "You are not allowed to deeplink or direct access this page", but when coming from index.html, the page will show and the error message won't.

Votes + Comments
Thanks it fixed it! I appreciate all your help!
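
The thread settles on a `valid` field sent by the client, which the posters themselves call not foolproof. As an added example (not code from the thread or from the game), here is genesis.php dispatching on an explicit `$_GET['action']` allowlist and gating in-game pages on a login session instead of the Referer header. It assumes login.php stores a hypothetical `$_SESSION['player_id']` on success, and it keeps the thread's PHP 5 `mysql_*` calls.

```php
<?php
// Added example, not code from the thread.
// Assumption: login.php sets $_SESSION['player_id'] (hypothetical key).
session_start();
include("const.php");

// Public actions are the ones named in the original condition.
$public  = array("gameranks", "top10", "login", "signup", "count");
// In-game actions and the file that serves each one; add the game's
// other page names here ("game" is served by main.php, as before).
$in_game = array("game" => "main");

// Returns the file to include (without ".php"), or null if the action
// is on neither list and must not reach include().
function resolve_page($action, $logged_in, $public, $in_game)
{
    if (!is_string($action) || $action === "") {
        return "login";                      // no action given
    }
    if (in_array($action, $public, true)) {
        return $action;
    }
    if (isset($in_game[$action])) {
        // Decided by server-side session state, not by the Referer header
        // or a valid=true field, both of which the client controls.
        return $logged_in ? $in_game[$action] : "login";
    }
    return null;
}

$action = isset($_GET['action']) ? $_GET['action'] : "";
$page   = resolve_page($action, !empty($_SESSION['player_id']), $public, $in_game);
if ($page === null) {
    header("HTTP/1.1 404 Not Found");
    exit("Unknown page.");
}
if (!$link = @mysql_connect($dbhost, $dbuser, $dbpass)) {
    include("html.php");
    HTMLbegincompact("Database Error!");
    print "The game database is currently unavailable. Please try again later.\n";
    HTMLendcompact();
    exit;
}
mysql_select_db($dbname);
$action = $page;          // included pages may still read $action
include("$page.php");
```

Because only names from the two lists ever reach `include()`, a request with a missing or unexpected `action` can no longer produce the `include(.php)` warning shown earlier in the thread.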