
Hey again! :D

I'm just wanting to know how I can stop other people including any type of file that's on my domain. All the PHP include files I use shall be chmod'd to 644 and/or 604 depending on the file, but I'm wanting to know how I can perhaps use PHP to make sure the only scripts that can both execute and include them are on my domain.

For example, no one will be able to include or use http://www.example.com/example.(php/css/js) unless the request is coming from the actual domain?

Does anyone know how to do this using PHP? I've read somewhere that you have to name your action something, and configure the PHP to only be executed if it's from that action - for example, Joomla uses this:

<?php defined( '_JEXEC' ) or die( 'Restricted access' );?>

Thanks!
Brownie.
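As an added illustration of the _JEXEC pattern mentioned above (example code, not from the original post and not Joomla's own): a front controller defines a constant before including anything, and each include file dies unless that constant exists. The constant name MYAPP_ENTRY, the file name config.php and the temporary directory are assumptions for the demo. It also shows why the "someone else includes my file" worry is covered by the same guard: a remote server that does include('http://www.example.com/inc/config.php') only receives what your web server outputs, never the PHP source, and with the guard in place that output is just "Restricted access".

```php
<?php
// Added example, not from the original post or from Joomla. It writes a
// guarded include file into a temporary directory, then shows both cases:
// reached through the front controller (runs) and requested on its own
// (dies with "Restricted access"). Run from the command line: php guard-demo.php
// (file name assumed).

$dir = sys_get_temp_dir() . '/guard-demo-' . getmypid();   // assumed location
mkdir($dir);
$incFile = $dir . '/config.php';

// The include file. Its first statement refuses to continue unless the
// entry-point constant exists, exactly like Joomla's _JEXEC check.
file_put_contents($incFile, <<<'PHP'
<?php
defined('MYAPP_ENTRY') or die('Restricted access');
$config = ['db_host' => 'localhost'];
echo "config loaded\n";
PHP
);

// Case 1: the front controller (index.php in a real site). It defines the
// marker constant first and only then includes the guarded file.
define('MYAPP_ENTRY', true);
require $incFile;                                   // prints "config loaded"
echo 'db_host = ' . $config['db_host'] . "\n";      // the include did its work

// Case 2: the include file requested on its own, so no front controller ran
// and the constant was never defined. Simulated here by executing it in a
// fresh PHP process; a web server answering a direct request for
// http://www.example.com/inc/config.php behaves the same way. PHP_BINARY
// is the interpreter running this script (the CLI binary when run from a shell).
$out = shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($incFile));
echo 'direct request prints: ' . trim((string) $out) . "\n";   // Restricted access

unlink($incFile);
rmdir($dir);
```

The guard belongs at the very top of every include file, before any other statement, because anything above it would still execute on a direct request. The file permissions mentioned in the question (644/604) control what the server account can read, not who can request a URL; that is why the guard is needed on top of them.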


I believe the term I was looking for was hotlinking.

If anyone in the future is having this problem, then this can be done by using the .htaccess file, or the following PHP script:

<?php
$dir='secret-directory-name-here/';
if (!isset($_GET['file']) || (!$file=realpath($dir.$_GET['file'])) || !is_file($file)
    || strpos($file,realpath($dir).DIRECTORY_SEPARATOR)!==0 || strtolower(substr($file,-4))=='.php'){
  header('HTTP/1.0 404 Not Found');  // missing, outside the secret directory, a directory, or PHP source
  exit();
}
$ref=isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';  // header is absent on many direct requests
if (strpos($ref,'http://www.example.com/')===0 || strpos($ref,'http')!==0){
  // Request came from a page on this site (or carried no Referer at all): serve the file itself.
  $mime=array(
    'jpg'=>'image/jpeg',
    'jpeg'=>'image/jpeg',
    'png'=>'image/png',
    'gif'=>'image/gif',
    'mid'=>'audio/x-midi',
    'wav'=>'audio/x-wav'
  );
  $ext=strtolower(pathinfo($file,PATHINFO_EXTENSION));
  $stat=stat($file);
  header('Content-Type: '.(isset($mime[$ext]) ? $mime[$ext] : 'application/octet-stream'));
  header('X-Content-Type-Options: nosniff');
  header('Content-Length: '.$stat[7]);  // stat index 7 is the size in bytes
  header('Last-Modified: '.gmdate('D, d M Y H:i:s',$stat[9]).' GMT');  // index 9 is the mtime
  readfile($file);
  exit();
}
// Hotlinked from another site or opened directly: show the companion page
// (content-file.php, placed beside the content) instead of the raw file.
if (!is_file($file.'.php')){
  header('HTTP/1.0 404 Not Found');
  exit();
}
header('Pragma: no-cache');
header('Cache-Control: no-cache, no-store, must-revalidate');
include($file.'.php');
?>

1) Create a directory on your website to contain the anti-hotlinking script and your protected media.

2) Copy the code into a file called index.php inside that directory.

3) Replace the URL http://www.example.com/ on the ninth line of the script with the URL of your website — don’t forget to include the trailing slash.

4) Replace the phrase ‘secret-directory-name-here’ in the second line of the script with something people are unlikely to guess (for example, a string of thirty random letters) and create a directory with this name inside the directory containing the script. Do not reveal the name of this secret directory to anyone, as doing so would allow people to hotlink to the files it contains. If you do accidentally reveal the directory name, just rename it and alter the script accordingly.

5) For each piece of content you want to protect, place it in the secret directory (you can also create subdirectories inside that directory).

6) For each piece of content create a file with the same name but with .php appended and place it in the same location as the content. This document should contain HTML (possibly with embedded PHP) to display when a site has either hotlinked or directly linked to yours. The simplest code will redirect the request to the page on your site containing the content:
<?php
header('Location: http://www.example.com/page-containing-the-content/');
?>

7) To include the content in your pages, use a URL of the form http://www.example.com/script-directory/?file=content-file, where ‘script-directory’ is the directory containing the anti-hotlinking script, and ‘content-file’ is the name of the content file (if the content file is in a subdirectory of the secret directory, include the subdirectory in the path — for example ?file=subdirectory/contentfile). These URLs can be included in the pages mentioned in the previous step in order to create a custom page displaying the content instead of redirecting to an existing page on your site.

8) Now when someone tries to hotlink to content on your site, people visiting that page will only see the content if they have already been to your site. Direct links to content on your site will return an HTML file containing the content, so you can ensure visitors see the file in its original context.

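As an added example (not code from the original post): the two checks the script above depends on, keeping the requested path inside the secret directory and testing the Referer, rewritten as stand-alone functions and exercised against awkward inputs. It differs from the post's script in one deliberate way: the Referer test compares the parsed host name instead of a string prefix, so http://www.example.com.attacker.net/ is rejected while https://www.example.com/ is accepted. The host www.example.com, the temporary directory layout and the constructed file names are assumptions for the demo; it needs PHP 7.1 or later.

```php
<?php
// Added example, not from the original post. Run with: php hotlink-checks.php
// (file name assumed). Prints "ok" per case, or "MISMATCH" if a check misbehaves.

// Resolve a user-supplied name and confirm it stays inside $baseDir.
// Returns the real path, or null if the name escapes the directory, does not
// exist, is not a regular file, or is a PHP file.
function confine_path(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $file === false || !is_file($file)) {
        return null;
    }
    // Prefix check with the separator appended: without it "/srv/secret2/x"
    // would count as inside "/srv/secret".
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($file, PATHINFO_EXTENSION)) === 'php') {
        return null;
    }
    return $file;
}

// Decide whether a Referer header is acceptable. An absent or empty Referer is
// allowed (as in the script above) because browsers and privacy tools often
// strip it; a present Referer must name exactly our host. Comparing the parsed
// host, not a string prefix, is what defeats look-alike hosts.
function referer_allowed(?string $referer, string $ourHost): bool {
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;   // unparsable or scheme-less value
    }
    return strtolower($host) === strtolower($ourHost);
}

// ---- constructed Referer values for a quick self-check ----
$cases = [
    ['http://www.example.com/page/',                    true],
    ['https://www.example.com/page/',                   true],   // the prefix check in the script rejects this
    ['http://WWW.EXAMPLE.COM/',                         true],
    ['http://www.example.com.attacker.net/',            false],
    ['http://attacker.net/?u=http://www.example.com/',  false],
    ['',                                                true],
    [null,                                              true],
    ['www.example.com/page/',                           false],  // no scheme: not a URL
];
foreach ($cases as [$ref, $expected]) {
    $got = referer_allowed($ref, 'www.example.com');
    printf("%-50s %s\n", var_export($ref, true), $got === $expected ? 'ok' : 'MISMATCH');
}

// ---- path confinement against a constructed secret directory ----
$tmp = sys_get_temp_dir() . '/hotlink-demo-' . getmypid();
mkdir($tmp . '/secret/sub', 0700, true);
file_put_contents($tmp . '/secret/sub/pic.png', "\x89PNG");   // constructed content file
file_put_contents($tmp . '/secret/sub/pic.png.php', "<?php\n"); // its companion page
file_put_contents($tmp . '/outside.txt', 'x');                 // something outside the secret dir

$pathCases = [
    ['sub/pic.png',            true],
    ['sub/pic.png.php',        false],  // the companion PHP file is never served raw
    ['../outside.txt',         false],  // traversal out of the secret directory
    ['sub/../../outside.txt',  false],
    ['sub',                    false],  // a directory, not a file
    ['missing.png',            false],
];
foreach ($pathCases as [$name, $expected]) {
    $got = confine_path($tmp . '/secret', $name) !== null;
    printf("%-25s %s\n", $name, $got === $expected ? 'ok' : 'MISMATCH');
}

// Clean up the constructed files.
foreach (['secret/sub/pic.png', 'secret/sub/pic.png.php', 'outside.txt'] as $f) {
    unlink($tmp . '/' . $f);
}
rmdir($tmp . '/secret/sub');
rmdir($tmp . '/secret');
rmdir($tmp);
```

Two caveats worth keeping in mind with any Referer-based scheme: the header is trivially forged by a script that fetches the file directly, and it is routinely absent, so the empty-Referer allowance above (which the post's script also makes) means a determined scraper can always obtain the media. It stops casual hotlinking from other pages, which is what the thread is about, not deliberate downloading.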
