Preventing bad PHP script calls

Assiez
I've been programming in php for about a year now, recently I just finished a project for my school (a comment manager) that was almost exclusively done in php. Because of that, security with php has always been one of my interests. Recently I realized that sometimes php scripts can easily be called from other sites. Maybe an example would make it clearer.

Say you have a script on your site called sendMoney.php. Also, say you use this script in an HTML file called example.html. Now a person can simply make a fake web page and call your php script from there just by putting the entire resource location (e.g. http://www.site.com/sendMoney.php instead of just sendMoney.php), instead of doing whatever they have to do in example.html. This of course is a horrible breach of security.

But the good thing is that it's a very simple problem to fix, however apparently not many people are conscious of it and therefore do not take the 4 lines of code to prevent it.

So without further ado, here's the fix

Code:

<?php
// get referrer from _SERVER array; the header may be absent, so default to ""
$ref = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";

// list of pages that are allowed to call this script
$allowed = array(
    "http://www.site.com/example.html",
    "http://site.com/example.html",
);

// strict comparison against the list (the original "||" test rejected every request)
if (!in_array($ref, $allowed, true))
{
    //bad referrer detected, exit script
    print "Access Denied";
    exit;
}

//continue with script
?>


Basically what this snippet of code does is get the site that called the script and compare it to a list of allowed sites. If the site that called it is not in the list, the script ends immediately; otherwise it'll go on doing what it should do. Interestingly enough, I've just realized this problem today, so I'll have to go back and update most of my old php scripts. :-/

Have fun using this and remember, no site can be made completely secure, you can only make it as secure as possible.
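A caveat on the post above: the Referer header is just another request header that the client chooses to send, so a non-browser client (curl, a script) can set it to exactly the value the check expects, and many browsers and proxies strip it entirely. The problem the post describes is cross-site request forgery, and the standard defence is a secret per-session token embedded in the form, which a page on another origin cannot read. The following is an added example and is not code from the original post; the names sendMoney.php, example.html and the "csrf" field are illustrative assumptions.

```php
<?php
// Added example (not from the original post). sendMoney.php, example.html and
// the "csrf" field name are assumptions used for illustration.

// Issue (or reuse) a random token stored server-side in the session.
function csrfToken(array &$session)
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // PHP 7+
    }
    return $session['csrf'];
}

// example.html rendered as PHP so the hidden field can carry the token.
function renderForm(array &$session)
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="sendMoney.php">'
         . '<input type="hidden" name="csrf" value="' . $token . '">'
         . '<input type="text" name="amount">'
         . '<input type="submit" value="Send">'
         . '</form>';
}

// The check the original post relies on: does the Referer match a whitelist?
function refererAllowed(array $server, array $allowed)
{
    $ref = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    return in_array($ref, $allowed, true);
}

// The check sendMoney.php should make: a POST that carries the session's token.
function csrfValid(array $server, array $post, array $session)
{
    if (!isset($server['REQUEST_METHOD']) || $server['REQUEST_METHOD'] !== 'POST') {
        return false; // state-changing work is only accepted via POST
    }
    if (empty($session['csrf']) || !isset($post['csrf'])) {
        return false; // no token issued, or none supplied
    }
    // Constant-time comparison so response timing does not leak the token.
    return hash_equals($session['csrf'], (string) $post['csrf']);
}

// Command-line simulation with constructed requests. In a real deployment
// $session is $_SESSION after session_start() and the request arrays are
// $_SERVER and $_POST.
$session = array();
renderForm($session); // the legitimate page was rendered, so a token exists

// A forged request: the attacker can copy the Referer but cannot know the token.
$forged = array(
    'server' => array('REQUEST_METHOD' => 'POST',
                      'HTTP_REFERER'   => 'http://www.site.com/example.html'),
    'post'   => array('amount' => '1000'),
);
// A legitimate submission from the rendered form.
$legit = array(
    'server' => $forged['server'],
    'post'   => array('amount' => '10', 'csrf' => $session['csrf']),
);

$allowed = array('http://www.site.com/example.html');
printf("forged request: referer check %s, token check %s\n",
    refererAllowed($forged['server'], $allowed) ? 'passes' : 'fails',
    csrfValid($forged['server'], $forged['post'], $session) ? 'passes' : 'fails');
printf("legit request : referer check %s, token check %s\n",
    refererAllowed($legit['server'], $allowed) ? 'passes' : 'fails',
    csrfValid($legit['server'], $legit['post'], $session) ? 'passes' : 'fails');
```

The simulation feeds the same forged Referer to both checks: the whitelist accepts it, while the token check rejects it because the attacker's request carries no token. A same-origin check on the Origin or Referer header can still be kept as a secondary measure, but it should only reject when the header is present and points elsewhere, never be the sole gate.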
Marston
I believe that "referer" [sic] is spelled incorrectly.

Hence, your script won't work. ;)
Assiez
http://unix.cms.gre.ac.uk/code/php/examples/http_referer_op.php

it's spelled right.

© 2005-2011 Frihost, forums powered by phpBB.