I'll try to explain my query in the best of my ability. I would appreciate your help in this :)
There is a flash application (SWF) that I am outputting via a PHP file using header("Content-type: application/x-shockwave-flash");
Case A: When this flash file is loaded from http://www.a.com/flash.php?display=hello, it works the way it was intended to. Say for example it displays "hello".
Case B: When this flash file is loaded from http://www.b.com/flash.php?display=hello, it does not work. Say now it displays "Bye bye".
Important thing to note is that I did send the display=hello on the www.b.com but it somehow internally checks that it is being called from a website other than www.a.com and defaults to "bye bye".
The flash file is on the local web-server as flash.swf
How can I set the headers in that PHP file so that the the flash.swf thinks it is being called from www.a.com rather than www.b.com, even though it is.
I do not know how the flash.swf file is doing all these checks. and I don't think there is anyway for me to find out (decompile swf, etc -- but I'd like to avoid that route).
Is there perhaps a header I can set in the PHP file or set an environment variable to fix this issue?
If a.com is not under your control, I don't think this is possible to circumvent, because Flash can check for the current movie's URL in the browser, which you won't be able to manipulate in PHP.
If a.com is under your control, you could use an iframe as #Khez points out.
Otherwise, you'll have to talk to the author of the original Flash file and ask for the check to be changed (which is probably what you want to circumvent in the first place).
This will not be possible for security reasons.
For example, if your bank was trying to run this file, being able to fake the source would mean someone could steal from you.
The browser will enforce this and will prevent you from faking the source of your request, so it will not be possible for you to change this.
Related
I have a JavaScript which can be called externally using <script type="text/javascript" src="http://mydomain.com/myscript.js"></script> the script is created dynamically using php but I need to know where the script is being called from (which domain) the only way i can think off is using $ SERVER["HTTP REFERER"] but not all browsers support this and it is insecure as it can be changed.
Dose anyone know a better way I could do it?
First of all anything the browser provides cannot be trusted, this includes the HTTP Referer header.
However I don't agree with this being insecure, what exactly are you doing with this information? All the server can do is trust what the browser supplies it, so if you are attempting to restrict this javascript you are going to have to authenticate the user first (so you can plant a cookie).
So what exactly are your intentions?
Here is my idea.
Use a PHP file to render the JS file contents and it will only serve the javascript when session id matches. Hide your real js file too
HEllo I have this URL I need to get with PHP
http://www.domain.com/forum/#forum/General-discussions-0.htm
The problem is this is not a real URL, but this the mask created by the .htaccess.
I need to get the visible URL and not the real path of the file, because I need to compare it with some PHP variables I have.
In fact the real path will look like this:
http://domain.com/modules/boonex/forum/index.php
And in that way is totally useless for me.
How do I get the first URL as it is?
You can't get that from http://www.domain.com/forum/#forum/General-discussions-0.htm. Everything after the fragment (#) is not even send to the server, there is no way to retrieve it save for a delayed update with javascript. All you'll get it is http://www.domain.com/forum/ send to the server, and on the onload event of your document you can possibly load something in with javascript.
Look into the source code or it may not have real urls at all. The part is for ajax based navigation. It may mean that there are no real urls on that site and if there are then they should be extracted from <a href="someurl"> as they might masked using javascript.
With
file_get_contents();
for example. Neither user nor your server mind about .htaccess
It's server proccessing the request who have to direct you to correct address
however php does ignore everything after #, so in this case you have no chance to get it without real url
As #Wrikken said, there is no way to get url after # fragment
I have a site complete with CMS etc all working under one domain name. It turns out for legal reasons one page on this site has to sit on a different domain name. The page is hooked into the same CMS as the rest of the site (built using codeigniter). I don't want to have to do another installation just for this page.
Is there any simple way to display just this page under a different domain name without taking it out of the current application?
Thanks a lot
You should look at either (in order):
an include()with correct php.ini configuration
a file_get_content() and printing the variable into your page
an <iframe src="yoururl"> wich would be the easy peasy but unsafe way
using the on-purprose curllibrary
using fopen() wich theorically allows distant files to be opened, but based on my experience, it's not that reliable
Look at this site, it seems rather exhaustive regarding your problem.
Try including the file
<?php include 'http://www.domain.com/url/to/file/page.html' ?>
I think what you need here is a symlink, which is something I don't know too much about. My understanding is that the path displayed to the user does not in fact have to have anything to do with where the file is actually stored, meaning you can set this up to have a completely different URL while keeping it as part of your original application.
A simpler thing is doing a redirect...it's one line of code in your .htaccess file and you're good to go.
include is a possible solution depending on the format of the remote page (ie, this won't work very well if the remote page has a full DOM structure, and you're trying to include the remote page within the DOM structure of your CMS page), however more information about that remote page would be needed to help determine if include() alone would be enough.
Regardless, if include() does, work, you must make sure allow_url_include in php.ini is enabled, as by default script execution will terminate when encoutering a remote URL include statement.
I have a member area, where they can add their domains and it will be displayed in the profile page..but now I want to add a verification process, just like google web-masters does..where they need to upload a certain file and so..
please tell me whats the best way to do this ?
Thanks :)
Generate a token for each domain (sha-1 of domain or so), store it in your DB or what have you.
Generate a text-file containing the token on user request.
Ask the user to inform you to poll or poll every now and then to check the URL. This can easily be done by file_get_contents in PHP if fopen_wrappers are enabled.
The token is obviously compared to the token in your DB to make sure it wasn't just a random file present at a random domain..
Could be a good idea to check at some time interval if the file is still there, to keep someone from selling the domain but remain in control
It's not really black art as we can assume the user has access to its domain once any specific request which proves access can be fulfilled by the user. There's no real way to fool the system except doing some DNS-magic, or gaining entry to the webserver running on the domain, which is out of your control anyway.
Not sure if that's the best way, but I think Google does something like this:
get user's domain name (e.g. "http://example.com")
generate unique code and store in db
tell user where to upload the code (e.g. something like "/verification.txt")
after confirmation, make a HTTP request for the code ("http://example.com/verification.txt") from own server to the user's server
compare the code you received to the code in the db
You may want to generate consistently the same code for the same domain.
This question is convoluted. I think you need to spell out what you are looking for a little better.
EDIT #1:
Generate an md5 and give it to the user, tell them to put it on their domain and provide a URL to where it is. This could be in a txt file or anything.
Then read that file and check if the md5 string exists in there.
Actually I would come up with something slightly different than an md5. Maybe three of them, so that you reduce the chance they find it on some other domain and then give you that URL.
This can still be spoofed unless you nail down constraints, like it has to be a text file, the file must only contain the md5... etc.
Right now I can type in an md5 but it doesn't mean I control this website:
md5("i fooled you") = "0afb2d659b709f8ad499f4b87d9162f0"
But if I handed the URL to this answer, your system might accidentally think I have admin here.
I recommend creating a file and making them upload the file and give you the URL to it. But even that won't necessarily work because there are many sites where you can just upload something.
Maybe if it's a php encoded file that can execute? That's kind of a security flaw because I don't know if I would upload just anyone's PHP file. Typically if you don't have admin nobody is going to let you upload a php file that would work.
You might want to create a php call-home script but that's gonna be bad. People wouldn't use it.
Another way it could be done is:
Get the domain name
Generate a random code/string.
Sore this in your database
Make a meta tag and the random code in the content.
Use file get contents of the index page of the website.
Then search the page for the meta tag with the code sorted in the database.
If statement for success or unsuccessful.
The meta tag should look like this:
<meta name="site-verification" content="1010101010101010101010101010101010101010" />
Actually, just creating an md5-string for the domainname, letting the site owner put that in a meta-tag so you can check that would allready work fine ...
I need to confirm something before I go accuse someone of ... well I'd rather not say.
The problem:
We allow users to upload images and embed them within text on our site. In the past we allowed users to hotlink to our images as well, but due to server load we unfortunately had to stop this.
Current "solution":
The method the programmer used to solve our "too many connections" issue was to rename the file that receives and processes image requests (image_request.php) to image_request2.php, and replace the contents of the original with
<?php
header("HTTP/1.1 500 Internal Server Error") ;
?>
Obviously this has caused all images with their src attribute pointing to the original image_request.php to be broken, and is also the wrong code to be sending in this case.
Proposed solution:
I feel a more elegant solution would be:
In .htaccess
If the request is for image_request.php
Check referrer
If referrer is not our site, send the appropriate header
If referrer is our site, proceed to image_request.php and process image request
What I would like to know is:
Compared to simply returning a 500 for each request to image_request.php:
How much more load would be incurred if we were to use my proposed alternative solution outlined above?
Is there a better way to do this?
Our main concern is that the site stays up. I am not willing to agree that breaking all internally linked images is the best / only way to solve this. I refuse to tell our users that because of something WE changed they must now manually change the embed code in all their previously uploaded content.
Ok, then you can use mod_rewrite capability of Apache to prevent hot-linking:
http://www.cyberciti.biz/faq/apache-mod_rewrite-hot-linking-images-leeching-howto/
Using ModRwrite will probably give you less load than running a PHP script. I think your solution would be lighter.
Make sure that you only block access in step 3 if the referer header is not empty. Some browsers and firewalls block the referer header completely and you wouldn't want to block those.
I assume you store image paths in database with ids of images, right?
And then you query database for image path giving it image id.
I suggest you install MemCached to the server and do caching of user requests. It's easy to do in PHP. After that you will see server load and decide if you should stop this hotlinking thing at all.
Your increased load is equal to that of a string comparison in PHP (zilch).
The obfuscation solution doesn't even solve the problem to begin with, as it doesn't stop future hotlinking from happening. If you do check the referrer header, make absolutely certain that all major mainstream browsers will set the header as you expect. It's an optional header, and the behavior might vary from browser to browser for images embedded in an HTML document.
You likely have sessions enabled for all requests (whether they're authenticated or not) -- as a backup plan, you can also rename your session cookie name to something obscure (edit: obscurity here actually doesn't matter as long as the cookie is set for your host only (and it is)) and check that a cookie by that name is set in image_request.php (no cookie set would indicate that it's a first-request to your site). Only use that as a fallback or redundancy check. It's worse than checking the referrer.
If you were generating the IMG HTML on the fly from markdown or something else, you could use a private key hash strategy with a short-live expire time attached to the query string. Completely air tight, but it seems way over the top for what you're doing.
Also, there is no "appropriate header" for lying to a client about the availability of a resource ;) Just send a 404.