I'm making a website that appeals to students at my school. I want to only allow access if the user is on the campus wifi or hardwire. Using PHP, how can I restrict access to people I am sure are on the campus internet?
You would need to get a range of IP addresses and put them in a while list. You could then use the $_SERVER['REMOTE_ADDR'] variable to check against the white list for access. Do it at the beginning of the page with something like this:
if(in_array($_SERVER['REMOTE_ADDR'],$white_list)) {
//allow execution code?
} else {
exit;
}
This is usually done in the webserver configuration, which has the advantage of also working for images, but in theory you could put
if ($_SERVER['REMOTE_ADDR'] != '...')
die();
in every of your PHP pages.
At first, you need to get the range of IPs from your school's network admin.
Then from PHP:
$ip=$_SERVER['REMOTE_ADDR'];
if(inRange($ip)) die();
else { ....
Now write inRange($ip) function to return true if the given ip is in the range. you can use explode function to get pieces of the ip to compare.. :)
It's already been mentioned, but the 'right' way to do it is to specify the IP range in the setup of your webserver (IOW, don't do it in PHP)
Related
Actually I have no any practical experience using php other than in locally hosted server. I am following a video tutorial to learn php, and there was this code to block specific ip from a web site. The thing I want to know here if this is works for users who have dynamic ip addresses also or not? And, is this a proper way to block a user? I'm so glad if you can explain more about practical side of blocking users. Thank you!
<?php
$http_client_ip = $_SERVER['HTTP_CLIENT_IP'];
$http_x_forwarded_for = $SERVER['HTTP_X_FORWARDED_FOR'];
$remote_address = $SERVER['REMOTE_ADDR'];
if (!empty($http_client_ip)){
$ip_address = $http_client_ip;
} elseif (!empty($http_x_forwarded_for)) {
$ip_address = $http_x_forwarded_for;
} else {
$ip_address = $remote_address;
}
//block list contains all the IPs that should be blocked.
foreach ($block_list as $block) {
if ($block == $ip_address){
die();
}
}
?>
Visitors can be restricted from accessing your site by using the IP deny manager in your cPanel or by adding the Allow or Deny code in your .htaccess file.
The syntax is as follows:
Allows IP 122.102.1.2 access to your website.
Allow from 122.102.1.2
Denys IP 25.122.6.3 access to your website.
Deny from 25.122.6.3
both combined as,
Order deny,allow
Deny from all
Allow from 203.25.45.2
Deny from unwanted-domain.com
No it does not. It takes his IP and check if it is in the block list. As soon as it will change, he won't be blocked anymore.
You could try blocking a larger range of IP.
By example:
$targetAddr = "123.123..*..*"; //yes is two dots
//this code will match any class of 123.123.x.x,
//you can also do "123.123.123..*" to do anything that is 123.123.123.x
if (ereg($targetAddr, $_SERVER['REMOTE_ADDR'])) {
//remote address match, do something or don't do anything
} else {
//do whatever you want to address that doesn't match
}
To be honest I don't think this is the best way to block users. This could block other users than the one you are trying.
I guess this would be best for regional block, when you want to block your site from a certain geographical area, using the IP range assigned to that area. as goes for certain users with dynamic IP addresses, it won't work well.
I want to make a count of visits to my website from referal websites. I know there are many programs such as Google analytics but there will show you that my taffic is coming from www.facebook.com for example. I want to check if the traffic is coming from some specific urls that I specify such as www.facebook.com/myfanpage.
Befor I think about php I tried several methods with javascript that they did not seem to function the way I wanted to. For my search for php I only found this function. Any Ideas ?
$_SERVER['HTTP_REFERER']
$_SERVER['HTTP_REFERER'] Will do exactly what you need.
if (strstr($_SERVER['HTTP_REFERER'], 'facebook.com') !== false) {
// Facebook brought me to this page.
}
elseif (strstr($_SERVER['HTTP_REFERER'], 'google.com') !== false ) {
// Google brought me to this page.
}
Sorry, I know this is 6 months late but surely if the url was http://mydomain.com/?p=facebook.com then this would also be true? a better way would be to explode the referrers url based on / then extract the 4th section i.e.
$refererUrl = $_SERVER['HTTP_REFERER'];
$Exploded_URL = explode("/",$refererUrl);
$urlToCheck = $Exploded_URL[3].'.'.$Exploded_URL[4];
if($urlToCheck == 'facebook.com'){
/* From Facebook */
} elseif ($urlToCheck == 'google.com'){
/* From Google */
}
$_SERVER['HTTP_REFERER'] should contain the URL that the user is coming from to get to your page. It's not a function. It's simply a value. So you can use it for this purpose.
Do note, however, that the value is easily spoofed. (It's taken from the HTTP request header, and the user can send whatever they want.) It should be acceptably reliable if you're just collecting stats for your own interest or whatever. But if you're trying to use it to secure the page (e.g., only show certain content if the visitor came from a certain URL), forget it.
You will be able to check only if the HTTP Request has referer which is actually accessible in PHP using HTTP_REFERER. So its solely responsible from the referring website.
Get original URL referer with PHP?
The above post also will help you.
I've been googling for days now and have come across different ways to secure folders (htaccess, using a PHP page with a password) but these don't tackle my issue.
The problem:
I need to have a site where different clients can access ONLY THEIR content. Client-A needs to be able to access all their Flash content and websites. Client-B and Client-C need to do the same but none of them can access each others content (even by directly linking to it). A username/password system won't work because each client has 400-1000 users and neither myself or the client has time to manage all these users.
I looked into htaccess and htpasswd but I prefer not to use any username/password combo's. Ideally, I'd like a "secret word" or "passphrase" I could pass from an iPad app or Air program to the server to get the content I need. Anyone have some ideas on the best way to handle this?
EDIT: To simplify things... I want to have HTML sites and Flash swf's above my web root and be able to display them to users. How can I make this happen? I have HTML sites that use relative links so using php's readfile() causes these sites to break since those links aren't correct.
What RDBMS are you using ?
With mod_authn_dbd and a basic authentification you would be able to do so.
Something like this,
AuthType Basic
AuthName "My Server"
AuthBasicProvider dbd
# core authorization configuration
Require valid-user
# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
If you have control over the software which sends the requests, you could add an own X-header to every request which identifies the user.
With apache_request_headers() you can get your own request header from the request:
http://www.php.net/manual/en/function.apache-request-headers.php
==============
Edit after first comment:
Some code for example:
globals.php
$headers = apache_request_headers();
$key = $headers["X-Authorization-Key"];
$authorized = checkAuthorization($key);
if(!$authorized) {
header('HTTP/1.1 403 Forbidden');
echo "Access denied!";
exit;
}
//... db connection or something else to get user specific definitions, paths, ...
//e.g.:
$user = $users[$key];
define("CONTENT_PATH", "/var/www/mypage/data/".$user);
function checkAuthorization($key) {
//... db connection or something else where the authorization-information are stored in
//check whether the $key is in the auth-info and return true / false for the result
return true; //or false
}
in every script on top:
<?php
require_once("globals.php");
//... work with the user specific definitions, paths
include(CONTENT_PATH."/...");
//...
What you do is when the user creates their login account, they have the option to select what group they are using. Then when page info is displayed, it displays the normal page, but with the permissions name included in it. You would have to build 3 seperate content pages, but they would only see what the content of their chosen group.
homegroup1.php
homegroup2.php
homegroup3.php
if the user is in group one, the direct would be home"group".php for the display. It would call for the group on the site they go to.
Recently I created a script that accesses another script to run it. The only way the second script will run, is if it is accessed from the same server. To accomplish this I've made a simple if ($_SERVER['REMOTE_ADDR'] == "XXX.XXX.XXX.XXX") {
(Obviously the XXX.XXX.XXX.XXX is replaced with my server's IP.)
However, I'd like the script to be more portable, so I want it to somehow detect the IP of the same server or something.
Suggestions? Or is this even possible?
A better approach would be to store the second script outside of webroot.
To answer your question $_SERVER['SERVER_ADDR'] will return the IP Address of the server where the current script is executing, but yeah there's better ways to do this, such as making the script unable to be accessed from the web in the first place.
http://php.net/manual/en/reserved.variables.server.php
You could always do something like...
if($_SERVER['REMOTE_ADDR'] == $_SERVER['SERVER_ADDR'] ){
// Do my stuff
} else {
header("Location: http://elsewhere.com");
}
This solution is tied to Apache, but you could copy the idea of stopping hot-linkers linking to your images, just change the parameters to fit your named scripts, or put those local-access only scripts in a single folder - might be a bit more manageable.
http://altlab.com/htaccess_tutorial.html
There are 2 different websites in 2 directories ..path/siteA/ and ..path/siteB/ . I need to load one of them on domain example.com depending on their country they are visiting from.
It can't be www.example.com/siteA it must be www.example.com .
Is it posible?
Edit: found the solution.
Configure Your webserver to listen on two different ports, one pourt should serve content from /path/siteA and the second one from /path/siteB.
Next step is to configure Pound depending on the location of the user (IP geolocalisation) and You're on Your way
It is usually done with geo-location.
You use a redirect on example.com/index.php that redirects to example.com/pathA or example.com/pathB depending on their ip
use the header() function to redirect :)
$ip = $_SERVER['REMOTE_ADDR'];
if(...) // check location of IP
{
header("Location: /pathA");
}
else
{
header("Location: /pathB");
}
http://php.net/manual/en/reserved.variables.server.php
http://au.php.net/manual/en/function.header.php
Edit:
Based on comment, this is what you need: mod_Rewrite: Filter specific pages by IP and redirect them
Yes it is possible. First pages you have to ask the language or show the default language.
This is done by two methods:
Each language can be lines or words assigned in separately files with each variables. By using the variable calling we can the get the language parameter.
Each language can be lines or words assigned in database with separately table.