PHPBuilder.com  
 

 

Old 11-01-2003, 03:30 AM   #1
drawmack
Computers can do that?
 
 
Join Date: Apr 2003
Location: Pocono Mtns PA
Posts: 3,268
Hot Link Prevention

Hey here is a piece of GPL code that I just finished packaging up.

It's a hot link prevention scheme implemented entirely in php.

I know it's pretty easy to get around:
::coughhiddenframescough::
::coughpopupscough::

The main things I'm interested in are
1) did I do the gpl stuff right, it's my first time using it.
2) is there a stronger way to do this in php?
Old 11-01-2003, 03:31 AM   #2
drawmack
forgot to attach the file here it is
Attached Files
File Type: zip ewd_hlp_10.zip (30.2 KB, 83 views)
Old 11-01-2003, 02:58 PM   #3
Moonglobe
Better fan than rebelo!
 
 
Join Date: Apr 2003
Location: brain://localhost:left-side
Posts: 2,381
why do you die() after setting the hotlink image? do you not want it output?
__________________
there's no place i can be, since i found serenity.
Old 11-01-2003, 03:10 PM   #4
drawmack
sometimes the only response I have is ooppss. Anyway here is the fixed version.
Attached Files
File Type: zip ewd_hlp_10.zip (30.1 KB, 81 views)
Old 11-02-2003, 09:33 PM   #5
bigray
Senior Member
 
Join Date: Aug 2002
Location: usa
Posts: 144
what does this script do?
Old 11-02-2003, 11:05 PM   #6
drawmack
It is a weak form of hot link prevention.

one of the scripts sets a session variable.

the other script checks for the existence of this session variable before spitting out the file that was requested. If the session variable does not exist then the second script spits out a file that displays hot linker on the person's screen instead of the requested file.

It is weak due to the use of session variables. I have another one written that uses $_SERVER['HTTP_REFERER'] instead which is a bit stronger but could fail if the http_referer is blank for any reason. I'll be working up a third version in the near future that puts both methods together. It is for a series of articles for my web site.
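The combination described in post #6 (Referer check, with the session flag as the fallback when the Referer is blank), sketched as an added example; it is not code from the thread or from the attached package. ALLOWED_HOST, IMAGE_DIR, the 'hlp_ok' session key and both function names are assumptions.

```php
<?php
// Added example: combines the Referer check and the session flag.
// ALLOWED_HOST, IMAGE_DIR, the 'hlp_ok' key and the function names are assumptions.
const ALLOWED_HOST = 'www.example.com';
const IMAGE_DIR = __DIR__ . '/Images';

// Decide whether a request may receive the real file.
function hotlink_allowed(?string $referer, array $session): bool
{
    if ($referer !== null && $referer !== '') {
        // Compare the parsed host exactly; a substring test would also accept
        // http://other.example/?www.example.com
        $host = parse_url($referer, PHP_URL_HOST);
        return is_string($host) && strcasecmp($host, ALLOWED_HOST) === 0;
    }
    // Blank Referer (proxy, privacy setting): fall back to the session flag
    // that the embedding page set.
    return !empty($session['hlp_ok']);
}

// Map the requested name to a file inside IMAGE_DIR, or null if it is not there.
function resolve_image(string $name): ?string
{
    $root = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . basename($name)); // basename() drops any directory part
    if ($root === false || $path === false) {
        return null;
    }
    $inside = strpos($path, $root . DIRECTORY_SEPARATOR) === 0;
    return ($inside && is_file($path)) ? $path : null;
}

// Constructed sample requests: [Referer header, session contents, expected decision]
$samples = [
    ['http://www.example.com/gallery.php', [], true],
    ['http://other.example/?www.example.com', ['hlp_ok' => true], false],
    ['', ['hlp_ok' => true], true],
    [null, [], false],
];
foreach ($samples as [$ref, $sess, $expected]) {
    $got = hotlink_allowed($ref, $sess);
    printf("%-42s session=%d -> %s%s\n", var_export($ref, true), !empty($sess['hlp_ok']),
        $got ? 'serve file' : 'serve placeholder', $got === $expected ? '' : '  (unexpected)');
}
// A request that tries to leave IMAGE_DIR resolves to nothing.
var_dump(resolve_image('../config.php'));
```

The session fallback is still open to the hidden-frame approach mentioned in the first post, so this makes hotlinking harder without preventing it.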
Old 11-04-2003, 01:14 AM   #7
bigray
Cool man,
do you have a login script, like say someone is not a member on your site.
Any link he clicks it will say something like "Hey guest, click here to login, etc"? Where can I get a script like this or do you already have one? Thanks bro.
Old 11-04-2003, 01:34 AM   #8
BuzzLY
2($infinity) && $beyond
 
 
Join Date: Nov 2002
Location: Star Command
Posts: 2,535
As was pointed out to you earlier, this is off topic, and off forum. I split your question to the General Help forum, to this thread.

Let's keep this forum and its threads for code critique only, ok?
__________________
New to the board? Check out the guidelines
| Color Picker | Blogification |
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
With all its sham, drudgery, and broken dreams, it's still a beautiful world.
Old 11-24-2003, 01:19 PM   #9
KITTfan2K
Farscape Rules!
 
 
Join Date: Oct 2002
Location: Uncharted Territories
Posts: 119
There's probably a simpler way to do this:

PHP Code:
<?php

// Placeholder: your own host name, used for the referer check.
$MySiteName = 'www.example.com';

// Assumes the served files live in Images/; basename() drops any path in the request.
$Path = 'Images/' . basename(isset($_GET['File']) ? $_GET['File'] : '');
$Referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if (strpos($Referer, $MySiteName) === false || !is_file($Path) || !($File = @fopen($Path, "rb")))
// If the http_referer is not from your site, or the file can't be opened.
{
   // Open the 'NotFound' file and change the filesize accordingly
   $FileLength = filesize("Images/NotFound.gif");
   $File = fopen("Images/NotFound.gif", "rb");
   // The 'NotFound' file had better exist, otherwise the image will show as a red X!
}
else
{
   // get the filesize of the file that we're loading
   $FileLength = filesize($Path);
}

$File2 = fread($File, $FileLength);
fclose($File);
// Get the contents of the file and then close it.

echo $File2;
// print out the contents of the file.

?>
This is just something that I came up with off the top of my head to do a similar thing.

edit: this is probably riddled with errors, I didn't check anything on the PHP manual before I posted, but the comments should give you the general idea.

KITTfan2K

Last edited by KITTfan2K; 11-24-2003 at 01:27 PM.
Old 11-24-2003, 05:45 PM   #10
drawmack
Kitt: http://www.suryvial.com/articles/1/3
Old 12-06-2003, 04:55 PM   #11
liquidmotion
Junior Member
 
Join Date: Dec 2003
Posts: 3
what we do is, have the page that SHOULD HAVE referred it set a session or other variable. if this variable isn't present/correct when the user tries to download the file, deny access.
Old 12-07-2003, 01:49 AM   #12
drawmack
That is way easy to hack:

Here is an overview of the protocol you're using:

Page A --> Sets session variable
Page B --> Reads session variable and (dis)allows access accordingly.


Here is the hack

Page C --> frames page with Page A in a hidden frame
Page D --> loads your image and the session variable is set.

Last edited by drawmack; 12-07-2003 at 01:52 AM.
Old 12-07-2003, 01:51 AM   #13
Moonglobe
what do backticks have to do with hotlink prevention and sessions?
__________________
there's no place i can be, since i found serenity.
Old 12-07-2003, 01:53 AM   #14
drawmack
moon, I had to change the batteries in my keyboard and the submit was accidental. I've fixed it now.
Old 12-07-2003, 02:07 AM   #15
liquidmotion
Quote:
Originally posted by drawmack
That is way easy to hack:

Here is an overview of the protocol you're using:

Page A --> Sets session variable
Page B --> Reads session variable and (dis)allows access accordingly.


Here is the hack

Page C --> frames page with Page A in a hidden frame
Page D --> loads your image and the session variable is set.

are your files really worth saving that badly? if they go to this much trouble to "hack" it, they are going to get it.

i guess.