
HTTP_REFERER Question...

NTGrE asked
1,378 Views
Last Modified: 2013-12-12
I have a page at http://localhost/vilyl/index.php and I don't want to allow direct access to it...

I use the Joomla wrapper and I want to allow access from there, so I've made this:

$refferer = $_SERVER['HTTP_REFERER'];
$yoursite = "http://localhost/index.php?option=com_wrapper&Itemid=26";

if($refferer != $yoursite){
  die ("Sorry, this page is not available from $refferer. Please visit $yoursite to see the page correctly!");
}

where http://localhost/index.php?option=com_wrapper&Itemid=26 is Joomla's link.

It seems to work: if I try direct access I get the error message, and if I go through the Joomla wrapper the page is displayed correctly..

BUT...

when I click a link on this page (a category link) I get the error again:

Sorry, this page is not available from http://localhost/vilyl/index.php. Please visit http://localhost/index.php?option=com_wrapper&Itemid=26 to see the page correctly!

The code of my index.php goes like this...

<?php
$refferer = $_SERVER['HTTP_REFERER'];
$yoursite = "http://localhost/index.php?option=com_wrapper&Itemid=26";

if($refferer != $yoursite){
  die ("Sorry, this page is not available from $refferer. Please visit $yoursite to see the page correctly!");
} elseif($refferer == $yoursite){

        include("config.inc.php");
        include("design.inc.php");
        include("max_char.inc.php");
            include("cntdwn.inc.php");
       
            
            
        // initialization
        $result_array = array();
        $counter = 0;

        $cid = (int)($_GET['cid']);
        $pid = (int)($_GET['pid']);

        // Category Listing<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

        if( empty($cid) && empty($pid) )
        {
                $number_of_categories_in_row = 4;

                $result = mysql_query( "SELECT c.category_id,c.category_name,COUNT(photo_id)
                                                FROM gallery_category as c
                                                LEFT JOIN gallery_photos as p ON p.photo_category = c.category_id
                                                GROUP BY c.category_id ORDER BY category_name" );
                while( $row = mysql_fetch_array( $result ) )
                {
                        $result_array[] = "<a href='index.php?cid=".$row[0]."'>".$row[1]."</a> "."(".$row[2].")";
                }
                mysql_free_result( $result );        

                $result_final = "<tr>\n";

                foreach($result_array as $category_link)
                {
                        if($counter == $number_of_categories_in_row)
                        {        
                                $counter = 1;
                                $result_final .= "\n</tr>\n<tr>\n";
                        }
                        else
                        $counter++;

                        $result_final .= "\t<td>".$category_link."</td>\n";
                }

                if($counter)
                {
                        if($number_of_categories_in_row-$counter)
                                               $result_final .= "</tr>";
                }
        }


        // Thumbnail Listing<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

        else if( $cid && empty( $pid ) )
        {
                $number_of_thumbs_in_row = 1;

                // If current page number, use it
                // if not, set one!

                if(!isset($_GET['page'])){
                    $page = 1;
                } else {
                    $page = $_GET['page'];
                }
.
.
.
..
bla bla bla....etc.

It seems only the first part works, when I create the category listing, but when I click on a category I get the error message......

:((

1) Any idea why??

2) How can I redirect to my page a few seconds after the error is displayed???

Thanks for your time..

Harisha M G, Engineer
CERTIFIED EXPERT

Commented:
Hi, try this:

$refferer = $_SERVER['HTTP_REFERER'];
$yoursite = "http://localhost/index.php";

if (substr ( $refferer, 0 ,strlen($yoursite)) == $yoursite)
...

---
Harish
CERTIFIED EXPERT

Commented:
Well, your own referrer checking code is what's locking you out (which you know already).  Once they get to your index page and start browsing pages from there, $yoursite is no longer their referrer, index.php is.  You could try adjusting your code to check for this.  Example:

$refferer = $_SERVER['HTTP_REFERER'];
$referrer2 = explode("?", $refferer);
// Essentially removes any query string by separating it from the path and filename

$myindex = "http://localhost/vilyl/index.php";
$yoursite = "http://localhost/index.php?option=com_wrapper&Itemid=26";

if($refferer != $yoursite && $referrer2[0] != $myindex){
  die ("Sorry, this page is not available from $refferer. Please visit $yoursite to see the page correctly!");
}

If you have other pages in this area besides index.php, then you would need to trim the referrer2 URL down further to check just the directory.
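The check described above can be made less fragile by comparing parsed URL parts (scheme, host, path prefix) instead of raw string prefixes, and by accepting both the wrapper page and any page under the gallery's own directory, which is what is needed once the visitor follows category and photo links inside the wrapper. The snippet below is an added example, not code from the thread; it also answers question 2 with a `Refresh` header that sends the visitor back to the wrapper after a few seconds. The wrapper URL and the `/vilyl/` directory are taken from the question; the function name `referer_allowed` and the constructed test cases are assumptions.

```php
<?php
// Added example (not the poster's code): referer check that accepts the Joomla
// wrapper page and every page under the gallery directory, comparing parsed
// URL components rather than raw string prefixes.
//
// Assumed layout (placeholders from the thread): wrapper at
// http://localhost/index.php, gallery at http://localhost/vilyl/.

// Returns true when $referer has the same scheme and host as one of the
// allowed URLs and its path begins with that URL's path. Query strings are
// ignored, so "index.php?cid=3" still matches the "/vilyl/" prefix.
function referer_allowed(?string $referer, array $allowed): bool
{
    if ($referer === null || $referer === '') {
        return false;   // browsers, proxies and Referrer-Policy may strip the header
    }
    $r = parse_url($referer);
    if ($r === false || !isset($r['scheme'], $r['host'], $r['path'])) {
        return false;
    }
    foreach ($allowed as $url) {
        $a = parse_url($url);
        if ($a === false || !isset($a['scheme'], $a['host'], $a['path'])) {
            continue;
        }
        if (strcasecmp($r['scheme'], $a['scheme']) !== 0) { continue; }
        if (strcasecmp($r['host'],   $a['host'])   !== 0) { continue; }
        // Path prefix: "/vilyl/" accepts "/vilyl/index.php" and "/vilyl/view.php"
        // but not "/vilylx/"; host must match exactly, so a look-alike host fails.
        if (strncmp($r['path'], $a['path'], strlen($a['path'])) === 0) {
            return true;
        }
    }
    return false;
}

$wrapper = 'http://localhost/index.php?option=com_wrapper&Itemid=26';
$gallery = 'http://localhost/vilyl/';
$allowed = [$wrapper, $gallery];

$referer = $_SERVER['HTTP_REFERER'] ?? null;

if (PHP_SAPI !== 'cli' && !referer_allowed($referer, $allowed)) {
    // Question 2: send the visitor to the wrapper page after 5 seconds.
    header('Refresh: 5; url=' . $wrapper);
    // The Referer value is client-supplied: escape it before echoing into HTML.
    $shown = htmlspecialchars((string) $referer, ENT_QUOTES, 'UTF-8');
    die("Sorry, this page is not available from $shown. You will be taken to "
        . htmlspecialchars($wrapper, ENT_QUOTES, 'UTF-8') . " in 5 seconds.");
}

// Constructed cases, run from the command line: php referer_check.php
if (PHP_SAPI === 'cli') {
    $cases = [
        'http://localhost/index.php?option=com_wrapper&Itemid=26' => true,  // wrapper page
        'http://localhost/vilyl/index.php?cid=3'                   => true,  // category link
        'http://localhost/vilyl/index.php?cid=3&pid=7'             => true,  // photo link
        'http://localhost/vilylx/index.php'                        => false, // different directory
        'http://other.example/vilyl/index.php'                     => false, // different host
        ''                                                         => false, // header absent
    ];
    foreach ($cases as $ref => $expected) {
        $got = referer_allowed((string) $ref, $allowed);
        printf("%-62s %s\n", $ref === '' ? '(no referer)' : $ref,
               $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Keep in mind what this check can and cannot do: the Referer header is set by the client, is often absent (privacy settings, cross-scheme navigation, Referrer-Policy), and can be forged by anyone who wants to, so it only discourages casual direct linking. If the gallery genuinely must be reachable only through Joomla, have Joomla establish a session or pass a signed token that the gallery verifies, and treat the referer check as a convenience rather than access control.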

Author

Commented:
:((

You mean this way??

$refferer = $_SERVER['HTTP_REFERER'];                                    
$yoursite = "http://localhost/index.php";

if (substr ( $refferer, 0 ,strlen($yoursite)) == $yoursite){
die ("Sorry, this page is not available from $refferer. Please visit $yoursite to see the page correctly!");
}

When I use $yoursite = "http://localhost/index.php";

http://localhost/vilyl/index.php is accessed directly and not from Joomla.

When I use $yoursite = "http://localhost/vilyl/index.php";
it does exactly as before.

:((


I'll post all the index.php code if that helps.

<?
if (substr ( $refferer, 0 ,strlen($yoursite)) == $yoursite){
die ("Sorry, this page is not available from $refferer. Please visit $yoursite to see the page correctly!");
}

        include("config.inc.php");
        include("design.inc.php");
        include("max_char.inc.php");
            include("cntdwn.inc.php");
       
            
            
        // initialization
        $result_array = array();
        $counter = 0;

        $cid = (int)($_GET['cid']);
        $pid = (int)($_GET['pid']);

        // Category Listing

        if( empty($cid) && empty($pid) )
        {
                $number_of_categories_in_row = 4;

                $result = mysql_query( "SELECT c.category_id,c.category_name,COUNT(photo_id)
                                                FROM gallery_category as c
                                                LEFT JOIN gallery_photos as p ON p.photo_category = c.category_id
                                                GROUP BY c.category_id ORDER BY category_name" );
                while( $row = mysql_fetch_array( $result ) )
                {
                        $result_array[] = "<a href='index.php?cid=".$row[0]."'>".$row[1]."</a> "."(".$row[2].")";
                }
                mysql_free_result( $result );        

                $result_final = "<tr>\n";

                foreach($result_array as $category_link)
                {
                        if($counter == $number_of_categories_in_row)
                        {        
                                $counter = 1;
                                $result_final .= "\n</tr>\n<tr>\n";
                        }
                        else
                        $counter++;

                        $result_final .= "\t<td>".$category_link."</td>\n";
                }

                if($counter)
                {
                        if($number_of_categories_in_row-$counter)
                                               $result_final .= "</tr>";
                }
        }


        // Thumbnail Listing<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

        else if( $cid && empty( $pid ) )
        {
                $number_of_thumbs_in_row = 1;

                // If current page number, use it
                // if not, set one!

                if(!isset($_GET['page'])){
                    $page = 1;
                } else {
                    $page = $_GET['page'];
                }

                // Define the number of results per page
                $max_results = 20;

                // Figure out the limit for the query based
                // on the current page number.
                $from = (($page * $max_results) - $max_results);
                        
                        $result = @mysql_query( "SELECT photo_id,photo_caption,photo_filename,enddate FROM gallery_photos WHERE photo_category='".addslashes($cid)."' LIMIT $from, $max_results");
                   
                        $countdown = cntdwn($enddate);
               
                        $nr = @mysql_num_rows( $result );
                        
                                         
                              
                if( empty( $nr ) )
                {
                        $result_final = "\t<tr><td><div align=\"center\"><strong>No Ithems in this category found!</strong>
                                                <br><br><font size=\"2\"><a href='index.php'>Back to Photo Gallery Category List</a></font>
                                                </div></td></tr>\n";
                }
                else
                {
                        while( $row = mysql_fetch_array( $result ) )
                                 {
                                      $photoId = $row[0];
                          $caption = $row[1];
                          $filename = $row[2];
                          $enddate = $row[3];
                                      $countdown = cntdwn($enddate);
                                      $maxchar = abreviated_text( $text_to_display, $MAX_LEN );
                                     
                        $result_array[] = "<tr><td width='100' height='100'><a href='index.php?cid=$cid&pid=".$row[0]."'><img src='".$images_dir."/tb_".$row[2]."' border='0' alt='".$row[1]."' ></a></td>
                                    <td><a href='index.php?cid=$cid&pid=".$row[0]."'>$maxchar</td>
                                    <td><div style='text-align:center;'><a href='index.php?cid=$cid&pid=".$row[0]."'>".$year = substr($row[3],0,4)."/".$month = substr($row[3],4,2)."/".$day = substr($row[3],6,2)."</div></td>
                                    <td><p><div style='text-align:center;'><a href='index.php?cid=$cid&pid=".$row[0]."'>$day/$month/$year</a></div></p>
                                        <p><div style='text-align:center;'><a href='index.php?cid=$cid&pid=".$row[0]."'>$countdown</div></p></td>
                                    <td><div style='text-align:center;'><a href='index.php?cid=$cid&pid=".$row[0]."'>$countdown</div></td>
                                    </tr>";
                        }
                        mysql_free_result( $result );

                        $result = @mysql_query( "SELECT category_name FROM gallery_category WHERE category_id='".addslashes($cid)."'" );
                        list($category_name) = mysql_fetch_array( $result );
                        mysql_free_result( $result );

                         $result_final = "<tr><a href='index.php'>Categories</a> &gt; $category_name<br><br><br>";
       
                        foreach($result_array as $thumbnail_link)
                        {
                                if($counter == $number_of_thumbs_in_row)
                                {        
                                        $counter = 1;
                                        $result_final .= $category_link."\n</tr>\n<tr>\n";
                                }
                                else
                                $counter++;

                                $result_final .= "\t<td><div align=\"left\">".$thumbnail_link."</div></td>\n";
                        }
       
                        if($counter)
                        {
                                if($number_of_photos_in_row)
                        $result_final .= "\t<td colspan='".($number_of_thumbs_in_row)."'></td>\n";
                        $result_final .= "</tr>\n";
                        // Figure out the total number of results in DB:
$total_results = mysql_result(mysql_query("SELECT COUNT(*) as Num FROM gallery_photos WHERE photo_category=".addslashes($cid).""),0);

// Figure out the total number of pages. Always round up using ceil()
$total_pages = ceil($total_results / $max_results);

if ($total_pages >1)
{  // build links if more than one page


// Build Page Number Hyperlinks
$result_final .=  "<tr><td colspan=5'".$number_of_thumbs_in_row."'>Page: ".$page.' of '.$total_pages."<br>";


// Build Previous Link
if($page > 1){
    $prev = ($page - 1);
    $result_final .=  "\n<a href=\"".$_SERVER['PHP_SELF']."?cid=$cid&page=$prev\" title='Previous Page'>&lt;&lt; Prev</a>";
}

for($i = 1; $i <= $total_pages; $i++){
    if(($page) == $i){
        $result_final .= "&nbsp;[$i]";
        } else {
            $result_final .=  "\n<a href=\"".$_SERVER['PHP_SELF']."?cid=$cid&page=$i\" title='Page ".$i."'>$i</a>";
    }
}

// Build Next Link
if($page < $total_pages){
    $next = ($page + 1);
    $result_final .=  "\n<a href=\"".$_SERVER['PHP_SELF']."?cid=$cid&page=$next\" title='Next Page'>Next &gt;&gt;</a>";
}
$result_final .=  "\n</td></tr>";

}
else
{
$result_final .=  "\n";
}
}
}
}

        // Full Size View of Photo
        else if( $pid )
        {
                $result = mysql_query( "SELECT elm1,photo_caption,photo_filename,enddate FROM gallery_photos WHERE photo_id='".addslashes($pid)."'" );
                list($elm1,$photo_caption, $photo_filename,$enddate) = mysql_fetch_array( $result );
                $nr = mysql_num_rows( $result );
                mysql_free_result( $result );        

                if( empty( $nr ) )
                {
                        $result_final = "\t<tr><td>No Photo found</td></tr>\n";
                }
                else
                {
                        $result = mysql_query( "SELECT category_name FROM gallery_category WHERE category_id='".addslashes($cid)."'" );
                        list($category_name) = mysql_fetch_array( $result );
                        mysql_free_result( $result );        
                       
                                    $countdown = cntdwn($enddate);
                                    
                                    
                        $result_final .= "<tr>\n\t<td>
                                                <a href='index.php'>Categories</a> &gt;
                                                <a href='index.php?cid=$cid'>$category_name (Thumbnail Listing)</a></td>\n</tr>\n";

                        $result_final .= "<tr>\n\t<td align='center'>
                                        <br />
                                        <img src='".$images_dir."/".$photo_filename."' border='0' alt='".$photo_caption."' />
                                        <br />
                                        $photo_caption
                                                            <br />
                                        $year/$month/$day $countdown
                                                            $elm1
                   
                                        </td>
                                        </tr>";
                }
        }

// Final Output
echo <<<__HTML_END

<html>
<head>
        <title>Gallery View</title>
</head>
<style type="text/css">
<!--
.timeremain {
      font-weight: bold;
      color: #000099;
}
.finishedtext {
font-weight: bold;
color: #FF9900;
}

-->
</style>

$design_header
<body>
<FORM NAME="login" METHOD="post" ACTION="login.php">
  <table border="0" align="center" cellpadding="3" cellspacing="3">
    <tr>
      <td><font color="#000000" size="1">Username:</font></td>
      <td><input type="text" size="10" name="user"></td>
      <td><font color="#000000" size="1">Password:</font></td>
      <td><input type="password" size="10" name="pass"></td>
      <td><input type="submit" name="submit" value="Log In"></td>
    </tr>
  </table>
</FORM>
<table width='100%' cellspacing='3' cellpadding='3' border='1' bordercolor='black' align='center'>
$result_final                
</table>
$design_footer
</body>
</html>

__HTML_END;
?>

Author

Commented:
Thanks Tomeeboy for your reply....
But again the same... :((

Not accessed directly.
Accessed by Joomla, but only the category listing.

:((
Harisha M G, Engineer
CERTIFIED EXPERT

Commented:
Where are the lines

$refferer = $_SERVER['HTTP_REFERER'];
$yoursite = "http://localhost/index.php";


It should be like this:

<?
$refferer = $_SERVER['HTTP_REFERER'];
$yoursite = "http://localhost/index.php";

if (substr ( $refferer, 0 ,strlen($yoursite)) == $yoursite){
die ("Sorry, this page is not available from $refferer. Please visit $yoursite to see the page correctly!");
}
...

Author

Commented:
Same result, mgh_mgharish... :(((

Thanks Tomeeboy!!!

Working!!!

:))

Thanks
CERTIFIED EXPERT

Commented:
Glad it's working.

Btw, the reason why mgh_mgharish's last suggestion didn't work is because it's displaying the error for the wrong reason:

if (substr ( $refferer, 0 ,strlen($yoursite)) == $yoursite){
die ("Sorry, this page is not available from $refferer. Please visit $yoursite to see the page correctly!");
}

This is telling the script to display the referrer error ONLY if the referring page is http://localhost/index.php, which is obviously not what we're wanting to do.  It should have been != instead of ==.  The concept was correct, but the implementation was just flipped.
Harisha M G, Engineer
CERTIFIED EXPERT

Commented:
:-)
