PHP session protect from iFrame?

I have a php results page that queries a MySQL database and produces results.  The format to get results is like this:  mypages.php?city=atlanta

This works great, but it's come to my attention that other people are using the results page and my database within an iFrame on their site without my permission.  I have gone to a great deal of expense to compile this database and was wondering what I can do, as far as includes in the page somehow, to redirect the page to another page if the request does not originate from the domain the page is installed on?

I hope that makes sense?  Please provide exact code to do this as this is new to me.  Thanks for your help.
pda4me asked:
Dave Baldwin (Fixer of Problems) commented:
This is supposed to make your page 'break out' of the iframe and become the top page.
<script type="text/javascript">
    // When this document is not the top-level window it is being framed:
    // point the top window at this page so it replaces the framing page.
    if (window.top !== window.self) {
        window.top.location = window.self.location.href;
    }
</script>


Dave Baldwin (Fixer of Problems) commented:
It appears to work so I think I'll be using it on my pages.
pda4me (Author) commented:
But that will still display the page with the "stolen" result won't it?  How do I redirect to another page instead?
Dave Baldwin (Fixer of Problems) commented:
You would have to change the 'self.location.href' to another page like below.  It only goes to that page if it is in a frame.
<script type="text/javascript">
    // Same test as above; when framed, send the top window to another page instead.
    if (window.top !== window.self) {
        window.top.location = "http://www.redirect.com";
    }
</script>


pda4me (Author) commented:
This is close, but won't this also have the same effect if I use an iFrame to access the information within my own site?  Is there a way with PHP to limit the use of the page by checking if it came from localhost or by IP?
Dave Baldwin (Fixer of Problems) commented:
Yes, it will activate on any iFrame.  There are a lot of ways to limit access in PHP but the 'referer' can be spoofed.  You can also use logins, sessions, or access codes.  If you're using PHP, there's not much reason to be using an iframe on your own site since you can conditionally 'include' your results in your own PHP page that has the javascript to break out of an iframe.
pda4me (Author) commented:
The issue is that the php in question is called from a custom widget for WP and I need to have a much larger block of code updated to move to a PHP include instead of the existing iFrame.  Is there a down and dirty php method I can do that would only run the php page if it originated from the same domain?  I am thinking I could discourage a good number of the mooches with just that.
Dave Baldwin (Fixer of Problems) commented:
You could use the referer field realizing that if enough money was at stake, someone would spoof it and get the data anyway.  This is the code I use to test whether I'm on my test server or production server.  You could use some variation of it to decide whether you want to display or exit with a blank page.
$svraddr = $_SERVER['SERVER_ADDR'];
if ($svraddr == "www.mysite.com") .....


pda4me (Author) commented:
Cool, that should do the trick.  Can you please provide a full PHP function so I can copy and paste?  I am thinking it could echo "not authorized" if it's not from the referrer, or redirect to another page like www.disney.com?
Dave Baldwin (Fixer of Problems) commented:
I believe this should work.  Put this code before your own code and your own website address in the second line.
$svraddr = $_SERVER['SERVER_ADDR'];
if ($svraddr != "www.yoursite.com") {
  header('Location: http://www.disney.com/');
  exit;
  }
// followed by your code here.


Dave Baldwin (Fixer of Problems) commented:
Actually that doesn't work.  It is always running on its own server.  Maybe this?
// The Referer header holds the full URL of the page that loaded this one,
// so compare just its host part.  (The header is sent by the client and
// can be left out or spoofed.)
$referer = $_SERVER['HTTP_REFERER'] ?? '';
$refhost = strtolower((string) parse_url($referer, PHP_URL_HOST));
if ($refhost != "www.yoursite.com") {
  header('Location: http://www.disney.com/');
  exit;
  }
// followed by your code here.


pda4me (Author) commented:
Is there a way to do it by IP address instead?
Dave Baldwin (Fixer of Problems) commented:
Try this.  The problem here is that PHP can not detect the iframe.  It just sees a page request.  You may have to use a more complicated combination of javascript and PHP to accomplish your task.

The server variables you can use are on this page: http://www.php.net/manual/en/reserved.variables.server.php  Not all are available on all servers.
// REMOTE_ADDR is the address of the viewer's browser, not of the site
// that embedded the iframe, so this only lets one client address through.
$svraddr = $_SERVER['REMOTE_ADDR'];
if ($svraddr != "11.22.33.44") {
  header('Location: http://www.disney.com/');
  exit;
  }
// followed by your code here.


Ray Paseur commented:
Is there a way to do it by IP address instead?

No.  

You should try what DaveBaldwin first suggested - test the HTTP_REFERER and see if it works for you.  Or you should set up a session variable before loading the iFrame.

I'll try a couple of examples and post what I can find about this.
Ray Paseur commented:
OK, after some testing I've concluded that the session variable is not a viable option - probably due to the way servers and clients handle cookies.  But this worked for me.  First script is the IFRAME code.  Note that there is a hardwired test for a substring of HTTP_REFERER.
<?php // RAY_temp_pda4me_iframe.php
error_reporting(E_ALL);


// THIS MIGHT BE PACKAGED INTO A FUNCTION
$workable = FALSE;
if (isset($_SERVER["HTTP_REFERER"]))
{
    // A HARD-WIRED TEST FOR THE DOMAIN NAME.  ONLY THE HOST PART OF THE
    // REFERER IS COMPARED, SO A URL LIKE http://laprbass.com.example/ OR
    // http://example/?laprbass.com DOES NOT PASS (A PLAIN strpos() ON THE
    // WHOLE STRING WOULD ACCEPT BOTH)
    $host = strtoupper((string) parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST));
    if ($host == 'LAPRBASS.COM' || substr($host, -13) == '.LAPRBASS.COM')
    {
        $workable = TRUE;
    }
}

if (!$workable)
{
    // GO SOMEWHERE ELSE
    header("Location: http://google.com/");
    exit;
}


// AFTER THE FUNCTION IS RUN, THE REST OF THE SCRIPT SHOULD BE OK
echo "<br/>Hello World from inside the Iframe";
echo "<br/>The URL GET arguments are here:";
echo "<br/>";
var_dump($_GET);


Ray Paseur commented:
Next is the foreign script that tries to access the iFrame...  You can install this on your own server and try to get to the iframe.  I think if you're smart about how you use CURL you may be able to fool the iframe script's internal test, but I will leave that as an exercise for the hackers.
<?php // RAY_temp_foreign_pda4me.php
error_reporting(E_ALL);
?>

<p>HELLO WORLD FROM THE TOP OF THE MAIN SCRIPT</p>

<iframe src="http://LAPRBass.com/RAY_temp_pda4me_iframe.php?city=atlanta">OOPS - NO IFRAME SUPPORT</iframe>

<p>HELLO WORLD FROM THE BOTTOM OF THE MAIN SCRIPT</p>


Ray Paseur commented:
Next is the local script on the LAPRBass.com site.  Notice that it is the same as the foreign script.  It works here, but not on the foreign server.  I will leave these URLs in place for a little while so you can test and see what happens.

http://www.laprbass.com/RAY_temp_local_pda4me.php
http://www.nationalpres.org/RAY_temp_foreign_pda4me.php

Best to all, ~Ray
<?php // RAY_temp_local_pda4me.php
error_reporting(E_ALL);
?>

<p>HELLO WORLD FROM THE TOP OF THE MAIN SCRIPT</p>

<iframe src="http://LAPRBass.com/RAY_temp_pda4me_iframe.php?city=atlanta">OOPS - NO IFRAME SUPPORT</iframe>

<p>HELLO WORLD FROM THE BOTTOM OF THE MAIN SCRIPT</p>

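Ray reported that a session variable did not survive across sites (the browser would have to send the results page's cookie from inside a foreign frame), and Dave mentioned "access codes" as another option.  The following is an added example written for this thread, not code posted by Ray or Dave, showing an access code that needs no cookie: the parent page on one of your own domains signs the iframe URL with an HMAC and an expiry, and mypages.php rejects any request whose token is missing, altered or expired.  The secret, the URL and the parent-page snippet are placeholders.

```php
<?php
// Added example for this thread, not code posted by Ray or Dave.  The secret, the
// URL and the parent-page snippet are placeholders.  The parent page (on any of
// your own domains, served by the same PHP installation) signs the iframe URL;
// mypages.php refuses requests whose token is missing, altered or expired.

const EMBED_SECRET = 'replace-with-32-plus-random-bytes-kept-out-of-the-webroot'; // placeholder
const EMBED_TTL    = 300;   // seconds a signed URL stays usable

// The signed message covers city and expiry, so neither can be changed without
// invalidating the signature.  http_build_query() gives an unambiguous encoding.
function embed_message(string $city, int $exp): string
{
    return http_build_query(['city' => $city, 'exp' => $exp]);
}

// Parent page side: build the iframe src for $city, valid for EMBED_TTL seconds.
function embed_url(string $base, string $city, int $now, string $secret = EMBED_SECRET): string
{
    $exp = $now + EMBED_TTL;
    $sig = hash_hmac('sha256', embed_message($city, $exp), $secret);
    return $base . '?' . http_build_query(['city' => $city, 'exp' => $exp, 'sig' => $sig]);
}

// mypages.php side: true only when the signature over city and exp verifies
// (constant-time compare) and the expiry has not passed.
function embed_token_valid(array $query, int $now, string $secret = EMBED_SECRET): bool
{
    if (!isset($query['city'], $query['exp'], $query['sig'])) {
        return false;
    }
    if (!is_string($query['city']) || !is_string($query['exp']) || !is_string($query['sig'])) {
        return false;   // city[]=... style arrays in the query string are rejected
    }
    if (!ctype_digit($query['exp'])) {
        return false;
    }
    $exp = (int) $query['exp'];
    if ($exp < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', embed_message($query['city'], $exp), $secret);
    return hash_equals($expected, $query['sig']);
}

// Parent page (on one of your own domains) emits the iframe like this:
//   $src = embed_url('http://LAPRBass.com/mypages.php', 'atlanta', time());
//   echo '<iframe src="' . htmlspecialchars($src, ENT_QUOTES) . '"></iframe>';

// mypages.php, before the database query:
if (PHP_SAPI !== 'cli' && !embed_token_valid($_GET, time())) {
    http_response_code(403);
    exit('Not authorized');
}
// ... query the database for $_GET['city'] and print the results ...
```

Every page that embeds the results must be changed to build its iframe src with embed_url(), because a bare mypages.php?city=atlanta no longer works.  A copied iframe tag stops working after EMBED_TTL seconds, and changing the city parameter breaks the signature, which is what defeats casual copying.  It is not authentication: a site willing to fetch one of your parent pages server-side can harvest a fresh token each time, so for that threat combine it with a browser-enforced framing policy or a real login.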

pda4me (Author) commented:
Looks good.  Is there NO way to use IP?  The situation is that I have a shared IP where multiple domains will use the iframe locally from that shared IP, but the domains are different.  The IFrame will be called from each of these unique domains.  Is the only solution to hard code the domains allowed access somehow?
Ray Paseur commented:
How many domains are we talking about?  To pick an arbitrary number, if it's less than a thousand, I would just hard code them into a function call.  More than that, I'd go with a database table.  You might use an array of complete names and test with in_array() or use some kind of strpos() or REGEX matching.

You can try translating the URL to an IP address or look at phpinfo() and see what you're getting in there.  I didn't really research it because I don't trust the IP address as much as I trust the HTTP_REFERER.  I like the idea of letting the internet work with meaningful names.  Easier to read, remember, understand.  Of course, either one could be phony, and if you really want to protect the script, you probably need to put it behind SSL and use authentication (maybe OAuth).
Dave Baldwin (Fixer of Problems) commented:
"The situation is that I have a shared IP where multiple domains will use the iframe locally from that shared IP but the domains are diffrent.  The IFrame will be called from each of these unique domains."

No, it won't.  It will be called from the viewer's browser which could be anywhere and any IP in the world.
pda4me (Author) commented:
Actually we are talking just a handful of names, less than 20 actually.  It does not need to be to the level of a developer, just to unscrupulous web users that know how to use an iframe within WordPress for example.

in this scenario, how would I extend this to cover a few other domains to check?

    if (strpos(strtoupper($_SERVER["HTTP_REFERER"]), 'LAPRBASS.COM'))
Ray Paseur commented:
You might use an array of complete names and test with in_array() or use some kind of strpos() or REGEX matching.  Let's say you want to allow only domains with "www.laprXXXX" in the name.  You might test for "www.lapr" and ignore the XXXX part.  It all depends on your needs, your security sensitivity, etc.  This is both art and science.  We cannot determine it for you.
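Dave's referer check and Ray's multi-domain allowlist can be combined into one piece of code, and the same list can drive a Content-Security-Policy frame-ancestors header, which the viewer's browser enforces regardless of what the Referer says (it also survives a framing page that uses the iframe sandbox attribute to switch off the JavaScript frame-buster earlier in the thread).  This is an added example written for this thread, not code posted by Dave or Ray; the hostnames and the redirect target are placeholders to replace with your own fewer-than-20 domains.

```php
<?php
// Added example for this thread, not code posted by Dave or Ray.  Hostnames and
// the redirect target are placeholders: put your own domains in the list.

// Domains whose pages may embed mypages.php.  Subdomains of each are accepted too.
const ALLOWED_PARENT_HOSTS = ['laprbass.com', 'example.org', 'www.example.net'];

// True when $host equals an allowed host or ends in ".<allowed host>".  The match
// is anchored, so 'laprbass.com.evil.tld' is rejected where a plain strpos() test
// on the whole Referer string would accept it.
function host_allowed(string $host, array $allowed): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $a) {
        $a = strtolower($a);
        if ($host === $a) {
            return true;
        }
        if (strlen($host) > strlen($a) && substr($host, -(strlen($a) + 1)) === '.' . $a) {
            return true;
        }
    }
    return false;
}

// Decide from the Referer header whether the embedding page is on an allowed host.
// A missing or unparsable Referer counts as "not ours".  The header is supplied by
// the client, so this is a nuisance barrier against casual iframe copying, not
// authentication.
function referer_allowed(?string $referer, array $allowed): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && $host !== '' && host_allowed($host, $allowed);
}

// Build the CSP frame-ancestors directive from the same list.  The viewer's browser
// enforces it: the page is not rendered inside a frame whose ancestor origins are
// not listed, whatever the Referer says and whether or not the framing page uses
// sandbox to disable a JavaScript frame-buster.
function frame_ancestors_header(array $allowed): string
{
    $sources = ["'self'"];
    foreach ($allowed as $a) {
        foreach (['https://', 'http://'] as $scheme) {
            $sources[] = $scheme . $a;
            $sources[] = $scheme . '*.' . $a;
        }
    }
    return 'Content-Security-Policy: frame-ancestors ' . implode(' ', $sources);
}

// In mypages.php, before the database query:
if (PHP_SAPI !== 'cli') {
    header(frame_ancestors_header(ALLOWED_PARENT_HOSTS));
    if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_PARENT_HOSTS)) {
        header('Location: https://www.example.com/', true, 302);  // placeholder target
        exit;
    }
}
// ... run the query for $_GET['city'] and print the results ...
```

Two practical points.  First, browsers drop the Referer when the embedding page sets Referrer-Policy: no-referrer or when an HTTPS page frames an HTTP one, so your own parent pages must be allowed to send at least the origin (the default strict-origin-when-cross-origin policy does) or they will be redirected like everyone else.  Second, the older X-Frame-Options header can only say DENY or SAMEORIGIN, so it cannot express a list of 20 domains; frame-ancestors is the header that fits this case, and unlike the Location redirect, which merely loads the redirect target inside the thief's frame, it stops the results page from being displayed there at all.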