Zubrag.com
Topic: Hotlink blocking in IE7?
lee_mackey
« on: May 05, 2009, 11:49:46 am »

Thanks a bunch for this script. However, IE 7 complains about the hotlink blocking feature. (Attempts to call the script from IE7 generate the fake "Internal server error" message.)

It looks to me as if perhaps IE7 doesn't set the HTTP_REFERER variable, which would cause line 75 of download.php to fail. A little googling seems to confirm that at best HTTP_REFERER is unreliable or problematic. Note: Firefox is fine, and any Mac browsers work fine too.

In any case, this forces me to have to disable hotlink blocking. Any suggestions?

mtg
« Reply #1 on: May 06, 2009, 10:14:38 am »

Well, the HTTP_REFERER can always be easily forged, so if the files are of any importance, I wouldn't bother with trying to prevent hotlinking. If they are important files that you want to be secure, you should have them protected behind some type of authentication. Then just include a script at the top of your download script that checks to make sure the user is logged in.

Could be a problem with your browser configuration or some other software on your machine that is altering the HTTP_REFERER in IE. What you can do is write a simple script that just outputs the referer:

referervalue.php
Code:
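<?php
// Print the Referer header the browser sent, or a marker if none was sent
echo isset($_SERVER['HTTP_REFERER'])
    ? htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES)
    : '(no referer sent)';
?>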

Then have a page that links to it to check the referer value:
referertest.php
Code:
<a href="referervalue.php">test</a>

When you click the test link, referervalue.php should show referertest.php as being the referer. If it shows anything else, then something's going on with your browser.

The download script only checks to see if the referer is blank or if it doesn't match the allowed referer, so I don't think it's a problem with the script. Either your browser is not passing a referer at all or it simply doesn't match up. What is the allowed referer set to and where are you accessing the download links from?

If you're running Apache, you could also try to prevent hotlinking with .htaccess, but that also relies on the HTTP_REFERER. It's worth giving it a shot, I guess. Here's a tool to generate the .htaccess file: http://www.htaccesstools.com/hotlink-protection/


Also, if you want, you can allow blank referers. Really, you should, and I think that's what your problem is anyway. I believe you just need to change this code:
Code:
// If hotlinking not allowed then make hackers think there are some server problems
if (ALLOWED_REFERRER !== ''
&& (!isset($_SERVER['HTTP_REFERER']) || strpos(strtoupper($_SERVER['HTTP_REFERER']),strtoupper(ALLOWED_REFERRER)) === false)
) {
  die("Internal server error. Please contact system administrator.");
}


to this:
Code:
// If hotlinking not allowed then make hackers think there are some server problems
if (ALLOWED_REFERRER !== '' && isset($_SERVER['HTTP_REFERER'])
&& (strpos(strtoupper($_SERVER['HTTP_REFERER']),strtoupper(ALLOWED_REFERRER)) === false)
) {
  die("Internal server error. Please contact system administrator.");
}

This way it only checks if the referer matches the allowed referer if the $_SERVER['HTTP_REFERER'] variable is set instead of giving you an error if it's not set or doesn't match.
Logged
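
The two checks from the reply above, run side by side over constructed Referer values (an added example, not part of the original posts or of download.php; ALLOWED_HOST, the function names and the sample URLs are assumptions). It goes one step beyond the thread by adding a third variant that compares the parsed host instead of searching for a substring; the header remains client-supplied in all three.

```php
<?php
// Added example, not part of download.php. ALLOWED_HOST, the function names
// and the sample Referer values are constructed for illustration.
const ALLOWED_HOST = 'www.example.com';

// Check as originally posted: a missing or non-matching referer is blocked.
// stripos() is the same test as strpos() on upper-cased strings.
function blocked_original(?string $referer): bool
{
    return $referer === null || stripos($referer, ALLOWED_HOST) === false;
}

// Check as modified in the reply: only a present, non-matching referer is blocked.
function blocked_modified(?string $referer): bool
{
    return $referer !== null && stripos($referer, ALLOWED_HOST) === false;
}

// Stricter variant (assumption, not from the thread): compare the parsed host.
function blocked_host_match(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false; // blank referers stay allowed, as in the modified check
    }
    $host = parse_url($referer, PHP_URL_HOST); // null or false if unusable
    return !is_string($host) || strcasecmp($host, ALLOWED_HOST) !== 0;
}

function verdict(bool $blocked): string
{
    return $blocked ? 'blocked' : 'allowed';
}

// Constructed sample values; null stands for "no Referer header sent".
$samples = [
    'no header sent'               => null,
    'link from own page'           => 'http://www.example.com/files.html',
    'link from another site'       => 'http://other.example.net/page.html',
    'allowed name in query string' => 'http://other.example.net/?q=www.example.com',
];

foreach ($samples as $label => $referer) {
    printf(
        "%-30s original=%-8s modified=%-8s host=%s\n",
        $label,
        verdict(blocked_original($referer)),
        verdict(blocked_modified($referer)),
        verdict(blocked_host_match($referer))
    );
}
```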