2

I made this simple code to prevent hotlinking of my files from my PHP download file:

```php
if ((strpos($_SERVER['HTTP_REFERER'],'www.domain.com')!==0)) {
    $redirect='index.php';
    header("Location: $redirect");
    exit;
}
```

It's not working; it always redirects me to index.php even if I clicked the link inside my website. I tried to change the domain to many types, like:

http://www.domain.com
www.domain.com
domain.com
domain

But still the same problem.

Aamir
Alamri
  • what is the value of `$_SERVER['HTTP_REFERER']`? – Jayson O. Nov 07 '12 at 02:43
  • 2
    1. `var_dump($_SERVER['HTTP_REFERER']);` 2. You need to redirect only if referer exists and isn't equal to your domain. Do nothing otherwise – zerkms Nov 07 '12 at 02:44
  • Why not use .htaccess to do this? Beware that HTTP_REFERER is very unreliable; you will end up blocking some legit people –  Nov 07 '12 at 02:47
  • @Dagon, That would be a valid secondary method. You should post it as a possible answer. – Brad Nov 07 '12 at 02:48
  • I can't use htaccess because I'm streaming the download from a PHP file using headers – Alamri Nov 07 '12 at 02:57

2 Answers

4

I found the solution: I just made a comparison between HTTP_REFERER and HTTP_HOST using strpos; if they match, that means there is no hotlinking. The code:

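```php
// Only check when a Referer header was sent (it is absent for typed or pasted URLs).
if (!empty($_SERVER['HTTP_REFERER'])) {
    // strpos() returns false when the host is not found; compare strictly,
    // because a match at position 0 is also falsy.
    if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) === false) {
        $redirect = 'index.php';
        header("Location: $redirect");
        exit; // stop here so the download is not streamed after the redirect
    }
}
```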
Andrei Surdu
Alamri
  • I stumbled upon this while looking for a `htaccess` code solution and realised it was a more suitable approach. Just wanted to mention that when you paste a link via the empty browser window, `$_SERVER['HTTP_REFERER']` was `NULL` in my case so the code won't work then. I've left the first condition out altogether myself and it's still behaving as expected. – Shikkediel Jul 20 '20 at 14:17
1

You actually want to use !== FALSE instead. The string could be at position 0. Also include zerkms' suggestion:

```php
if (!empty($_SERVER['HTTP_REFERER']) &&
    (strpos($_SERVER['HTTP_REFERER'],'www.domain.com') !== FALSE)) {
```

Documentation: http://php.net/manual/en/function.strpos.php

Brad
  • Thanks Brad, it didn't work. I just made a comparison between HTTP_REFERER and HTTP_HOST, and if they match, that means there is no outdoor request. – Alamri Nov 07 '12 at 02:57
  • @Alamri, What's in your `$_SERVER['HTTP_REFERER']`? What's showing up in your `$_SERVER['HTTP_HOST']`? – Brad Nov 07 '12 at 02:58
  • REFERER shows me the link of the previous page, e.g. `http://domain.com/?p=123`, and HOST only shows me the domain, e.g. `domain.com`, so just use strpos to match both strings – Alamri Nov 07 '12 at 03:07
  • It's been 10 years already since I asked this question, I randomly browsed my questions and saw your answer. How you doing? – Alamri Dec 25 '22 at 01:14
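
The checks in this thread look for the site name as a substring of the Referer. As an added example (not code from any of the posts above), the following compares the parsed Referer host against an exact allowlist and lets requests without a Referer through, as zerkms suggests. `ALLOWED_HOSTS`, `is_hotlink()`, `substring_check()` and the sample URLs are assumptions made for the illustration.

```php
<?php
// Added example: ALLOWED_HOSTS, is_hotlink() and substring_check() are
// hypothetical names, not from the thread. A fixed allowlist is used instead
// of HTTP_HOST because HTTP_HOST is itself taken from the request.
const ALLOWED_HOSTS = ['domain.com', 'www.domain.com'];

// The substring test discussed in the thread: true when the host name
// appears anywhere in the Referer string.
function substring_check(string $referer, string $host): bool
{
    return strpos($referer, $host) !== false;
}

// Exact host comparison. A missing Referer is allowed through (typed URL,
// privacy settings), following zerkms' comment.
function is_hotlink(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return true; // Referer present but not a URL with a host part
    }
    return !in_array(strtolower($host), $allowedHosts, true);
}

// Constructed sample Referer values (other.example is a placeholder domain).
$samples = [
    'http://domain.com/?p=123',
    'http://www.domain.com/files.php',
    'http://other.example/page?ref=domain.com',
    'http://domain.com.other.example/',
    '',
];

foreach ($samples as $referer) {
    printf(
        "%-45s substring=%-8s exact-host=%s\n",
        $referer === '' ? '(no Referer)' : $referer,
        substring_check($referer, 'domain.com') ? 'match' : 'no match',
        is_hotlink($referer, ALLOWED_HOSTS) ? 'block' : 'allow'
    );
}

// Usage in the download script, before any output is sent:
//   if (is_hotlink($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOSTS)) {
//       header('Location: index.php');
//       exit;
//   }
```

The third and fourth samples pass the substring test even though the request comes from another host, while the exact host comparison blocks them. Because the Referer header is supplied by the client, this only discourages casual hotlinking.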