1

I have a file.php?q=data that returns json data, but I don't want other websites to query my database through this file and I don't know what to do. I just have this:

if($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']) exit();

Do you have any idea about how to handle this security issue? Thank you very much.

alvizouri

5 Answers

1

So you want to let users access this file (probably via your other web page) but don't want competitors to access this web page? Then you just need to find out what makes a competitor different from a regular user. This problem doesn't have a definite bullet-proof solution.

You can try to limit user access by implementing some kind of authentication and counting the number of requests per user. But these are half-measures.

Eugene Mayevski 'Callback
0

Assuming it is web visitors accessing the data, set a PHP session variable when they access any page (or the page containing the link to file.php). Then have file.php check for the existence of that variable.

;o) Cor

Cor
0

Try using the HTTP_REFERER part of the $_SERVER variable.

Also, you can use some mod_rewrite rules to prevent hotlinking of your files. See the tutorial here.

Naftali
0

If it is really a security issue for you, you will need to control the access. This can be done by requiring authentication to access the URL in question, e.g. by making use of HTTP authentication with PHP.

For some easy-to-circumvent prevention, you can check the HTTP Referer header that is sent by some browsers:

$_SERVER['HTTP_REFERER'] (docs) - The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Related: How to protect download URLs to be stolen with PHP?

hakre
  • But note that everyone can simply send the referer, for example with cURL. So he could set the referer to your domain and all data will be output! – ComFreek Aug 09 '11 at 17:00
  • Sure, that's why I wrote that it is easy to circumvent; it's only a first little block against JavaScript-based requests from other sites. It's not a real protection. If you need it secure, you need authentication to stay in control. – hakre Aug 09 '11 at 20:41
0

HTTP_HOST and SERVER_NAME always refer to YOUR server. You cannot detect a remote user in this way. HTTP_HOST is the name of the site as requested by the user in the URL. SERVER_NAME is (usually) the name of the server itself, and/or whatever is specified in Apache as 'ServerName'.

HTTP_HOST and SERVER_NAME are usually different. The server itself may be named "someweird numbers.your.hosting.company.com", while HTTP_HOST will be "yoursite.com".

Marc B
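As an added example (not code from the question or from any of the answers), the single PHP script below puts the question's HTTP_HOST/SERVER_NAME test, which the last answer explains never identifies the caller, next to the session gate from Cor's answer and a Referer check kept only as a soft hint, as hakre's answer and its comments describe. The script name gate.php, the session key 'visited_page' and the JSON rows are assumptions made for this example.

```php
<?php
// Added example, not code from the question or any of the answers. Assumes a
// single script serving both the HTML page (no query) and the JSON endpoint
// (?q=data); the session key 'visited_page' and the JSON rows are constructed.
// Try it with: php -S localhost:8000 gate.php   (gate.php is an assumed name)

declare(strict_types=1);

// The check from the question compares two values that both describe the
// server that received the request. Neither says who sent it, so a cURL
// script on another site passes exactly like a browser on our own page.
function questionCheckWouldBlock(array $server): bool
{
    return ($server['HTTP_HOST'] ?? '') !== ($server['SERVER_NAME'] ?? '');
}

// Session gate from Cor's answer: only a session created by a page we served
// may read the JSON. A scraper that never loaded the page has no session
// cookie and gets 403. This is not authentication: a scraper can load the
// page first to obtain a cookie, so it only stops casual hotlinking.
function visitorMayReadData(array $session): bool
{
    return ($session['visited_page'] ?? false) === true;
}

// Referer is set by the user agent and trivially forged (see the comments on
// hakre's answer), so use it for logging or as a soft hint, never as the gate.
function refererLooksLocal(array $server, string $ourHost): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ourHost) === 0;
}

if (PHP_SAPI !== 'cli') {
    session_start();                       // must run before any output
    if (isset($_GET['q'])) {               // the file.php?q=data role
        if (!visitorMayReadData($_SESSION)) {
            http_response_code(403);
            exit;
        }
        header('Content-Type: application/json');
        echo json_encode(['q' => $_GET['q'], 'rows' => [1, 2, 3]]); // constructed
    } else {                               // the page that links to the data
        $_SESSION['visited_page'] = true;
        echo '<a href="?q=data">load data</a>';
    }
}
```

Requesting ?q=data directly with cURL returns 403, while following the link from the page succeeds, which shows the difference between a gate on the visitor's session and the original check that only compared two descriptions of the server.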