2

I have this PHP script:

include 'include.php';

The script will be on http://ppyazi.com/twitterimg.php. So people will be running this script on other domains:

<img src="http://ppyazi.com/twitterimg.php?id=QuixD3V" class="logo" />

I want the PHP include script to run only if http://ppyazi.com/twitterimg.php is being requested from another domain, for example https://banakin.net, but not to run if it is being requested from http://ppyazi.com or any files/directories in it.

2
  • 2
    You can use $_SERVER['HTTP_REFERER'] to check which server the request is coming from. Commented Dec 29, 2017 at 6:24
  • 1
    Please explain in more detail. Commented Dec 29, 2017 at 6:34

2 Answers

3

You can use HTTP_REFERER to restrict hotlinking.

Add this to your PHP:

Simple example:

// The Referer header may be absent, so fall back to an empty string.
strstr($_SERVER['HTTP_REFERER'] ?? '', 'ppyazi.com') or exit('denied');
// ... some codes that renders image
// e.g
// header('Content-Type: image/png');
// echo file_get_contents('image_file.png');

Complex example:

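/**
 * Returns boolean (true/false): whether the Referer header contains the hostname
 * @param  string $sHostName Provide hostname
 * @return bool
 */
function isHost($sHostName) {
    // The Referer header may be absent, so fall back to an empty string.
    // strstr() returns a string or false, so compare against false to get a bool.
    return strstr($_SERVER['HTTP_REFERER'] ?? '', $sHostName) !== false;
}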

if (isHost('ppyazi.com') === true) {
    // do something you want if your domain is on ppyazi.com
} else {
    // remove something you want if you are out of ppyazi.com
}

5 Comments

You can add it on ppyazi.com/twitterimg.php so that if others link the image using twitterimg.php outside ppyazi.com, it will exit.
There is more on that link. I need to hide 1 line if the domain is ppyazi.com.
If that is so, you can make use of strstr($_SERVER['HTTP_REFERER'], 'ppyazi.com') to check if you are on ppyazi.com; it returns boolean.
Please give an example.
I have updated the example. If it does not do what you want, please update your question as well; adding some scenario may help us to understand your question. Showing us your code may help also.
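
An added example, not code from either answer: it parses the Referer and compares its host exactly (or as a subdomain), so a value that merely contains the string ppyazi.com is not treated as coming from the site. The function name refererOrigin and the sample Referer values are assumptions constructed for illustration; because the header is supplied by the client, the result is a hint, not an access control.

```php
<?php
// Added example (not from the original answers). SITE_HOST comes from the
// question; refererOrigin() is a hypothetical helper name.
const SITE_HOST = 'ppyazi.com';

/**
 * Classify a Referer value relative to $siteHost.
 * @return string 'same-site', 'other-site', or 'unknown' (missing or unparsable)
 */
function refererOrigin(?string $referer, string $siteHost): string
{
    if ($referer === null || $referer === '') {
        return 'unknown';              // browsers and proxies may omit the header
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'unknown';              // malformed URL or no host component
    }
    $host   = strtolower(rtrim($host, '.'));
    $suffix = '.' . strtolower($siteHost);
    // Match the exact host or a true subdomain of it, never a bare substring.
    if ($host === strtolower($siteHost) || substr($host, -strlen($suffix)) === $suffix) {
        return 'same-site';
    }
    return 'other-site';
}

// Constructed sample Referer values (not taken from the page).
$samples = [
    'http://ppyazi.com/index.php',            // the site itself
    'https://www.ppyazi.com/a/b',             // a subdomain of the site
    'https://banakin.net/page.html',          // the embedding site from the question
    'https://ppyazi.com.example.net/',        // host only begins with the site name
    'https://example.net/?from=ppyazi.com',   // site name appears only in the query
    null,                                     // header not sent
];
foreach ($samples as $referer) {
    printf("%-42s %s\n", var_export($referer, true), refererOrigin($referer, SITE_HOST));
}

// In twitterimg.php the include from the question could then be gated like this;
// what to do for 'unknown' has to be decided explicitly:
// if (refererOrigin($_SERVER['HTTP_REFERER'] ?? null, SITE_HOST) === 'other-site') {
//     include 'include.php';
// }
```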
0

My host does not even provide $_SERVER['HTTP_REFERER'] anymore because it is so easy to spoof. When I need to check if something came from my own server using php I check the following:

// REMOTE_ADDR equal to SERVER_ADDR means the request came from this server.
if ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) {
    // we have a match so go forth
}

I don't use this as my only check if it needs to be secure, but it is certainly helpful as a first check to keep prying eyes and spiders from triggering the rest of the script. It is possible, though, that another site on a shared server could use the same IP. I am using a VPS, so that is not a concern for me. If someone is snooping using another site on my server, then I have bigger problems to deal with.
