
protecting files from leechers/hotlinking

Posted: Wed Jun 30, 2004 10:48 am
by rxero
Hey, I wanted to prevent people from leeching my bandwidth. Last month I had 10GB of leeched traffic from 1 file. I found some code in the forum that kind of hid the file path, but it's not exactly perfect.

Code: Select all

<?php 
if(IsSet($file)) 
{ 
header("location: ./path/$file"); 
} 
else 
{ 
echo "what do you want?"; 
} 
?>
Now people could copy that link and still link to it and not know the real path, but still steal my bandwidth. So I tried doing an http_referer in there, but it always came up with the domain of my site when I tried running it from an HTML document locally. All the links are on my front page. My site is http://www.jaredindustries.com. Could someone edit this code or tell me what to do to prevent this from happening? Below is what I tried to do. It has the address of my site in there so you can see what I'm talking about.

Code: Select all

<?php
if(IsSet($file) && $HTTP_REFERER="http://www.jaredindustries.com") 
{ 
header("location: ./funstuff/$file"); 
} 
else 
{ 
echo "what do you want?"; 
} 
?>

Posted: Wed Jun 30, 2004 10:55 am
by lostboy
Consider using sessions and checking for those session objects on each page. Also check the server_name to see where the script call is coming from.

Code: Select all

//check if a current session is in place and the user is correctly logged in 
//also check the calling page / domain to ensure the call only comes from 
//this domain -- this check may take a little configuration to get the 
//correct host name, as it may be a virtual host with the webserver 
//It's also possible, though more difficult to maintain, to use a list of all 
//the possible pages in your site that access the db and check that list 
//against the current calling page 

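session_start(); //needed before $_SESSION can be read
//refuse the request if either check fails
if (($_SESSION['logged_in'] != "some_value") || ($_SERVER['SERVER_NAME'] != "my_host_name")) { 
   echo "<span style='color:blue' title=\"I'm naughty, are you naughty?\">smurf</span> off, hackers!"; 
  die(); 
}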

Posted: Wed Jun 30, 2004 11:06 am
by rxero
So is that server name variable the name of the server this file was called from? My site doesn't require a login, so I'm not sure about that first part.

Posted: Wed Jun 30, 2004 11:11 am
by lostboy
You can still enable sessions, logins are not required, it would just help track users. Then simply check to see if you have an active session, maybe log the IP of the user and store that in a session.

Yes, servername is your hosted server

Posted: Wed Jun 30, 2004 1:03 pm
by John Cartwright
Like on your main page, just have a session var like

Code: Select all

<?php

session_start(); // must run before $_SESSION is used

$_SESSION["logged"] = "set";

?>
and then check when downloading files if the session "logged" has been set or not
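
An added example, not posted by anyone in this thread: a download script that applies the session check suggested above and streams the file itself instead of redirecting, so the real path is never sent to the browser. The directory `/var/www/private_downloads`, the function name `resolve_download` and the status messages are assumptions made for illustration.

```php
<?php
// download.php -- added example, not code from the thread.
// Assumes the front page runs: session_start(); $_SESSION["logged"] = "set";
// DOWNLOAD_DIR is a hypothetical directory kept outside the web root.
session_start();

const DOWNLOAD_DIR = '/var/www/private_downloads';

/** Resolve a requested name to a regular file inside $dir, or return null. */
function resolve_download(string $dir, string $name): ?string
{
    // Accept plain file names only: no slashes, no leading dot, no quotes.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files and resolves symlinks,
    // so the prefix check also rejects links that point outside $dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// No session flag means this browser never loaded the front page.
if (($_SESSION['logged'] ?? null) !== 'set') {
    http_response_code(403);
    exit('Please start from the front page.');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_download(DOWNLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such file.');
}

// Send the bytes from this script rather than a Location header, so the
// storage path is not disclosed and there is no direct URL to hotlink.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The session flag only shows that the same browser loaded the front page first, so it stops plain hotlinks from other sites but not a client that fetches the front page before the file.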

Posted: Wed Jun 30, 2004 2:14 pm
by pickle
I know you want to do this with PHP, but FYI, here's how to do it with an .htaccess file. Same logic, I'd imagine.