getenv ... i think

This is a discussion on getenv ... i think within the PHP General forums, part of the PHP Programming Forums category.


#1, 11-22-2007
Steven Macintyre
getenv ... i think

Hi all,

http://steven.macintyre.name/myscript.phps

is my code as it stands

The purpose of the code is as follows;

It's for a non-profit company wanting to offer "support" banners for users
who pay for them, right ... as in a donation.

They want to be able to restrict those banners to a certain period "the
bought period" and I want to restrict them to only access the banners from
the specified URL when they signed up.

I.e. ... if you signed up with http://www.yourlovelydomain.com I want to be
able to limit the display of these banners depending on the hash and somehow
- checking the domain it's coming from.

Any ideas - am I on the right track?

If I take OUT the getenv if/then, it works ... so I know that is where the
problem is.

S
#2, 11-22-2007
M. Sokolewicz
Re: getenv ... i think

Steven Macintyre wrote:
> Hi all,
>
> http://steven.macintyre.name/myscript.phps
>
> is my code as it stands
>
> The purpose of the code is as follows;
>
> It's for a non-profit company wanting to offer "support" banners for users
> who pay for them, right ... as in a donation.
>
> They want to be able to restrict those banners to a certain period "the
> bought period" and I want to restrict them to only access the banners from
> the specified URL when they signed up.
>
> I.e. ... if you signed up with http://www.yourlovelydomain.com I want to be
> able to limit the display of these banners depending on the hash and somehow
> - checking the domain it's coming from.
>
> Any ideas - am I on the right track?
>
> If I take OUT the getenv if/then, it works ... so I know that is where the
> problem is.
>
> S


First of all, be VERY MINDFUL of SQL-injection attacks. Right now your
code is *very* vulnerable. Now, your problem is exactly as you stated:
you don't get the data in the expected format. getenv ("REMOTE_HOST") is
NOT the referrer. Furthermore, the referrer (which I don't recall what
it is sent as exactly, as 'REFERER' I guess (usually gotten via $_SERVER
or $_ENV, but getenv() should also work)) is not 'just' the domain name
but also includes the path, so you have a huge chance that it won't be
exactly what you expect it to be. Parse the url (parse_url() is your
friend), extract the host and match against that.

- Tul
#3, 11-22-2007
Per Jessen
Re: [PHP] getenv ... i think

Steven Macintyre wrote:

> If I take OUT the getenv if/then, it works ... so I know that is where
> the problem is.


I didn't bother with reading all your code, but maybe you should use
$_SERVER['REMOTE_HOST'] instead of the getenv() call?


/Per Jessen, Zürich
#4, 11-22-2007
Andrés Robinet
RE: [PHP] getenv ... i think

> -----Original Message-----
> From: Per Jessen [mailto:per@computer.org]
> Sent: Thursday, November 22, 2007 8:08 AM
> To: php-general@lists.php.net
> Subject: Re: [php] getenv ... i think
>
> Steven Macintyre wrote:
>
> > If I take OUT the getenv if/then, it works ... so I know that is where
> > the problem is.
>
> I didn't bother with reading all your code, but maybe you should use
> $_SERVER['REMOTE_HOST'] instead of the getenv() call ?
>
>
> /Per Jessen, Zürich
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


Maybe this is what you want... take a look (in a syntax highlighting PHP editor):

<?php
// Missing hash parameter should not raise a notice; treat it as an empty hash
$hash = isset($_GET['hash']) ? $_GET['hash'] : '';
require_once('db.class.php');

$db = new db_class;
$db->connect();

/*
You should have an escape method in the db class, otherwise take a look at mysql_real_escape_string - for MySQL
Also, beware of magic quotes if they are enabled they can mess things up (not in this case,
but as a general hint).
I usually put things like these in an .htaccess file.
Here's a sample, for a site under construction:
php_flag short_open_tag on
php_flag register_globals off
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off
php_flag magic_quotes_sybase off
# Switch to off in production stage
php_flag display_errors on
php_value error_reporting 2039
# This setting depends on your requirements
php_value max_execution_time 300
*/
$safeHash = $db->escape($hash);
/*
If your db class doesn't have an escape method you can do
$safeHash = mysql_real_escape_string($hash);
*/

$r = $db->select("SELECT duration, label, website FROM hhcu_codonations WHERE hash = '$safeHash' AND valid = '1'");

while ($row = $db->get_row($r)) {
    // found record - let's see if we can display the image and which image
    extract($row);
    $now = time();
    if ($duration >= $now) {
        /*
        The call on this is as follows;
        <img src="http://mydev.co.za/myscript.php?hash=ARBHASHCODE" border='0'>
        */
        // A direct request or a privacy-conscious browser sends no referer at all;
        // without a parseable scheme and host there is nothing to compare against
        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        $params = parse_url($referer);
        if ($params === false || empty($params['scheme']) || empty($params['host'])) {
            continue;
        }
        // Beware of gotchas if the referer has no "www" in the host param
        // We'll add "www." to the host if it's not there
        $host = (substr($params['host'], 0, 4) == 'www.') ? $params['host'] : 'www.' . $params['host'];
        // Now $host holds something like "www.subscribersite.com"
        $refererWebsite = $params['scheme'] . '://' . $host . '/';
        /*
        So now, the referer is the expected referer or not
        You don't need to use MD5 here, you've already checked the hash
        when you queried the DB. You now need to check that the referer is right for the supplied hash
        I'm assuming here you are only hashing the website's url. You would only need to check the hash
        against the request headers if you use a more complex hashing strategy like the following

        define('HASH_SALT', 'a secret string');
        $websiteUrl = 'http://www.subscribersite.com/';
        $websiteIP = '60.50.40.30';
        $hashToStoreInDB = md5($websiteUrl.$websiteIP.HASH_SALT);

        But if you use such a method, you wouldn't need to check the referer either, you'd build a tentative
        hash out of the $_SERVER parameters (HTTP_REFERER, REMOTE_ADDR) and the HASH_SALT constant,
        match that tentative hash against the supplied hash ($_GET['hash']), and then look up that hash
        in the database if both hashes match... that would be all
        */
        if ($refererWebsite == $website) {
            switch ($label) {
                // ... code to follow
            }
        }
    }
}
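An added example, not code from Andrés or from the thread, that carries Tul's two points (the SQL-injection warning and "parse the URL, extract the host and match against that") through the same lookup: the hash goes into a prepared statement rather than the query text, and the referer is compared host-to-host, so "www.site.com" and "site.com" both match the registered website. It assumes a PDO connection $pdo to the database holding the hhcu_codonations table from the thread; $pdo, refererHost() and findBanner() are names chosen here.

```php
<?php
// Added example. Assumes $pdo is an open PDO connection (hypothetical) and that
// `website` stores the registered URL, e.g. "http://www.subscribersite.com/".

// Reduce a URL to a comparable host: lower-case, without a leading "www.".
// Returns null when there is no usable host (missing or malformed referer).
function refererHost($url) {
    if ($url === null || $url === '') {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    return preg_replace('/^www\./', '', strtolower($parts['host']));
}

// Look the hash up with a bound parameter; user input never becomes SQL text.
function findBanner(PDO $pdo, $hash) {
    $stmt = $pdo->prepare(
        'SELECT duration, label, website FROM hhcu_codonations WHERE hash = ? AND valid = \'1\''
    );
    $stmt->execute(array($hash));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$hash = isset($_GET['hash']) ? $_GET['hash'] : '';
$row  = findBanner($pdo, $hash);

// Unknown hash or expired period: nothing to serve.
if ($row === null || (int) $row['duration'] < time()) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Referer host must match the registered host. The referer is client-supplied
// and often absent, so this only limits casual hot-linking, not a determined client.
$expected = refererHost($row['website']);
$actual   = refererHost(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null);
if ($expected === null || $actual === null || $actual !== $expected) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// Valid hash, active period, matching host: emit the banner for $row['label'].
```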