I've hacked my attachment.php script to prevent users from posting an attachment on my board, and then using the HTML to display it somewhere else. This prevents people from posting a pic on your board, then using your bandwidth to place that pic elsewhere. It is a tiny code change.

I've substituted my own logo, (LOL), but you can replace that with anything, or just use the "exit;" line to eliminate the pic entirely.

In attachment.php, right after:
require("./global.php");

Add the following code:
// Cross-link hack by Guru 2/24/2002
// Check that we aren't linked somewhere else
$url = parse_url($_SERVER['HTTP_REFERER']);
$checkurl = strtolower($url["host"]);
if (! strstr($checkurl, "yourdomain")) {

// Remove this code if you just want to break the image
// Substitute my Logo
header("Content-Type: image/gif");
$filename = "/usr/public_html/grafix/logo.gif";
$image = fread(fopen($filename,"r"),100000);
echo $image;
fclose($image);
// End Substitute my Logo

exit;
}

Change yourdomain to your actual domain name, and the logo URL to what you want to replace the cross-linked image with.

NOTE: Changed to use the full path in "$filename = ..." to get this to work on some servers.

ANOTHER: See this post in this thread for a modification that works on Win32 servers: https://vborg.vbsupport.ru/showthread.php?s=&postid=297895#post297895

AGAIN: If you modify avatar.php similarly, you can prevent people from cross-linking your avatars: https://vborg.vbsupport.ru/showthread.php?s=&postid=303893#post303893

UPDATE: The parse_url line is slightly different to use the new PHP syntax.

Excellent hack, most useful! Keep up the good work/hacks

so, just making sure, this hack will, if someone goes to say http://www.stealsomeonesbandwidthbypostingthepicthatishos tedontheirserver.com and links to a pic on http://www.yoursite.com it will replace the pic with one of your choice such as "image hosted by coderforums.net"?

Yep. That's it exactly.

Can you add more than one domain? For example do I need to add forum.racesimcentral.com AND www.racesimcentral.com, or just put racesimcentral.com?

if (! strstr($checkurl, "racesimcentral.com")) {

Right?

Never mind I checked and found racesimcentral.com is enough. :)

You can substitute "yourdomain" for just a part of your domain name. If you have ".com" and ".net" mapped to the same forum, then you could use just the base portion of you domain name. For example: yourdomain.com and yourdomain.net would be protected by just putting yourdomain in the check line.

wow thanks :)

mm this is a great hack! I am going to install now and shall tell you how it works out :)

works great as far as I can tell!

Just testing :)

http://www.coderforums.net/attachment.php?postid=252

it does not work for me in 2.21. I am able to view attachment from dreamweaver and from anywhere

Try to view the attchment from a site that is not related to yours... look at nafae's post, above...

Testing
https://vborg.vbsupport.ru/

Originally posted by voogru
Testing
http://forums.voogru.com/attachment.php?s=&postid=1954

heh heh...

Hey! Post your own variations here! We'd all like to see.

I rather not :) Rated R label... teach those pesky bandwidth stealers a lesson. ;)

I was thinking of using my avatar and use the text "You want your ear bit off too??"

Originally posted by Guru
Try to view the attchment from a site that is not related to yours... look at nafae's post, above...

I tried the same. It will not work. Unlucky me.

This is an awesome, money-saving hack! Thank you very much! I'm going to give it a shot right here...my new image is a giant orange logo with my URL... :D

http://forums.gtplanet.net/attachment.php?s=&postid=125055

http://www.pakdef.info/forum/attachment.php?s=&postid=7926&fullpage=1

testing

just a test
http://20ishparents.com/boards/attachment.php?s=&postid=265730

again

If you post or send me the code snippet that you added, I'll try to help you figure out what is wrong.

This substitutes my logo, as it should, with my browser:

http://adultadventurers.com/vbulletin/attachment.php?postid=133823

I replaced the http with full filepath and it is working.
thanks.testing (http://www.haitiwebs.com/haitianforums/attachment.php?postid=50)

How do you use this nice hack if you have four different domain names :D

and is it posible to add your IP to the domains list :D

Thanks

you can modify this, and just

echo "this image can only be linked from yourdomain.com";
exit;


takes up less bandwidth than using an image :)

Originally posted by Remi
How do you use this nice hack if you have four different domain names :D

and is it posible to add your IP to the domains list :D

Thanks

if (false === strpos($checkurl, "firstdomain") ||
false === strpos($checkurl, "seconddomain")) {


IPs would require a different test...

Thank you very much Guru, is that the right way to add a third domain, Please correct me.

if ((false === strpos($checkurl, "firstdomain") ||
(false === strpos($checkurl, "seconddomain") ||
(false === strpos($checkurl, "thirddomain")) {

Sorry I don't know PHP :o

Originally posted by Remi
Thank you very much Guru, is that the right way to add a third domain, Please correct me.

if ((false === strpos($checkurl, "firstdomain") ||
(false === strpos($checkurl, "seconddomain") ||
(false === strpos($checkurl, "thirddomain")) {

Sorry I don't know PHP :o

That should work for as many domains as you want to include.

just testing too ;)

http://forum.dyt4concept.com/attachment.php?postid=5117

how would i add this to work with my avatars?

Avatars are attachments, as far as I know...

Originally posted by Guru
Avatars are attachments, as far as I know...

I like the http redirect better which works for me. Just upgraded to v2.2.4 and forgot the line for it. What's the code for thr http?

test

http://www.xboxusersgroup.com/forums/attachment.php?s=&postid=35322

http://www.xboxusersgroup.com/forums/avatar.php?userid=894&dateline=1018936815

Nice hack, here is a test of what shows on mine, just for anyone that wishes to view it.

http://www.bbaddons.com/forums/attachment.php?s=&postid=37

SaintDog

Nice hack! Please correct me if I'm wrong though, if you have set that only registered users can view attachments on your board, then most people would get the login screen anyway, right?

Originally posted by Tommy Boy
Nice hack! Please correct me if I'm wrong though, if you have set that only registered users can view attachments on your board, then most people would get the login screen anyway, right?

This hack seems very cool except for the above statement, plus, isn't putting a different picture that gets served up just like the other one would defeating the purpose a little?

Nobody wants to steal the bandwidth to serve an ad for my site...

Originally posted by Tommy Boy
Nice hack! Please correct me if I'm wrong though, if you have set that only registered users can view attachments on your board, then most people would get the login screen anyway, right?
Is that a standard option?

Originally posted by Guru

Is that a standard option?

Yes, it is.

BTW Mods, quoting a post with a quote seems not to work?

I want guests to be able to see the images and attachments... that's what we're selling. What I don't want is people using my bandwidth to post signature pics on other boards.

Just a little test from me.....

https://vborg.vbsupport.ru/

Originally posted by ixian
Just a little test from me.....

http://www.maximumgamer.com/forums/attachment.php?s=&postid=44037

You may want to fix the spelling of your site name in the substitute image...

Originally posted by Guru


You may want to fix the spelling of your site name in the substitute image...

Ya, as you can tell I whipped one up in like 20 seconds:) Need to find a better substitute anyway.

<a href="http://www.golden-springs.com/forums/attachment.php?s=&postid=1813" target="_blank">http://www.golden-springs.com/forums...s=&postid=1813</a>

<a href="http://www.seles-online.com/forums/attachment.php?postid=1" target="_blank">http://www.seles-online.com/forums/a...t.php?postid=1</a>

This hack works great. Thanks.

Seems like any referer-based functionality is being broken as each day passes. My IE6 users have no referer so they get blocked too. Various firewall packages also hide the referer. :(

Seems like we're going to have to use sessions/cookies to get this to work right... ugh.

A slight variation for those who are interested:

I have a forum set up so guests wouldn't be able to see the attachments, and attachments themselves are shown right in the thread (not with a link).

So the following change in code does the following:
- all guest see an specified image instead of an attachment.
- whoever tries to link to your attachment image from the different site will not be able to show it. the replacement image is going to show up instead of whatever is in attachment for all unregged people.

Find this in attachment.php:

$permissions=getpermissions($getforuminfo[forumid]);
if (!$permissions[canview] or !$permissions[cangetattachment]) {
show_nopermission();
}


and replace show_nopermissions(); with this:


header("Location: http://www.4adrive.com/img/attachment.jpg");
exit;


So here's how it should end up looking:

$permissions=getpermissions($getforuminfo[forumid]);
if (!$permissions[canview] or !$permissions[cangetattachment]) {
header("Location: http://www.4adrive.com/img/attachment.jpg");
exit;
}


Of course replace the url of the image to whatever you want displayed there.

I use the following image:
https://vborg.vbsupport.ru/

Thanks for the tip DR2000 -- I'll make those changes myself now. :)

And maybe you should note that the
Admin -> User Groups -> Modify -> Unregistered -> Can download attachments

should be set to 'No'.

BTW, 'member' is misspelled in your graphic. :p

Originally posted by Jujubee

BTW, 'member' is misspelled in your graphic. :p

Yish! Thanks for telling me. I was using that image for ages, and never knew. :)

Nice! The actual image doesn't show unless unregistered users click the attachment link. Is that how it should be?

Will this work with smilies too? I have the worst time with people linking to them on other boards.

This looks like a great hack. I am having a major problem though. as soon as I add ANYTHING to the attachment.php script, I get broken links! I tryed lust adding this line;

echo "test";

but as soon as I do, I get broken links instead of the attachments.

I AM CONFUSED! Can someone help me pull my head out of my a**?

ugh

This hack won't work for smilies. They are simply little gif files. You would have to use the .htaccess method for those.

Adding
echo "test";
will break the mime type. It needs to be an image.

Follow the instructions, which will replace the image with the "broken" image, and end the script (and, it supplies the correct data for the type).

pardon my ignorance for not even looking at the code before i posted this, but does this work with the "attachments as files" hack?

I don't know what that hack does, exactly, but given the name (... as files), it seems that it may not. Perhaps someone who knows more about that hack will comment?

this description should help. click here (http://www.vbulletin.org/hacks/index.php?action=showhack&hackid=181)

OK... im doing sumfing wrong, please help, i have ova 70 users linking one image, please help asap, costing me too much.

i added the code exactly,

and i am testing it at http://www.majorfm.com/testrapdis.htm

the image still shows, please explain?

I have attached my attachment.php for reference.

wen i view the page in MS Frontpage, it shows the correct image i want it replaced with, but wen uploaded, it shows the attachment! this really should be standard in VB, what a security alert and a half, this mistake cost me £155, 12 gb off excess bandwidth, so what can i do? doesnt seem to work.

Check the attachment, for what i see in frontpage.

I see a small red "X" You may be seeing a cached image in your browser. Try "Refresh."

ok this is working for me..
I can't see attachment images on other websites...
BUT...

All mp3 files cannot be downloaded from my domain. For some reason when you click to download it downloads the .gif

Does anyone know?

thanks guru... u were right

If you're on a win32 server, use "rb" in place of just "r" in your call to fopen. I'm sure this will be irrelevant to 99% of everyone on the planet, but since my forum has both Linux and Windows servers, I made a version that works on both:

if (! strstr($checkurl, "domain")) {
// what server, Linux or Win32?
$svr = 'lin';
if (!file_exists("/etc/fstab")) { $svr = 'win';}

// Substitute our Logo
header("Content-Type: image/gif");
if ($svr == 'win') {
$readflag = 'rb'; // binary read flag for windows server
$imgfile = "c:\\pathto\\image.jpg";
}
else {
$readflag = 'r'; // standard read flag
$imgfile = "/pathto/image.jpg";
}
$image = fread(fopen($imgfile,$readflag),10000);
echo $image;
fclose($image);
exit;
}

Thanks for the addition. That's cool. I added a link to this post with a note in the original hack.

Originally posted by DR2000
A slight variation for those who are interested:

I have a forum set up so guests wouldn't be able to see the attachments, and attachments themselves are shown right in the thread (not with a link).

So the following change in code does the following:
- all guest see an specified image instead of an attachment.
- whoever tries to link to your attachment image from the different site will not be able to show it. the replacement image is going to show up instead of whatever is in attachment for all unregged people.

Find this in attachment.php:

$permissions=getpermissions($getforuminfo[forumid]);
if (!$permissions[canview] or !$permissions[cangetattachment]) {
show_nopermission();
}


and replace show_nopermissions(); with this:


header("Location: http://www.4adrive.com/img/attachment.jpg");
exit;


So here's how it should end up looking:

$permissions=getpermissions($getforuminfo[forumid]);
if (!$permissions[canview] or !$permissions[cangetattachment]) {
header("Location: http://www.4adrive.com/img/attachment.jpg");
exit;
}


Of course replace the url of the image to whatever you want displayed there.

I use the following image:
http://www.4adrive.com/img/attachment.jpg

How do I get this image to show up without a link?

Did anyone notice if you place this code in your avatar.php script, it'll prevent your avatars from being hotlinked too? Awesome!

O.....kay. I now have about 6 users saying they can't see the attachments or avatars absolutely anywhere. Even linked on the board. But it works fine for everyone else. I'm confused now.

Some of our users that use IE 6.0 have reported that problem. Are you running the latest vBulletin?

Originally posted by Guru
Some of our users that use IE 6.0 have reported that problem. Are you running the latest vBulletin?

Yep. vBulletin 2.2.8. And it seems to be an issue with AOL users mainly.

Seems to work perfect in 2.28! Great hack! Thanks!!

I run 2.28 and Cannot seem to get this to work with trilOByte's Welcome panel hack. the code works so i cannot hotlink the avatar, but in the welcome panel it also shows my logo instead of the users avatar. any help would be awsome! thanks

// Cross-link hack by Guru 2/24/2002
// Check that we aren't linked somewhere else
$url = parse_url($HTTP_REFERER);
$checkurl = strtolower($url["host"]);
if (false === strpos($checkurl, "wpgrevscene") ||
false === strpos($checkurl, "winnipegrevscene")) {
// Remove this code if you just want to break the image
// Substitute my Logo
header("Content-Type: image/gif");
$filename = "/home/wpgrevsc/www/images/wpgrev.gif";
$image = fread(fopen($filename,"r"),100000);
echo $image;
fclose($image);
// End Substitute my Logo

exit;
}

Will this also work if you place it somewhere for smilies?

Where the heck would it go?

I have no clue for the last two questions. Anyone?

Originally posted by SpeedStreet
Will this also work if you place it somewhere for smilies?

Where the heck would it go? An .htaccess file in the smilies directory would do the trick. Something along the lines of:RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://yourdomian.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://youripaddress.* [NC]
RewriteRule [^/]+.(gif|jpg)$ - [F]

After a brief amount of thought, of course smilies can't be protected by this code. They are individual files, served up by your host.

FWC,

That worked perfectly! Thanks for the help!

Does anyone know if there is a way to also protect an IIS server the same way, I don't use it for my vb server, but some of my web pages are hosted on Win2k.

Originally posted by SpeedStreet
FWC,

That worked perfectly! Thanks for the help!

Does anyone know if there is a way to also protect an IIS server the same way, I don't use it for my vb server, but some of my web pages are hosted on Win2k. You're welcome. :)

I can't help you with IIS, though. Don't know of the equivalent to mod_rewrite.

is there a way to put a link at the top and bottom of the attachment...

Image Found at Mysite.com

or Visit Mysite.com

as part of the attachment

http://www.ls6.com/forums/attachment.php?postid=157722

test (http://www.ls6.com/forums/attachment.php?postid=157722)

test
http://www.procreatica.com/forum/attachment.php?postid=88

Beautiful. :)

* Link14716 installs. :)

http://www.vggmn.com/forums/attachment.php?s=&postid=148

Very cool, works great on 2.2.9 :banana:

Ack!!! Could this be due to Firewalls people have installed on their machines? :paranoid:


So far I have had 3 users that are getting the replacement image (the one that says you arent supposed to link outside the site) on the avatar areas and for anything that is attached

This is very strange, any ideas? Here's the entire code I am using:





// Cross-link hack by Guru 2/24/2002
// Check that we aren't linked somewhere else
$url = parse_url($HTTP_REFERER);
$checkurl = strtolower($url["host"]);
if (! strstr($checkurl, "belliesandbabies.com")) {

// Remove this code if you just want to break the image
// Substitute my Logo
header("Content-Type: image/gif");
$filename = "http://www.belliesandbabies.com/bandwidtherror.gif";
$image = fread(fopen($filename,"r"),100000);
echo $image;
fclose($image);
// End Substitute my Logo

exit;
}

test

http://www.talkhardonline.com/forum/attachment.php?postid=97785

sweet.

:)

Originally posted by ~*Julie*~
Ack!!! Could this be due to Firewalls people have installed on their machines? :paranoid:


So far I have had 3 users that are getting the replacement image (the one that says you arent supposed to link outside the site) on the avatar areas and for anything that is attached

This is very strange, any ideas? Here's the entire code I am using:
<snip>

As far as I can determine, this happens with IE 6.0 users only. And, it may be fixed in a service pack. I think it's because this version of IE doesn't submit the "REFERER" header correctly. Does anyone know the answer?

Originally posted by Guru


As far as I can determine, this happens with IE 6.0 users only. And, it may be fixed in a service pack. I think it's because this version of IE doesn't submit the "REFERER" header correctly. Does anyone know the answer?

We troubleshooted this and anyone on my site using the Norton Firewall had to disable the "Script Blocking" part of the firewall, now everything is working great : :)

test

http://www.houston-imports.com/forums/attachment.php?s=&postid=94489

I can't get this to work, can somebody give me the exact code if my website were http://www.TheForumz.com and my image was in http://www.TheForumz.com/images/bandwidth_stealer.gif

It doesn't work for me! I had to add more that one domain! With one domain there are no Problems! Can you help me??

cu

Jochen

Greets!

Does this hack work .rar, .zip and other binary attachments?

Thanks!

How do I add multiple domains?

I tried this

if ((false === strpos($checkurl, "firstdomain") ||
(false === strpos($checkurl, "seconddomain") ||
(false === strpos($checkurl, "thirddomain")) {

like was said in previous posts in this thread, but it didn't work. Can somebody help me with how I would add more domains to be allowed?

Many thanks!

You would want to check that ALL domain possibilities are false, so substitute "&&" for the "||" This will require ALL the domain checks to return false, which is what you want in this case.

03-29-03 at 11:23 AM laycomp said this in Post #92 (https://vborg.vbsupport.ru/showthread.php?postid=375084#post375084)
Greets!


Does this hack work .rar, .zip and other binary attachments?

Thanks!

There is no file-specific code, so it should work for anything you can attach.

It works for me, but it also blocks my own site members from viewing attachments.. Can someone help me.. I am taking out the code for another image, just breaking up the image with the exit line. Help.. But it does work, i checked the sites where my members link to and the image was a red ex. But it also blocks my own site.. thanksl.

On my site, some users have problems if their security settings block the "HTTP-REFERER" header that this hack depends on. Try lowering your own security settings to see if that fixes it.

It might be time to redesign or revise this hack to work better with newer browsers and vB?

05-14-03 at 10:35 AM Guru said this in Post #97 (https://vborg.vbsupport.ru/showthread.php?postid=395003#post395003)
On my site, some users have problems if their security settings block the "HTTP-REFERER" header that this hack depends on. Try lowering your own security settings to see if that fixes it.

It might be time to redesign or revise this hack to work better with newer browsers and vB?


Agreed. I tried the security settings and it made no diff.. :(

test

http://www.aktienboard.com/vb/attachment.php?postid=730662

test

This should work with vB 3.0. Put the same code in attachment.php.

Will this be available in vB3?

test

http://www.sephirothsfollowers.com/forums/attachment.php?postid=17627


I only seem to get error messages...
Vb2.3.5
Linux Servers
Ie 6.somethin...

Hi greate Hack!

is it possible to use this hack with https connection from a 2nd domain listed in the if condition? I don't know if https sends a usefull Referer...

Regards

Does this work for vB 3.5.x?

works fine with 3.6.1