VERY quick avatar/attachment protector
 

This has probably been written before (I haven't checked), but I am beginning to get annoyed with people linking to my attachments/users avatars. It's quick, it's dirty, and it works. Installation time: 15 seconds per file. Number of files to edit: 2.

Edit the $referers array with your details (DOMAINS and IP Addresses ONLY. Do NOT include path information or 'http://').

Place at the top of avatar.php and attachment.php just after:

Hope this is of help to some people. :)

I don't mean to sound ignorant, but exactly what does this do? :)

It makes it so you can't link attachment URLs to different places.

I guess I'm still not sure what it does. Sorry.

What will happen if someone DOES try to link to something then?

And what would you put in this line?

My site URL is http://www.bearfacts2.com/forum/

Is that what I would put here? :)

I'm guessing you read my thread that I posted yesterday of how I had this problem.

What he means to say Boofo is that its suppose to prevent hotlinking of your forums attachments or avatars from another site. If you hotlink an image attachment, every viewer who see's that attachment on that "other" site will come up on your forums as a guest, a very strange bug but I've had it happen to me.

I'll try this out later and see how it works ;)

Yup, anyone who tries to link to an image on your site (be it an avatar or an attachment) will just get a broken image/blank screen. It prevents bandwidth leeching/database slowness. Only sites listed in the $referer array will get the actual image/attachment/avatar requested.

He stated plainly and clearly NOT to put the "http://" prefix.
Just put www.bearfacts2.com


I have a question about that line, this one here:
Is it needed to state your domain twice as it shows above, just one is missing the www?

You would put:

Probably not with a bit more jiggery in the php, but like I said this was just a quicky. If you site is categorically only accessible via www., then it is not necessary to use the second entry without the www., and probably likewise for the IP address. I only did it that way for completeness.

Ok, I see now. The 3 address are just in case someone tries to get around any one of the addresses to link to the files. It makes sense now. :) Thank you for the code, CJi. :)

Velocd, did it fix your problem? I haven't run into that yet, but it is always better to be prepared, I guess. :)

CJi, I forgot to ask in my last message...you can add more addresses to that, right, if you want some site to be able to link to it? But what would happen, if you did that, if someone linked to the extra site that you allowed in there? Is there any way to stop them from linking to that other site and bypassing it? I have a main site that I use for commercial purposes and I would maybe like to be able to links things to there. But if someone linked to my main site, this wouldn't do me any good, would it?

A quick check, would this be ok (for the DOMAIN parts):

In what kind of file must I add this code?

From post#1:

Question: The instructions say to place right after <?php. There is a similar hack, but to prevent attachment stealing, here: https://vborg.vbsupport.ru/showthrea...threadid=35399 Now this hack says to place the code after require("./global.php");. Is there a difference between either placement? Should I change my installation of that hack to place the code right after <?php, instead of after require("./global.php");?

Actually, upon closer examination, it looks like this version and that version are pretty different. Which one is better? ;)

Is there any way to have this hack also display a picture or file to the user who is trying to crosslink to let them know that we know they are trying to do it (like in the hack that JJR512 mentioned)?

Would there also be any way to make this work site-wide or forum specific? I want tp put up a couple of forums with pictures the wife has made in various programs (Bryce 5, PhotShop, etc.) and we want to keep others from linking to them.

Lol, whenever you post Boofo it's usually in the form of doublepost, try using the edit button :)

More importantly though, I'm more interested in this request as well:

Any thoughts about this CJi?

PS: And Boofo, in your post above there are options in the cpanel of your site to prevent image stealing or certain directory access, so it shouldn't have to do with vbulletin.

First of all, how do you spell edit? If I can't spell it, how can I use it? :)



But how would that prevent linking from other sites? :)

Quote:

PS: And Boofo, in your post above there are options in the cpanel of your site to prevent image stealing or certain directory access, so it shouldn't have to do with vbulletin.

Velocd: You can't put any path declarations in the array, only a domain or IP address. So you can't add say, www.forums.com/forums/, only www.forums.com.

Bofo: Yep, you can add more, just add more fields to the array seperated by a comma.

JJR512: I can't comment on the other hack, I'm at work at the minute so don't really have time to check over it at the moment, but I'm imagining that the other hack uses some database resources, whereas this one doesn't. By sticking the code right at the top of the script, it cuts out processing time and disk access, as there is no need to include global.php and parse it's contents. This script simply checks where the request comes from, if it isn't known, it bombs right out, if it is allowed, it then goes forth to process the rest of the script. :)

Hope that helps.

Other requests I'll deal with later :) Got to get back to work now.

Well, one request I have:

in case somebody is hotlinking, could this script be made so that a default image is served instead of the one they want?

I like the idea of advertising my site for free ;)

You'd be better off doing that with htaccess files, but the script could be changed to do this I suppose, although that wasn't it's intended purpose. I apologise for being busy, I'll attempt to get everything sorted out at the weekend.

Perhaps I am missing the point of this hack, but should the image below be blank? My server is hosting that image, yet it is still displaying that image. If I am using the wrong hack for what I want to do, can someone please re-direct me?
Thanks!

http://www.finheaven.com/boardvb2/im...s/bear1-sm.gif

Thats because...

That image isnt stored in Avatar.php

Satan

This is gonna sound really stupid, and probably makes no sense.... but how do you store it in Avatar.php?

The only reason why I'm asking is because a lot of people are using my avatars for avatars on other message boards... and this isn't just one or two peopel... its more than 10...

Thanks for your help...

By stored, i mean...

You havent linked that image from your avatar in your posts...

https://vborg.vbsupport.ru/avatar.ph...ine=1023286012

A link to my avatar at vB.org...

http://www.darkblazes.com/forums/ava...ine=1027536317

A link to my avatar at DarkBlazes.com (my forums)...

It get stored when you upload it as your avatar...Just like an attachment link from DarkBlazes.com wont work here...

You have to have actually requested that image/attachment from your board, not your server...

Satan

I installed this hack, but users are complaining saying they can't see the images even when they're on the forum. And I've put these in the referrers array:

www.ppgworld.com , ppgworld.com , 206.126.4.17

The forums are located on forums.ppgworld.com

Then you'll need to add forums.ppgworld.com too as your blocking that domain.

Did. Still caused problems with users. Had to uninstall it. :(

easy answer tell em to allow your site though their firewall not sure how it works but thats all i did and it works.

Before nobodys avator showed up so allowed pass on firewall and they all show now.

I like the array set up of this one over how the other hot link prevention hack functions, but this hack just doesn't work for me, even with no firewall. No matter what, I get the echoed text I added so I could see what was going on.

You moved this line up a few lines from the original code, that is probably why you can get it to work.

I can't get this hack to work over multiple domains. I tested it using one and it worked for me, so I now know it's working, but when I add a second domain like this:

It still doesn't work from 3dNewz.com. I didn't add the ip of 3dnewz.com because 3dnewz.com just redirects to TheForumz.com

Can somebody help me on how to get this to work with multiple domains? I have about 5 I need to add to this hack. Please help.

CJi,

Thank you for this hack. It worked perfect firt time!

Thanks!

Very much help indeed, THANK YOU CJi!! :knockedout:

I am having some problems.

I am using vb 2.3, I cannot get link protection for either avatar or attachment.

The avatars appear in my forum as typical "miising image" icons, I have worked with many perl/php scripts and well aware on entering referers for protection, I however, cannot get this too work. As far as attachments, when someone clicks, from the forum, an attachment link, he goes into a blank page.

I have tried my domain, my IP...you name it.

I do have a router.

Any suggestions please?

Regards,

LC

To be honest, for ultimate protection it's best to use htaccess. What you need to bear in mind is users can choose to withold, or even warp referrers, so hacks like this will never work. It's annoying, but 'one of those things'

There is a very simple way, you can do it with .htaccess, even diplay an image of your choice on a website that is linking your image.

Can protect whole domain or just 1 folder.

Anyways, nicely done :)

How would you do that?