VERY quick avatar/attachment protector

This has probably been written before (I haven't checked), but I am beginning to get annoyed with people linking to my attachments/users avatars. It's quick, it's dirty, and it works. Installation time: 15 seconds per file. Number of files to edit: 2.

PHP Code:

$referers = array ('www.yourforums.com','yourforums.com','aaa.bbb.ccc.ddd'); 

function check_referer($referers){ 
   if (count($referers)){ 
      $found = false; 
      $temp = explode('/',getenv("HTTP_REFERER")); 
      $referer = $temp[2]; 
      for ($x=0; $x < count($referers); $x++){ 
         if (ereg ($referers[$x], $referer)) { 
            $found = true; 
         } 
      } 
      if (!$found){ 
      exit;
      } 
         return $found; 
      } else { 
         return true;
   } 
} 

check_referer($referers); 


Edit the $referers array with your details (DOMAINS and IP Addresses ONLY. Do NOT include path information or 'http://').

Place at the top of avatar.php and attachment.php just after:

PHP Code:

<?php

Hope this is of help to some people.

[Boofo]

CJi, I forgot to ask in my last message...you can add more addresses to that, right, if you want some site to be able to link to it? But what would happen, if you did that, if someone linked to the extra site that you allowed in there? Is there any way to stop them from linking to that other site and bypassing it? I have a main site that I use for commercial purposes and I would maybe like to be able to links things to there. But if someone linked to my main site, this wouldn't do me any good, would it?

[Velocd]

A quick check, would this be ok (for the DOMAIN parts):

PHP Code:

$referers = array ('www.mysite.com/forums','mysite.com/forums','aaa.bbb.ccc.ddd'); 


[Brainmaster]

Quote:

PHP Code:

$referers = array ('www.yourforums.com','yourforums.com','aaa.bbb.ccc.ddd'); 

function check_referer($referers){ 
   if (count($referers)){ 
      $found = false; 
      $temp = explode('/',getenv("HTTP_REFERER")); 
      $referer = $temp[2]; 
      for ($x=0; $x < count($referers); $x++){ 
         if (ereg ($referers[$x], $referer)) { 
            $found = true; 
         } 
      } 
      if (!$found){ 
      exit;
      } 
         return $found; 
      } else { 
         return true;
   } 
} 

check_referer($referers); 


In what kind of file must I add this code?

[Velocd]

From post#1:

Quote:

Originally posted by CJi

Place at the top of avatar.php and attachment.php just after:

PHP Code:

<?php

[JJR512]

Question: The instructions say to place right after <?php. There is a similar hack, but to prevent attachment stealing, here: https://vborg.vbsupport.ru/showthrea...threadid=35399 Now this hack says to place the code after require("./global.php");. Is there a difference between either placement? Should I change my installation of that hack to place the code right after <?php, instead of after require("./global.php");?

Actually, upon closer examination, it looks like this version and that version are pretty different. Which one is better?

[Boofo]

Is there any way to have this hack also display a picture or file to the user who is trying to crosslink to let them know that we know they are trying to do it (like in the hack that JJR512 mentioned)?

[Boofo]

Would there also be any way to make this work site-wide or forum specific? I want tp put up a couple of forums with pictures the wife has made in various programs (Bryce 5, PhotShop, etc.) and we want to keep others from linking to them.

[Velocd]

Lol, whenever you post Boofo it's usually in the form of doublepost, try using the edit button

More importantly though, I'm more interested in this request as well:

Quote:

Originally posted by JJR512

Actually, upon closer examination, it looks like this version and that version are pretty different. Which one is better?

Any thoughts about this CJi?

PS: And Boofo, in your post above there are options in the cpanel of your site to prevent image stealing or certain directory access, so it shouldn't have to do with vbulletin.

[Boofo]

First of all, how do you spell edit? If I can't spell it, how can I use it?

Quote:

Originally posted by Velocd
Lol, whenever you post Boofo it's usually in the form of doublepost, try using the edit button

More importantly though, I'm more interested in this request as well:



Any thoughts about this CJi?

But how would that prevent linking from other sites?

Quote:

PS: And Boofo, in your post above there are options in the cpanel of your site to prevent image stealing or certain directory access, so it shouldn't have to do with vbulletin.

[CJi]

Velocd: You can't put any path declarations in the array, only a domain or IP address. So you can't add say, www.forums.com/forums/, only www.forums.com.

Bofo: Yep, you can add more, just add more fields to the array seperated by a comma.

JJR512: I can't comment on the other hack, I'm at work at the minute so don't really have time to check over it at the moment, but I'm imagining that the other hack uses some database resources, whereas this one doesn't. By sticking the code right at the top of the script, it cuts out processing time and disk access, as there is no need to include global.php and parse it's contents. This script simply checks where the request comes from, if it isn't known, it bombs right out, if it is allowed, it then goes forth to process the rest of the script.

Hope that helps.