Stop Users from Cross-linking Attachments

I've hacked my attachment.php script to prevent users from posting an attachment on my board, and then using the HTML to display it somewhere else. This prevents people from posting a pic on your board, then using your bandwidth to place that pic elsewhere. It is a tiny code change.

I've substituted my own logo, (LOL), but you can replace that with anything, or just use the "exit;" line to eliminate the pic entirely.

In attachment.php, right after:

PHP Code:

require("./global.php"); 


Add the following code:

PHP Code:

// Cross-link hack by Guru 2/24/2002
// Check that we aren't linked somewhere else
$url = parse_url($_SERVER['HTTP_REFERER']); 
$checkurl = strtolower($url["host"]); 
if (! strstr($checkurl, "yourdomain")) {

    // Remove this code if you just want to break the image
    // Substitute my Logo
    header("Content-Type: image/gif"); 
    $filename = "/usr/public_html/grafix/logo.gif";
    $image = fread(fopen($filename,"r"),100000); 
    echo $image; 
    fclose($image);
    // End Substitute my Logo

    exit; 
} 


Change yourdomain to your actual domain name, and the logo URL to what you want to replace the cross-linked image with.

NOTE: Changed to use the full path in "$filename = ..." to get this to work on some servers.

ANOTHER: See this post in this thread for a modification that works on Win32 servers: https://vborg.vbsupport.ru/showthrea...895#post297895

AGAIN: If you modify avatar.php similarly, you can prevent people from cross-linking your avatars: https://vborg.vbsupport.ru/showthrea...893#post303893

UPDATE: The parse_url line is slightly different to use the new PHP syntax.

[Spike05]

It doesn't work for me! I had to add more that one domain! With one domain there are no Problems! Can you help me??

cu

Jochen

[laycomp]

Greets!

Does this hack work .rar, .zip and other binary attachments?

Thanks!

[Gutspiller]

How do I add multiple domains?

I tried this

if ((false === strpos($checkurl, "firstdomain") ||
(false === strpos($checkurl, "seconddomain") ||
(false === strpos($checkurl, "thirddomain")) {

like was said in previous posts in this thread, but it didn't work. Can somebody help me with how I would add more domains to be allowed?

Many thanks!

[Guru]

You would want to check that ALL domain possibilities are false, so substitute "&&" for the "||" This will require ALL the domain checks to return false, which is what you want in this case.

[Guru]

Quote:

03-29-03 at 11:23 AM laycomp said this in Post #92
Greets!


Does this hack work .rar, .zip and other binary attachments?

Thanks!

There is no file-specific code, so it should work for anything you can attach.

[DeeperImage]

It works for me, but it also blocks my own site members from viewing attachments.. Can someone help me.. I am taking out the code for another image, just breaking up the image with the exit line. Help.. But it does work, i checked the sites where my members link to and the image was a red ex. But it also blocks my own site.. thanksl.

[Guru]

On my site, some users have problems if their security settings block the "HTTP-REFERER" header that this hack depends on. Try lowering your own security settings to see if that fixes it.

It might be time to redesign or revise this hack to work better with newer browsers and vB?

[DeeperImage]

Quote:

05-14-03 at 10:35 AM Guru said this in Post #97
On my site, some users have problems if their security settings block the "HTTP-REFERER" header that this hack depends on. Try lowering your own security settings to see if that fixes it.

It might be time to redesign or revise this hack to work better with newer browsers and vB?

Agreed. I tried the security settings and it made no diff..

[Dioxin]

test



test

[Merlin_]

This should work with vB 3.0. Put the same code in attachment.php.