> -----Original Message-----
> From: Per Jessen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 22, 2007 8:08 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP] getenv ... i think
> 
> Steven Macintyre wrote:
> 
> > If I take OUT the getenv if then, it works ... so I know that is where
> > the problem is.
> 
> I didn't bother with reading all your code, but maybe you should use
> $_SERVER['REMOTE_HOST'] instead of the getenv() call?
> 
> 
> /Per Jessen, Zürich
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Maybe this is what you want... take a look (in a syntax-highlighting PHP
editor):

<?php
// Only read the hash if the client actually supplied one
$hash = isset($_GET['hash']) ? $_GET['hash'] : '';
require_once('db.class.php');

$db = new db_class();
$db->connect();

/*
    You should have an escape method in the db class, otherwise take a look
    at mysql_real_escape_string - for MySQL
    Also, beware of magic quotes: if they are enabled they can mess things
    up (not in this case, but as a general hint).
    I usually put things like these in an .htaccess file.
    Here's a sample, for a site under construction:
        php_flag short_open_tag on
        php_flag register_globals off
        php_flag magic_quotes_gpc off
        php_flag magic_quotes_runtime off
        php_flag magic_quotes_sybase off
        # Switch to off in production stage
        php_flag display_errors on
        php_value error_reporting 2039
        # This setting depends on your requirements
        php_value max_execution_time 300
*/
$safeHash = $db->escape($hash);
/*
    If your db class doesn't have an escape method you can do
    $safeHash = mysql_real_escape_string($hash);
*/

$r = $db->select("SELECT duration, label, website FROM hhcu_codonations WHERE hash = '$safeHash' AND valid = '1'");

while ($row = $db->get_row($r)) {
    // found record - let's see if we can display the image and which image
    // (explicit assignments instead of extract(), so row data can never
    // silently overwrite variables of this script)
    $duration = $row['duration'];
    $label    = $row['label'];
    $website  = $row['website'];
    $now = time();
    if ($duration >= $now) {
        /*
            The call on this is as follows:
            <img src="http://mydev.co.za/myscript.php?hash=ARBHASHCODE" border='0'>
        */
        // The referer header may be absent, or may not parse to a host at all
        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        $params = parse_url($referer);
        if ($params === false || empty($params['scheme']) || empty($params['host'])) {
            continue;
        }
        // Beware of gotchas if the referer has no "www" in the host param
        // We'll add "www." to the host if it's not there
        $host = (substr($params['host'], 0, 4) == 'www.') ? $params['host'] : 'www.' . $params['host'];
        // Now $host holds something like "www.subscribersite.com"
        $refererWebsite = $params['scheme'] . '://' . $host . '/';
        /*
            So now, the referer is the expected referer or not.
            You don't need to use MD5 here, you've already checked the hash
            when you queried the DB. You now need to check that the
            referer is right for the supplied hash.
            I'm assuming here you are only hashing the website's url. You
            would only need to check the hash against the request headers
            if you use a more complex hashing strategy like the following:

            define('HASH_SALT', 'a secret string');
            $websiteUrl = 'http://www.subscribersite.com/';
            $websiteIP = '60.50.40.30';
            $hashToStoreInDB = md5($websiteUrl.$websiteIP.HASH_SALT);

            But if you use such a method, you wouldn't need to check the
            referer either, you'd build a tentative hash out of the $_SERVER
            parameters (HTTP_REFERER, REMOTE_ADDR) and the HASH_SALT constant,
            match that tentative hash against the supplied hash ($_GET['hash']),
            and then look up that hash in the database if both hashes
            match... that would be all
        */
        if ($refererWebsite === $website) {
            switch ($label) {
                // ... code to follow
            }
        }
    }
}

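The referer comparison and the salted-hash idea from the message above, as an added example that is not part of the original post or of any project's code. It factors the normalization into a function that returns null for every case the thread's loop would trip over (no Referer header, unparsable URL, no host, non-HTTP scheme), and replaces the md5($websiteUrl.$websiteIP.HASH_SALT) construction with an HMAC over the normalized site URL checked with hash_equals. The secret, the sample database row and the sample referer are constructed for the demo; the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the row the thread's SELECT would return.
function sampleRow(): array
{
    return [
        'duration' => PHP_INT_MAX,                    // expires far in the future
        'label'    => 'gold',
        'website'  => 'http://www.subscribersite.com/',
    ];
}

// Normalize a URL to "scheme://www.host/" like the thread's code, but return
// null on every failure case instead of building a bogus string from it.
function normalizeSite(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;                                  // header absent
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;                                  // unparsable or no host
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $host = strtolower($parts['host']);
    if (strncmp($host, 'www.', 4) !== 0) {
        $host = 'www.' . $host;                       // same "www." rule as the post
    }
    return $scheme . '://' . $host . '/';
}

// True only when both sides normalize and match exactly.
function refererMatchesSite(?string $referer, string $storedWebsite): bool
{
    $ref  = normalizeSite($referer);
    $site = normalizeSite($storedWebsite);
    return $ref !== null && $site !== null && $ref === $site;
}

// Keyed-hash variant of md5($websiteUrl.$websiteIP.HASH_SALT): the token
// covers the normalized site URL and cannot be recomputed without $secret.
function siteToken(string $website, string $secret): ?string
{
    $site = normalizeSite($website);
    return $site === null ? null : hash_hmac('sha256', $site, $secret);
}

function tokenIsValid(string $supplied, string $website, string $secret): bool
{
    $expected = siteToken($website, $secret);
    // hash_equals compares in constant time; known value goes first
    return $expected !== null && hash_equals($expected, $supplied);
}

// Constructed request values so the script runs from the command line.
$secret   = 'replace-with-a-long-random-secret';      // assumption: lives in config, not in the web root
$referer  = 'http://subscribersite.com/some/page.html'; // constructed: no "www." on purpose
$row      = sampleRow();
$supplied = siteToken($row['website'], $secret);      // what the <img> URL would carry

if ($row['duration'] >= time()
    && refererMatchesSite($referer, $row['website'])
    && tokenIsValid((string) $supplied, $row['website'], $secret)) {
    echo "serve image for label: {$row['label']}\n";
} else {
    echo "no image\n";
}

// Failure cases the thread's loop does not handle: all return false/null
var_dump(refererMatchesSite(null, $row['website']));                 // no header
var_dump(refererMatchesSite('subscribersite.com', $row['website'])); // no scheme
var_dump(normalizeSite('ftp://www.subscribersite.com/'));            // wrong scheme
```

The Referer header is sent by the client and is often stripped (privacy settings, browser policy), so a missing header should mean "no image", never a warning-laden comparison against an empty string; the HMAC token is what actually ties the request to a subscriber, and the referer check only narrows where a leaked token can be replayed from.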