> -----Original Message----- > From: Per Jessen [mailto:per@xxxxxxxxxxxx] > Sent: Thursday, November 22, 2007 8:08 AM > To: php-general@xxxxxxxxxxxxx > Subject: Re: getenv ... i think > > Steven Macintyre wrote: > > > If i take OUT the getenv if then, it works ... so i know that is > where > > the problem is. > > I didnt bother with reading all your code, but maybe you should use > $_SERVER['REMOTE_HOST'] instead of the getenv() call ? > > > /Per Jessen, Zürich > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php Maybe this is what you want... take a look (in a syntax highlighting PHP editor): <?php $hash = $_GET['hash']; require_once('db.class.php'); $db = new db_class; $db->connect(); /* You should have an escape method in the db class, otherwise take a look at mysql_real_escape_string - for MySQL Also, beware of magic quotes if they are enabled they can mess things up (not in this case, but as a general hint). I usually put things like these in an .htaccess file. Here's a sample, for a site under construction: php_flag short_open_tag on php_flag register_globals off php_flag magic_quotes_gpc off php_flag magic_quotes_runtime off php_flag magic_quotes_sybase off # Switch to off in production stage php_flag display_errors on php_value error_reporting 2039 # This setting depends on you requirements php_value max_execution_time 300 */ $safeHash = $db->escape($hash); /* If your db class doesn't have an escape method you can do $safeHash = mysql_real_escape_string($hash); */ $r = $db->select("SELECT duration, label, website FROM hhcu_codonations where hash = '$safeHash' AND valid = '1'"); while ($row=$db->get_row($r)) { // found record - lets see if we can display the image and which image extract ($row); $now = time(); if ($duration >= $now) { /* The call on this is as follows; <img src="http://mydev.co.za/myscript.php?hash=ARBHASHCODE"; border='0'> */ $referer = $_SERVER['HTTP_REFERER']; $params = parse_url($referer); // Beware of gotchas if the referer has no "www" in the host param // We'll add "www." to the host if it's not there $host = (substr($params['host'], 0, 4) == 'www.') ? $params['host'] : 'www.'.$params['host']; // Now $host holds something like "www.subscribersite.com" $refererWebsite = $params['scheme'].'://'.$host.'/'; /* So now, the referer is the expected referer or not You don't need to use MD5 here, you've already checked the hash when you queried the DB. You now need to check that the referer is right for the supplied hash I'm assuming here you are only hashing the website's url. You would only need to check the hash against the request headers if you use a more complex hashing strategy like the following define('HASH_SALT', 'a secret string'); $websiteUrl = 'http://www.subscribersite.com/'; $websiteIP = '60.50.40.30'; $hashToStoreInDB = md5($websiteUrl.$websiteIP.HASH_SALT); But if you use such a method, you wouldn't need to check the referer either, you'd build a tentative hash out of the $_SERVER parameters (HTTP_REFERER, REMOTE_ADDR) and the HASH_SALT constant, match that tentative hash against the supplied hash ($_GET['hash']), and then look up that hash in the database if both hashes match... that would be all */ if ($refererWebsite == $website) { switch ($label) { // ... code to follow } } } } -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
