On Tue, 2008-01-29 at 11:12 -0500, Jason Pruim wrote:
> On Jan 29, 2008, at 10:58 AM, Robert Cummings wrote:
>
> >
> > On Tue, 2008-01-29 at 10:21 -0500, Mike Potter wrote:
> >> There is JavaScript out there, to make a page break out of frames if
> >> someone else has your page in a frame of theirs.
> >> Is it possible to do this with PHP or is that the wrong side of
> >> Server/Client-side operations?
> >
> > PHP can echo the JavaScript that facilitates the break out.
> >
> >>
> >> Related, when target files are PDF's, images, or other than
> >> .php/.htm(l), does PHP provide any remedies against that
> >> sort of remote site linking?
> >
> > The only remedy agaonst remote linking is to embed some kind of
> > expiration in the link that accesses the document. I usually do this
> > by
> > using a combination of the document ID, a timestamp, and salt, and md5
> > or sha1. For instance the following:
> >
> > <?php
> >
> > $id = 'THE DOCUMENT ID :)';
> > $now = time();
> > $salt = 'Some site specific salt.';
> >
> > $accessId = $id.':'.$now.':'.sha1( $id.':'.$now.':'.$salt );
> >
> > echo '<a href="/docs/myDocument.php?id='.urlencode( $accessId ).'">'
> > .'The Document'
> > .'</a>';
> >
> > ?>
> >
> > Then when someone actually requests the page we do the following:
> >
> > <?php
> >
> > $salt = 'Some site specific salt.';
> > $lifespan = 2 * 24 * 60 * 60; // 2 days
> >
> > if( !($accessId = isset( $_GET['id'] ) ? $_GET['id'] : false) )
> > {
> > die( 'No document requested.' );
> > }
> >
> > list( $id, $timestamp, $code ) = explode( ':', $accessId );
> >
> > if( $code !== sha1( $id.':'.$timestamp.':'.$salt ) )
> > {
> > die( 'Invalid document request.' );
> > }
> >
> > if( (time() - $lifespan) > $timestamp )
> > {
> > die( 'Document has expired.' );
> > }
> >
> > // Otherwise flush document to browser.
> >
> > ?>
> >
> > Now this doesn't stop anyone from saving the document locally but it
> > does prevent linking to your site and wasting your resources. The
> > key to
> > the method is that only you know the $salt and so only you can create
> > the encoding that validates the passed ID and timestamp. You can also
> > add more attributes to the encoding such as a user ID. Then you could
> > ensure the user is logged in, and that the access ID must match their
> > logged in ID.
> >
> > Cheers,
> > Rob.
>
>
> I'm probably about to show my ignorance here... But by showing it
> hopefully, I can learn from it! Wouldn't it be just as effective to
> have a salt that gets passed to the script and do something like:
>
> if($salt ="Correct salt"){
> //display correct picture
> }else{
> //display some random picture of a guy flipping you the bird and echo
> out Don't steal my pictures
> }
>
> Now that I type that out, I see that it will still use bandwidth which
> if you are on a measured plan I could see being a problem.
>
> So I think I just convinced my self that yours is better... Any thing
> really wrong with my idea though?
You can't pass the salt, the salt is like a password. If the end user
knows it they could arbitrarily change the document ID or timestamp in
which case access is no longer under your control. This is why we create
a sha1 encoding based on the document ID, the timestamp, and the salt.
If any of the parameters changes we don't get the access code and so we
know that tampering has occurred with the request parameters.
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
