Home  >  Article  >  Backend Development  >  PHP fake referer Use referer to prevent image hotlinking

PHP fake referer Use referer to prevent image hotlinking

WBOY
WBOYOriginal
2016-07-25 08:54:361344browse
  1. # Only allow access from don.com, the image may be placed on the page of the don.com website
  2. setenvifnocase referer "^http://www.don.com/" local_ref
  3. # Access directly through the address
  4. setenvif referer "^$" local_ref
Copy the code

Then, stipulate that only marked access is allowed:

  1. order allow,deny
  2. allow from env=local_ref
  3. or
  4. order deny ,allow
  5. deny from all
  6. allow from env=local_ref
Copy code

Don’t use referrer places

Do not use referrer for authentication or other very important checks, because referrer is very easy to be changed on the client side, whether it is through the firefox extension introduced above, or privoxy, or even libcurl call, so the referrer data is very Not credible. If you want to restrict users from accessing a certain entrance page, instead of using referer, it is better to use session, write the session on the entrance page, and then check on other pages. If the user has not visited the entrance page, then the corresponding session does not exist. , see discussion here. But as mentioned above, don’t put too much faith in the “verification” results of this method. Personally, I feel that in addition to being used to prevent hotlinking, the most common use of referrers is access statistics, such as statistics on which links users access from, etc.

The http-referer variable has become increasingly unreliable and can be forged. Here's how to fake it: php (provided curl is installed):

  1. $ch = curl_init();
  2. curl_setopt ($ch, curlopt_url, "http://www.d.cn/xxx.asp");
  3. curl_setopt ($ch, curlopt_referer, "http:/ /www.d.cn/");
  4. curl_exec ($ch);
  5. curl_close ($ch);
Copy code

php (use sock without curl)

  1. $server = 'www.dc9.cn';
  2. $host = 'www.dc9.cn';
  3. $target = '/xxx.asp';
  4. $referer = 'http://www .d.cn/'; // referer
  5. $port = 80;
  6. $fp = fsockopen($server, $port, $errno, $errstr, 30);
  7. if (!$fp)
  8. {
  9. echo "$ errstr ($errno)
    n";
  10. }
  11. else
  12. {
  13. $out = "get $target http/1.1rn";
  14. $out .= "host: $hostrn";
  15. $out . = "cookie: aspsessionidsqtbqsda=dfcapklbbficdafmhnkigkegrn";
  16. $out .= "referer: $refererrn";
  17. $out .= "connection: closernrn";
  18. fwrite($fp, $out);
  19. while (!feof($fp ))
  20. {
  21. echo fgets($fp, 128);
  22. }
  23. fclose($fp);
  24. }
  25. javascript
  26. xmlhttp.setrequestheader("referer", "http://url");// Haha~ Fake ~
Copy code

js is not supported^_^

The principle is that sock constructs the http header to send data. Other languages ​​such as perl can also be used. Currently, the simplest way to defend against forged referers is to use a verification code (session). Nowadays, there are some commercial companies that can prevent hotlinking software, such as uudog, linkgate, virtualwall, etc., all of which are developed and applied to dll on iis. Some use cookie verification and thread control, and some can randomly generate file names and then perform url rewriting. Some methods can indeed achieve good results.



Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn