| <?php
// There should be no white space before the opening script tag
// Antispoof - Simon Booth (simon.booth@ukonline.co.uk) - 2002
// Antispoof - a little class and descendants to
// detect and/or prevent people hi-jacking and
// misusing parts of a website.
//
// Should be nice and easy to add further
// functionality to. The most common things that
// mean someone is spoofing you are set up below
//
// Example real-world use. Chuck an antispoof_post
// in front of a generalised mailing script
// to stop 'web-marketeers' spamming the world
// using your web server as an unknowing relay.
// Example use...
// include("antispoof.php");
// $spoofer = new antispoof_self();
//
// You may optionally use the form...
//
// $spoofer = new antispoof_self(true);
//
// in which case you'll get some idea of what
// caused the supposed spoof (useful for debugging)
//
// Actual classes you'd instantiate are
// antispoof_get, antispoof_post and antispoof_self
// antispoof()
//
// Base class
//
// This does very little apart from
// setting up a load of variables for
// use by derived classes
//
// You will almost certainly want to modify
// the spoofed() method of this class!
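class antispoof
{
    public $host;             // Our webserver - www.somewhere.com (raw Host header)
    public $referer;          // The referring page ('' when the client sent no Referer)
    public $method;           // GET or POST
    public $protocol;         // HTTP/1.1 for example
    public $port;             // 80 in most cases, 443 for SSL
    public $request_uri;      // The URI without the host
    public $secure;           // Are we using HTTPS ?
    public $getcount;         // How many GET variables were passed
    public $postcount;        // How many POST variables were passed
    public $internal_referal; // Did we come from our own website ?
    public $self_referal;     // Did we come from the same page ?
    public $showerrors;       // Show errors when spoofed() - true/false

    // Main constructor - initialises everything.
    // Optional $showerrors parameter controls whether the
    // spoofed() member displays anything or just bombs the
    // script out.
    //
    // Reads the request from $_SERVER / $_GET / $_POST. The old
    // $GLOBALS["HTTP_*"] names only exist with register_globals,
    // which current PHP does not have, so with them every check
    // silently compared null against null. Every value is guarded
    // with isset() because a request may omit any of these headers;
    // a missing Referer in particular must not raise notices.
    //
    // NOTE: Referer is supplied by the client and may be absent or
    // stripped (browser privacy settings, Referrer-Policy, HTTPS to
    // HTTP navigation). A missing Referer reads as "external" here,
    // so legitimate visitors can be refused, and a client that sets
    // its own Referer is not detected. Treat the referal flags as a
    // heuristic, not as proof of origin.
    function __construct($showerrors = false)
    {
        $this->host        = self::server_value('HTTP_HOST');
        $this->referer     = self::server_value('HTTP_REFERER');
        $this->method      = self::server_value('REQUEST_METHOD');
        $this->protocol    = self::server_value('SERVER_PROTOCOL');
        $this->port        = self::server_value('SERVER_PORT');
        $this->request_uri = self::server_value('REQUEST_URI');

        // $_SERVER['HTTPS'] is "a non-empty value" on TLS; IIS sets "off"
        // for plain HTTP, so both empty and "off" mean not secure.
        $https = strtolower(self::server_value('HTTPS'));
        $this->secure = ($https !== '' && $https !== 'off');

        // count() of a non-array throws on PHP 8, so guard the superglobals.
        $this->getcount  = is_array($_GET) ? count($_GET) : 0;
        $this->postcount = is_array($_POST) ? count($_POST) : 0;

        // parse_url() returns false for badly broken input; treat that as
        // "no parts" rather than indexing into a boolean.
        $referer_parts = parse_url($this->referer);
        $script_parts  = parse_url($this->request_uri);
        if (!is_array($referer_parts)) {
            $referer_parts = array();
        }
        if (!is_array($script_parts)) {
            $script_parts = array();
        }

        // Compare hosts case-insensitively and without the ":port" suffix
        // that the Host header carries but parse_url()'s host does not,
        // otherwise a site on a non-default port calls every referer external.
        $own_host     = self::normalise_host($this->host);
        $referer_host = isset($referer_parts['host']) ? self::normalise_host($referer_parts['host']) : '';
        $referer_path = isset($referer_parts['path']) ? $referer_parts['path'] : null;
        $script_path  = isset($script_parts['path']) ? $script_parts['path'] : null;

        // Internal only when the referer names a host at all and it is ours.
        $this->internal_referal = ($own_host !== '' && $referer_host === $own_host);
        // Self only when internal and both sides have a path that matches.
        $this->self_referal = $this->internal_referal
            && $referer_path !== null
            && $referer_path === $script_path;

        $this->showerrors = $showerrors;
    }

    // PHP 4 style constructor name. Kept so existing code, and the
    // descendants' parent::antispoof() calls, keep working. Uses self::
    // rather than $this-> so a descendant's own __construct is not
    // re-entered from here.
    function antispoof($showerrors = false)
    {
        self::__construct($showerrors);
    }

    // One $_SERVER entry, or '' when the request did not supply it.
    private static function server_value($key)
    {
        return isset($_SERVER[$key]) ? $_SERVER[$key] : '';
    }

    // Host name lower-cased and without any ":port" suffix, so
    // "Www.Example.com:8080" and "www.example.com" compare equal
    // (DNS names are case-insensitive). '' when nothing usable is left.
    // Parsing via parse_url() keeps bracketed IPv6 literals intact.
    private static function normalise_host($host)
    {
        $host = strtolower(trim((string) $host));
        if ($host === '') {
            return '';
        }
        $bare = parse_url('http://' . $host, PHP_URL_HOST);
        return is_string($bare) ? $bare : '';
    }

    // Something broke the rules - stop the script!
    // Answers 403 while the headers can still be sent, so the refused
    // request is not reported as a success to the caller or in the
    // access log; optionally shows the message in $msg depending on
    // whether our constructor was passed true or false; then exits.
    function spoofed($msg)
    {
        if (!headers_sent()) {
            header('HTTP/1.0 403 Forbidden');
        }
        if ($this->showerrors === true) {
            echo "Attempt to spoof the script<br>\n";
            // Escaped so a message built from request data cannot inject markup.
            echo "Message: " . htmlspecialchars($msg) . "<br>\n";
        }
        exit();
    }

    // Debug - Dump out all the data we've got.
    // Writes every request-derived value into the response, so this is
    // for development only and should not be reachable in production.
    function showme()
    {
        echo "<pre>\n";
        print_r($this);
        echo "</pre>\n";
    }
}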
// antispoof_get()
//
// This version must have been called from
// another page on our website using GET
//
// This antispoof descendant checks that...
//
// We are called from somewhere on our own site
// Method is GET
// There are no POST variables
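class antispoof_get extends antispoof
{
    // Refuses the request unless it is an internal GET carrying no POST
    // data. Each failed rule goes to spoofed(), which exits, so reaching
    // the end of the constructor means every rule passed.
    //
    // Declared as __construct because on PHP 8 a method merely named after
    // the class is no longer a constructor: with the old name these checks
    // never ran and every request passed.
    function __construct($showerrors = false)
    {
        // Initialise everything. parent::antispoof() is the base class's
        // own constructor name and works whether or not the base class
        // declares a __construct, so it is called deliberately.
        parent::antispoof($showerrors);
        // Must be called from our own site
        if ($this->internal_referal !== true) {
            $this->spoofed("External referer detected in an antispoof_get");
        }
        // Check method was GET (HEAD, PUT etc. are refused as well)
        if ($this->method !== "GET") {
            $this->spoofed("Method was not GET in an antispoof_get");
        }
        // POST variables count should be zero
        if ($this->postcount !== 0) {
            $this->spoofed("POST variables in an antispoof_get");
        }
    }

    // PHP 4 style constructor name, kept for callers that invoke it directly.
    function antispoof_get($showerrors = false)
    {
        self::__construct($showerrors);
    }
}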
// antispoof_post()
//
// This version must have been called from
// another page on our website using POST
//
// This antispoof descendant checks that...
//
// We are called from somewhere on our own site
// Method is POST
// There are no GET variables
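class antispoof_post extends antispoof
{
    // Refuses the request unless it is an internal POST carrying no
    // query-string parameters. Each failed rule goes to spoofed(), which
    // exits, so reaching the end of the constructor means every rule passed.
    //
    // Declared as __construct because on PHP 8 a method merely named after
    // the class is no longer a constructor: with the old name these checks
    // never ran and every request passed.
    function __construct($showerrors = false)
    {
        // Initialise everything. parent::antispoof() is the base class's
        // own constructor name and works whether or not the base class
        // declares a __construct, so it is called deliberately.
        parent::antispoof($showerrors);
        // Must be called from our own site
        if ($this->internal_referal !== true) {
            $this->spoofed("External referer detected in an antispoof_post");
        }
        // Check method was POST
        if ($this->method !== "POST") {
            $this->spoofed("Method was not POST in an antispoof_post");
        }
        // GET variables count should be zero
        if ($this->getcount !== 0) {
            $this->spoofed("GET variables in an antispoof_post");
        }
    }

    // PHP 4 style constructor name, kept for callers that invoke it directly.
    function antispoof_post($showerrors = false)
    {
        self::__construct($showerrors);
    }
}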
// antispoof_self()
//
// This version must have been called from
// another page on our website using GET
// or be self-calling using POST
//
// This kind of thing is a common way to
// handle forms on a site. You call the
// page with the form from a menu and when
// the form is submitted the target is the
// same page but some logic kicks in that
// validates stuff and writes to a database
// or whatever
//
// This antispoof descendant checks that...
//
// If the method is GET
// We are called from somewhere on our own site
// There are no POST variables
//
// If the method is POST
// We are self-calling (referer == this page)
// There are no GET variables
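class antispoof_self extends antispoof
{
    // Two-mode check for a page that both shows a form (reached by GET
    // from elsewhere on the site) and handles its own submission (POST
    // back to itself). Each failed rule goes to spoofed(), which exits,
    // so reaching the end of the constructor means every rule passed.
    //
    // Declared as __construct because on PHP 8 a method merely named after
    // the class is no longer a constructor: with the old name these checks
    // never ran and every request passed.
    function __construct($showerrors = false)
    {
        // Initialise everything. parent::antispoof() is the base class's
        // own constructor name and works whether or not the base class
        // declares a __construct, so it is called deliberately.
        parent::antispoof($showerrors);
        if ($this->method === "GET") {
            // Must be called from our own site
            if ($this->internal_referal !== true) {
                $this->spoofed("External referer detected in an antispoof_self");
            }
            // GET variables count should be zero. Note this also refuses a
            // plain "?x=1" link to the form, which the class header does not
            // mention; behaviour kept as the original had it.
            if ($this->getcount !== 0) {
                $this->spoofed("GET variables in an antispoof_self");
            }
            // POST variables count should be zero
            if ($this->postcount !== 0) {
                $this->spoofed("POST variables in an antispoof_self in GET mode");
            }
        } elseif ($this->method === "POST") {
            // Must be posted back from this very page
            if ($this->self_referal !== true) {
                $this->spoofed("Referer for an antispoof_self in POST mode was not self");
            }
            // GET variables count should be zero (the form posts to a bare URI)
            if ($this->getcount !== 0) {
                $this->spoofed("GET variables in an antispoof_self");
            }
        } else {
            // Anything other than GET or POST is refused outright
            $this->spoofed("antispoof_self method was not GET or POST");
        }
    }

    // PHP 4 style constructor name, kept for callers that invoke it directly.
    function antispoof_self($showerrors = false)
    {
        self::__construct($showerrors);
    }
}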
// There should be no white space after the closing script tag
?> | | |