WeberDev.com PHP and MySQL Code

Title : Antispoof - a class to help prevent people hi-jacking and misusing parts of a website
Categories : PHP, PHP Classes, Security
Simon Booth
Date : Aug 06th 2002
Grade : 4 of 5 (graded 8 times)
Viewed : 12655


<?php
// There should be no white space before the opening script tag

// Antispoof - Simon Booth (simon.booth@ukonline.co.uk) - 2002

// Antispoof - a little class and descendants to
// detect and/or prevent people hi-jacking and
// misusing parts of a website.
//
// Should be nice and easy to add further
// functionality to. The most common things that
// mean someone is spoofing you are set up below
//
// Example real-world use. Chuck an antispoof_post
// in front of a generalised mailing script
// to stop 'web-marketeers' spamming the world
// using your web server as an unknowing relay.

// Example use...
// include("antispoof.php");
// $spoofer = new antispoof_self();
//
// You may optionally use the form...
//
// $spoofer = new antispoof_self(true);
//
// in which case you'll get some idea of what
// caused the supposed spoof (useful for debugging)
//
// Actual classes you'd instantiate are
// antispoof_get, antispoof_post and antispoof_self

// antispoof()
//
// Base class
//
// This does very little apart from
// setting up a load of variables for
// use by derived classes
//
// You will almost certainly want to modify
// the spoofed() method of this class!

class antispoof
  {
  var $host;              // Our webserver - www.somewhere.com
  var $referer;           // The referring page
  var $method;            // GET or POST
  var $protocol;          // HTTP/1.1 for example
  var $port;              // 80 in most cases, 443 for SSL
  var $request_uri;       // The URI without the host
  var $secure;            // Are we using HTTPS ?
  var $getcount;          // How many GET variables were passed
  var $postcount;         // How many POST variables were passed
  var $internal_referal;  // Did we come from our own website ?
  var $self_referal;      // Did we come from the same page ?
  var $showerrors;        // Show errors when spoofed() - true/false

  // Main constructor - initialises everything
  // Optional $showerrors parameter controls
  // whether spoofed() member displays anything
  // or just bombs the script out

  function __construct($showerrors = false)
    {
    // Referer, Host and HTTPS are not always present in the request,
    // so a missing value is treated as an empty string
    $referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
    $host    = isset($_SERVER["HTTP_HOST"])    ? $_SERVER["HTTP_HOST"]    : "";

    // parse_url() returns false for a badly malformed URL
    // and omits any part that is missing
    $referer_uri_parts = parse_url($referer);
    $script_uri_parts  = parse_url($_SERVER["REQUEST_URI"]);

    $referer_host = isset($referer_uri_parts["host"]) ? $referer_uri_parts["host"] : null;
    $referer_path = isset($referer_uri_parts["path"]) ? $referer_uri_parts["path"] : null;
    $script_path  = isset($script_uri_parts["path"])  ? $script_uri_parts["path"]  : "";

    $this->host        = $host;
    $this->referer     = $referer;
    $this->method      = $_SERVER["REQUEST_METHOD"];
    $this->protocol    = $_SERVER["SERVER_PROTOCOL"];
    $this->port        = $_SERVER["SERVER_PORT"];
    $this->request_uri = $_SERVER["REQUEST_URI"];
    $this->secure      = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on");
    $this->getcount    = count($_GET);
    $this->postcount   = count($_POST);
    $this->internal_referal = ($referer_host === $host);
    $this->self_referal = ($referer_host === $host) &&
                          ($referer_path === $script_path);
    $this->showerrors  = $showerrors;
    }

  // Something broke the rules - stop the script!
  // Optionally show the message in $msg depending on
  // whether our constructor was passed true or false

  function spoofed($msg)
    {
    if($this->showerrors === true)
      {
      echo "Attempt to spoof the script<br>\n";
      echo "Message: $msg<br>\n";
      }
    exit();
    }

  // Debug - Dump out all the data we've got

  function showme()
    {
    echo "<pre>\n";
    print_r($this);
    echo "</pre>\n";
    }
  }


// antispoof_get()
//
// This version must have been called from
// another page on our website using GET
//
// This antispoof descendant checks that...
//
// We are called from somewhere on our own site
// Method is GET
// There are no POST variables

class antispoof_get extends antispoof
  {
  function __construct($showerrors = false)
    {
    // Initialise everything
    parent::__construct($showerrors);

    // Must be called from our own site
    if($this->internal_referal !== true)
      parent::spoofed("External referer detected in an antispoof_get");

    // Check method was GET
    if($this->method !== "GET")
      parent::spoofed("POST method used in an antispoof_get");

    // POST variables count should be zero
    if($this->postcount !== 0)
      parent::spoofed("POST variables in an antispoof_get");
    }
  }


// antispoof_post()
//
// This version must have been called from
// another page on our website using POST
//
// This antispoof descendant checks that...
//
// We are called from somewhere on our own site
// Method is POST
// There are no GET variables

class antispoof_post extends antispoof
  {
  function __construct($showerrors = false)
    {
    // Initialise everything
    parent::__construct($showerrors);

    // Must be called from our own site
    if($this->internal_referal !== true)
      parent::spoofed("External referer detected in an antispoof_post");

    // Check method was POST
    if($this->method !== "POST")
      parent::spoofed("GET method used in an antispoof_post");

    // GET variables count should be zero
    if($this->getcount !== 0)
      parent::spoofed("GET variables in an antispoof_post");
    }
  }


// antispoof_self()
//
// This version must have been called from
// another page on our website using GET
// or be self-calling using POST
//
// This kind of thing is a common way to
// handle forms on a site. You call the
// page with the form from a menu and when
// the form is submitted the target is the
// same page but some logic kicks in that
// validates stuff and writes to a database
// or whatever
//
// This antispoof descendant checks that...
//
// If the method is GET
// We are called from somewhere on our own site
// There are no GET variables
// There are no POST variables
//
// If the method is POST
// We are self-calling (referer == this page)
// There are no GET variables

class antispoof_self extends antispoof
  {
  function __construct($showerrors = false)
    {
    // Initialise everything
    parent::__construct($showerrors);

    if($this->method === "GET")
      {
      // Must be called from our own site
      if($this->internal_referal !== true)
        parent::spoofed("External referer detected in an antispoof_self");

      // GET variables count should be zero
      if($this->getcount !== 0)
        parent::spoofed("GET variables in an antispoof_self");

      // POST variables count should be zero
      if($this->postcount !== 0)
        parent::spoofed("POST variables in an antispoof_self when referer not self");
      }
    else if($this->method === "POST")
      {
      // Must be self-calling (referer is this same page)
      if($this->self_referal !== true)
        parent::spoofed("Referer for an antispoof_self in POST mode was not self");

      // GET variables count should be zero
      if($this->getcount !== 0)
        parent::spoofed("GET variables in an antispoof_self");
      }
    else
      {
      // Shouldn't get here - method was not GET or POST
      parent::spoofed("antispoof_self method was not GET or POST");
      }
    }
  }

// There should be no white space after the closing script tag
?>
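
The checks above compare the Referer and Host headers, both of which are supplied by the client, so they filter casual misuse but cannot prove that a POST came from a form the site itself served. A per-session form token that can be checked alongside antispoof_post or antispoof_self, as an added example that is not part of Simon Booth's code; the function names and the "antispoof_token" session key and form field are hypothetical:

```php
<?php
// Added example, not part of Antispoof. The function names and the
// "antispoof_token" key are hypothetical.

// Return the token for this session, creating it on first use.
// Embed the value in a hidden form field named "antispoof_token".
function antispoof_token_issue(array &$session)
  {
  if (empty($session["antispoof_token"]))
    $session["antispoof_token"] = bin2hex(random_bytes(32));
  return $session["antispoof_token"];
  }

// True only if the submitted field matches the session's token.
function antispoof_token_check(array $session, array $post)
  {
  if (empty($session["antispoof_token"]))
    return false;                       // No token was ever issued
  if (!isset($post["antispoof_token"]) || !is_string($post["antispoof_token"]))
    return false;                       // Field missing or sent as an array
  // hash_equals() compares in constant time
  return hash_equals($session["antispoof_token"], $post["antispoof_token"]);
  }

// In a real page: session_start(); then pass $_SESSION and $_POST,
// after the antispoof_post / antispoof_self object has been created.
// Constructed demonstration with plain arrays standing in for them:
$session = array();
$token   = antispoof_token_issue($session);

$cases = array(
  "matching token"  => array("antispoof_token" => $token),
  "wrong token"     => array("antispoof_token" => str_repeat("0", 64)),
  "field missing"   => array(),
  "field is array"  => array("antispoof_token" => array($token)),
);
foreach ($cases as $label => $post)
  echo $label, ": ", antispoof_token_check($session, $post) ? "accept" : "reject", "\n";
```

The token lives in the server-side session, so unlike the Referer it cannot be satisfied by a request that merely sets headers.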


