|
|
Posted by Toby Inkster on 01/19/07 10:15
Floortje wrote:
> <a href ="redir.php?url=http://example.com">example.com</a>
<a href="redir.php?sign=382519ab&url=http://example.com">example.com</a>
> redir.php
> <?php
> if (isset($_GET['url']))
> {
> $f = fopen('/path/to/file/file.txt', 'a');
> fwrite($f, $url.'->'.$_SERVER['REMOTE_ADDR']."\n");
> fclose($f);
> header("Location: $url");
> }
> else
> {
> echo "No url specified";
> }
> ?>
<?php
$password = 'secret';
if (isset($_GET['url']))
{
$url = stripslashes($_GET['url']);
$real_signature = substr(md5($password.$url), 0, 8);
$given_signature = stripslashes($_GET['sign']);
$f = fopen('/path/to/file/file.txt', 'a');
if ($real_signature == $given_signature)
fwrite($f, $url.'->'.$_SERVER['REMOTE_ADDR']."\n");
else
fwrite($f, $url.'->'.$_SERVER['REMOTE_ADDR']." [HACK ATTEMPT]\n");
fclose($f);
if ($real_signature == $given_signature)
header("Location: $url");
else
echo "Potential hack";
}
else
{
echo "No url specified";
}
?>
Magic. Change $password to something very secret, but don't do something
silly like change it every week. It should remain the same secret password
forever.
Now, when you want to link to something, use the following URL:
redir.php?sign=ABCDEF09&url=http://example.org
Where the correct signature (ABCDEF09) can be discovered by you by running
the following command on a Linux/UNIX box:
echo 'secrethttp://example.org' | md5sum
and then taking the first eight characters of the output. Nobody else is
able to generate valid signatures, as nobody else knows the password.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
[Back to original message]
|