Blocking remote calling of scripts

htaccess maybe?

trillianjedi

10:25 pm on Nov 23, 2004 (gmt 0)




We have a couple of control panels on one site for various bits and pieces (including login info) which someone has hacked together a page for so that people can log in to our site from theirs. I'm guessing he's using a CGI script that then hands all the info over to our site by calling the URL with all the variables in.

I don't like this - security etc.

Is there any way I can stop it? Can I put something in htaccess that stops any of our PHP scripts being called from another domain?

Thanks,

TJ

<Added>

Here's what he's done on his page:-

<form action="h*ttp://mydomain/mystuff.php?op=modload&name=mything&file=process" method="post" name="form1">

Stuff like this really irritates the hell out of me.

I did mail him and ask him to stop, incidentally, but no reply...

</Added>

jonrichd

11:11 pm on Nov 23, 2004 (gmt 0)




How about examining the HTTP_REFERER variable, and if it's not from your domain, bounce the user back to where he came from.

It's not 100% foolproof, but if you want real security, you would need to put the page behind a username/password.

trillianjedi

11:17 pm on Nov 23, 2004 (gmt 0)




Thanks.

The page is behind a username/password. That's called from a login script, which is what he's replicated.

I'll try and block based on referrer - thanks. That should be a start.

TJ
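
The Referer check suggested in this thread, sketched in PHP as an added example (not code posted by anyone in the thread). The host names in `ALLOWED_HOSTS` and the function name `referer_is_local` are assumptions for illustration; the check compares the parsed host exactly, so a look-alike host or a query string that merely contains the site name does not pass.

```php
<?php
// Added example. ALLOWED_HOSTS holds placeholder names; use the site's own hosts.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * True only when the Referer parses as an http(s) URL whose host is
 * exactly one of our own hosts. A missing or malformed header fails.
 */
function referer_is_local(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false; // header absent (stripped by a proxy, privacy setting, etc.)
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Exact host comparison: a substring test would accept example.com.other.test
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Guard for the top of the login handler: refuse POSTs whose form page
// was not served from our own host.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && !referer_is_local($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOSTS)) {
    http_response_code(403);
    exit('Forbidden');
}

// Constructed sample values, printed when the file is run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'http://www.example.com/login.php',         // our own form page
        'http://other.test/login.html',             // form hosted on another site
        'http://example.com.other.test/login.html', // look-alike host
        'http://other.test/?from=example.com',      // site name only in the query
        null,                                       // header not sent
    ];
    foreach ($samples as $referer) {
        printf("%-45s %s\n", var_export($referer, true),
            var_export(referer_is_local($referer, ALLOWED_HOSTS), true));
    }
}
```

The Referer header is supplied by the client, so this stops ordinary browsers submitting a form hosted on another site but, as noted above, is not foolproof; it also rejects visitors whose browser or proxy omits the header.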