I have been reading this stuff for hours and though I'm happy to say that htaccess has gone from a huge fuzzy mess, to something somewhat less fuzzy, I'm still lost here. I need to protect a product I sell from being sneakily stolen from my site.
Basically, I use a script and clickb_k to sell some products. Someone has discovered (wish it had been me) that they could pay the price of a cheaper product but still get a more expensive product delivered to them. Here's how it goes:
Buy Now button URL:
http://www.mysite.com/script.php?order=http://www.clickb_k.net/sell.cgi?vendorID/2/Product/product2.zip
They come in, hover over the button, see the status bar and resulting URL and type /1/ in place of /2/. So they type:
http://www.mysite.com/script.php?order=http://www.clickb_k.net/sell.cgi?vendorID/1/Product/product2.zip
Unfortunately, that's the level of the security behind this wonderful script I purchased, however that's what I have to work with. So, how can I use htaccess to rewrite any of the above URLs containing any other number but the number associated to the product? For example,
/1/Product/ = product1.zip = 24.95
/2/Product/ = product2.zip = 39.95 etc, and
/5/Product/ = product5.zip = 4.99
I thought to avoid this problem I could rewrite all urls containing the word 'product1.zip' to:
http://www.mysite.com/script.php?order=http://www.clickb_k.net/sell.cgi?vendorID/1/Product/product1.zip
Then, regardless of what they type, be it /3/product1.zip or 101/product5.zip, they will only be sent to the single URL that is associated to the product.
I've tried:
redirect 301 http://www.mysite.com/script.php?order=http://www.clickb_k.net/sell.cgi?vendorID/1/Product/product2.zip http://www.mysite.com/script.php?order=http://www.clickb_k.net/sell.cgi?vendorID/2/Product/product2.zip
as an example to try to get it working and that does nothing for me. I still just type the /1/product2.zip and get product2 for the price of product 1.
I've also tried many redirect rules too but nothing works. I KNOW this has to be so simple but why will nothing work? Is it because the URLs in question are not physical directories? I would really appreciate any help anyone might have to offer.
Thnx
[edited by: jdMorgan at 6:14 am (utc) on Aug. 9, 2005]
[edit reason] Obscured specifics & de-linked. [/edit]
You need to change your published URLs to prevent this from happening; there's no simple redirect solution that will work without producing an infinite loop if you keep the same URL-paths.
Since you'll have to do that, I suggest the following comprehensive solution:
Assume that you do not have a physical directory named "Products" (this path element is arbitrary, but needs to be unique).
Change all on-page URLs from this format:
http://www.mysite.com/script.php?order=http://www.clickb_k.net/sell.cgi?vendorID/2/Product/product2.zip
to this format:
http://www.mysite.com/Products/product2
Then create an internal rewrite
RewriteRule ^Products/product([0-9]+)$ /script.php?order=http://www.clickb_k.net/sell.cgi\?vendorID/$1/Product/product$1.zip [L]
This will prevent the problem you are having, and completely hide the name of your script and all associated parameters (including your vendor ID) from the user. The *only* data he sees will be the "Products/product" path and the single instance of the product number.
Now, to prevent direct-access hacking to your actual script, add:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /script\.php\?order=http://www\.clickb_k\.net/sell\.cgi\?vendorID/[0-9]+/Product/product([0-9]+)\.zip
RewriteRule ^script\.php$ http://www.mysite.com/Products/product%1? [R=301,L]
You can use a multi-file search-and-replace tool to edit the URLs on all of your pages if they are static. If your pages are dynamic, either change the URLs in the database or use php preg_replace to modify the links on the pages as needed. Your site's security will be much better...
Once you have this working, I'd suggest you ask for a new vendor ID, since you have published yours, and the bad guys may still be able to cheat you by going straight to clickb_k using your ID.
Obviously, the above may need some tweaking to work with your real URLs, but I hope it illustrates the method.
Jim
[edited by: jdMorgan at 6:29 am (utc) on Aug. 9, 2005]
product([0-9]+
will not work because that was just a rewritten example of a product name. In reality my products, of which there are about 300, are all uniquely named. So one product might be called blue-widget.zip and the next will be pink-porcelain.zip and so on...
Any idea how this would factor in? Sorry, I should have been more specific with that point. I just didn't think it would be that involved.
Thank you very much for sharing your knowledge!
Small changes, though, to handle variable product names:
RewriteRule ^Products/([a-z\-]+([0-9]+))$ /script.php?order=http://www.clickb_k.net/sell.cgi\?vendorID/$2/Product/$1.zip [NC,L]
#
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /script\.php\?order=http://www\.clickb_k\.net/sell\.cgi\?vendorID/[0-9]+/Product/([a-z\-]+[0-9]+)\.zip [NC]
RewriteRule ^script\.php$ http://www.mysite.com/Products/%1? [NC,R=301,L]
Oh, and beware of line-wrapping. The RewriteRules and RewriteConds are all one line each, and won't work if copied while wrapped to more than one line.
Jim
The product names will be like:
blue-widget.zip
red-velvet.zip
letters and hyphens only, maybe sometimes numbers but very seldom and that could be manually changed easily enough.
The way the script actually works though is that it goes off of clickb_k. I set up a category at a set price, say #1 is $20. Then any item that I sell for $20 I can put in /1/Product/whatever.zip.
Then cat #2 might be $35 so though I have many items selling for $35 my script url will be /2/Product/something-else.zip
And, that's how it's setup to work. What you said about the number thing threw me so I'm not positive that I was being clear enough, but hopefully so. Does all you've said so far still stand?
Thanks again! This is so enlightening.
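Jim's second rule set still needs a digit at the end of the product name to recover the category; with the structure described in the last post (category number = price tier, names made of letters and hyphens only), the tier has to come from the seller's own product list, not from anything in the URL. The following is an added example, not code from this thread: a Python generator that emits one internal RewriteRule per catalogued product plus the same THE_REQUEST guard, and models which direct requests that guard bounces back to the clean URL. The catalogue entries, the vendorID value and the clickb_k and mysite hosts are constructed placeholders.

```python
import re

# Constructed sample catalog: product file name -> price category number.
# The category comes from the seller's own records, never from the request.
CATALOG = {"blue-widget": 1, "red-velvet": 2, "pink-porcelain": 2, "letter-opener": 5}

# Placeholders standing in for the real vendor ID and hosts (hypothetical).
VENDOR_ID = "vendorID"
SELL_CGI = "http://www.clickb_k.net/sell.cgi"
SITE = "http://www.mysite.com"
NAME_RE = re.compile(r"[a-z][a-z-]*")

def order_url(product):
    """Back-end order URL for a catalogued product; the category is taken from CATALOG."""
    if not NAME_RE.fullmatch(product) or product not in CATALOG:
        raise KeyError("unknown product: %s" % product)
    return "%s?%s/%d/Product/%s.zip" % (SELL_CGI, VENDOR_ID, CATALOG[product], product)

# Guard pattern for THE_REQUEST: a direct hit on script.php with ANY category
# number is caught; only the product name is captured and reused.
GUARD_RE = re.compile(
    r"^[A-Z]{3,9} /script\.php\?order=%s\?%s/[0-9]+/Product/([a-z-]+)\.zip"
    % (re.escape(SELL_CGI), re.escape(VENDOR_ID)), re.IGNORECASE)

def htaccess_rules():
    """Emit the .htaccess fragment: one internal rewrite per product plus the guard."""
    lines = ["RewriteEngine On"]
    for name in sorted(CATALOG):
        # A literal '?' inside the substitution's query string must be written \?
        lines.append("RewriteRule ^Products/%s$ /script.php?order=%s [L]"
                     % (name, order_url(name).replace("?", r"\?")))
    # Apache needs the space in the pattern escaped; %{THE_REQUEST} is the raw request line.
    lines.append("RewriteCond %%{THE_REQUEST} %s [NC]"
                 % GUARD_RE.pattern.replace(" ", r"\ "))
    lines.append("RewriteRule ^script\\.php$ %s/Products/%%1? [NC,R=301,L]" % SITE)
    return "\n".join(lines)

def direct_access_target(request_line):
    """Model the guard: where does Apache send a direct script.php request, if anywhere?"""
    m = GUARD_RE.match(request_line)
    return "%s/Products/%s" % (SITE, m.group(1).lower()) if m else None
```

A request that goes straight to script.php with a tampered category number is redirected to /Products/<name>, and that path is then rewritten internally with the category the catalogue holds for it.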