Gossamer Forum

Question for JPDeni?

Hi.. I would like to limit database entries to my website only.. I have a situation where people have captured my submission form and are posting data from their sites.. but it's screwing up my dates, ID key, etc... so I would like to have my script accept data from my site's form only..... What code is required and where should it be positioned? ...thanks.. Novice Rob

[This message has been edited by Novice (edited June 08, 1999).]


Re: Question for JPDeni?
I haven't come across this before, but there is some code from Matt Wright's FormMail script that might help.

First, you would need to add a line to your .cfg file that listed your domain --

Code:
# @referers allows forms to be located only on servers which are defined  #
# in this field. This is a security fix from the last version, which      #
# allowed anyone on any server to use your FormMail script on their site. #
# For DBMan, list the host(s) your submission form is served from.        #

@referers = ('www.server.com');

If you have more than one possibility, separate the possibilities with commas:

Code:
@referers = ('www.server.com','server.com');

In db.cgi, after the line that starts with

if ($@) { &cgierr ("Error loading required libraries.

add

&check_url;

Somewhere in db.cgi (anywhere, as long as it's not within another subroutine) add the following:

Code:
sub check_url {
# --------------------------------------------------------
# Adapted from the @referers check in Matt Wright's FormMail.
# Accept the request only if HTTP_REFERER names a host listed in
# @referers (set in the .cfg file); otherwise print a rejection page
# and exit. Call it before db.cgi prints its own Content-type header,
# because the rejection page prints one of its own.
#
# Caveat: HTTP_REFERER is supplied by the client and is easily forged
# or omitted; as in FormMail, a request with no Referer at all is
# accepted. This stops casual off-site forms, not a determined poster.

    my $check_referer = 0;
    my $host = '';

    if ($ENV{'HTTP_REFERER'}) {
        foreach my $referer (@referers) {
            # The listed name must be the whole host or the end of it
            # ('server.com' also accepts www.server.com) and must be
            # followed by a port, a path or the end of the URL, so a
            # host such as server.com.evil.net does not pass.
            if ($ENV{'HTTP_REFERER'} =~ m{^https?://(?:[^/:]*\.)?\Q$referer\E(?::\d+)?(?:[/?#]|$)}i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;    # no Referer header at all: allowed, as in FormMail
    }

    return if $check_referer;

    # Rejected. Build the message, escaping the referer before it goes
    # into HTML so a crafted Referer cannot inject markup into the page.
    my $referer_url = $ENV{'HTTP_REFERER'};
    $referer_url =~ s/([<>&"])/sprintf('&#%d;', ord($1))/ge;

    my $message;
    if ($ENV{'HTTP_REFERER'} =~ m{^https?://([\w.-]+)}i) {
        $host = $1;
        $message = qq|The form attempting to use DBMan resides at <tt>$referer_url</tt>,
which is not allowed to access this cgi script.<p>

If you are attempting to configure DBMan to run with this form, you need
to add <tt>'$host'</tt> to the <tt><b>\@referers</b></tt> array in your .cfg file.|;
    }
    else {
        $message = 'The site you came from is not allowed to access DBMan';
    }

    # The header must end with a blank line; without it the server treats
    # the whole output as a malformed header and returns a server error.
    print "Content-type: text/html\n\n";
    print qq|<html>
<head>
<title>Bad Referrer - Access Denied</title>
</head>
<body bgcolor=#FFFFFF text=#000000>
<center>
<table border=0 width=600 bgcolor=#9C9C9C>
<tr><th><font size=+2>Bad Referrer - Access Denied</font></th></tr>
</table>
<table border=0 width=600 bgcolor=#CFCFCF>
<tr><td>$message<hr size=1>
</td></tr>
</table>
</center>
</body>
</html>
|;
    exit;
}

I know this works in FormMail and I haven't made many changes to it, but I can't be sure it will work in DBMan. I did test it for syntax errors, but that's all I can promise.

Give it a shot!

------------------
JPD

Re: Question for JPDeni?
Hi JPDeni.. thanks for the quick response.. I followed as directed... keep getting a server error upon execution.. double-checked all the obvious.. thanks, Rob

Re: Question for JPDeni?
Hmmmmmm. The subroutine compiles just fine on my computer version of Perl.

Try taking out the subroutine. You should get a "fatal" cgi error that the subroutine doesn't exist. If so, it's a problem that I can't see with the subroutine. If not, it's a problem somewhere else.


------------------
JPD

Re: Question for JPDeni?
Hi again.. Took out the sub as directed.. got the fatal error.. then tried leaving the sub in and removed &check_url; .. no fatal error.. Perl seems to have a problem with &check_url;
thanks again... Rob

Re: Question for JPDeni?
Hmmmmmmmmmmmmmmmmmmm. That's really odd. But you've been doing some good debugging.

Maybe you need to move the

&check_url;

line.

Try it after

if ($db_benchmark) { $t0 = new Benchmark; }

If you still get the error, try using

&check_url();

although that shouldn't make a difference, one never knows!



------------------
JPD

Re: Question for JPDeni?
Hi JPDeni... relocated &check_url;, however when I run the script I get the following printout instead of displaying the form as it should. What do you think???.. Rob


Content-type: text/html
<html>
<head>
<title>Bad Referrer - Access Denied</title>
</head>
<body bgcolor=#FFFFFF text=#000000>
<center>
<table border=0 width=600 bgcolor=#9C9C9C>
<tr><th><font size=+2>Bad Referrer - Access Denied</font></th></tr>
</table>
<table border=0 width=600 bgcolor=#CFCFCF>
<tr><td>The form attempting to use DBMan resides at <tt>http://canadacentre.com/jobscan7/index.shtml</tt>,
which is not allowed to access this cgi script.<p>
If you are attempting to configure DBMan to run with this form, you need
to add the following to @referers, in your .cfg file.<p>
Add <tt>'canadacentre.com'</tt> to your <tt><b>@referers</b></tt> array.<hr size=1>
</td></tr>
</table>
</center>
</body>
</html>

Re: Question for JPDeni?
Hi there,

It looks as if the script has already printed the headers, but has sent text/plain instead of text/html. I think the only place that text/plain is called is in cgi_error. Weird, that. Maybe you put &check_url inside a subroutine by mistake. Where did you put it?

adam

Re: Question for JPDeni?
I think you should add 'canadacentre.com' to your @referers array.

Also, try taking out the html code from the error message.

This is all trial and error. Smile

------------------
JPD

Re: Question for JPDeni?
Hi again.... well, I have tried all the above suggestions... got the scripts to function without the server fatal error... however, the script doesn't seem to detect excluded URLs... maybe you could give it a try.. thanks
Rob


[This message has been edited by Novice (edited June 09, 1999).]

Re: Question for JPDeni?
I don't even know how to access the script from another referrer. I wouldn't know how to test it.



------------------
JPD
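A way to try the check without a second web server, since the CGI only ever sees the Referer as the HTTP_REFERER environment variable. This is an added example, not code from DBMan, FormMail or this thread; it assumes the .cfg lists canadacentre.com (the host from Rob's error page) and every Referer value in it is constructed. It runs FormMail's substring pattern, as posted above, next to an anchored one, so the cases that "don't seem to be detected" show up side by side. The last row is the reason neither pattern is a real barrier: anything other than a browser (for instance curl -e) can send whatever Referer it likes.

```perl
#!/usr/bin/perl
# Added example (not DBMan or FormMail code): exercise a referer check
# the way the web server would, by setting HTTP_REFERER in the
# environment, and compare FormMail's unanchored pattern with an
# anchored one against constructed Referer values.
use strict;
use warnings;

# Assumed .cfg value; the real one comes from the DBMan .cfg file.
my @referers = ('canadacentre.com');

# FormMail's pattern: the listed name may appear anywhere in the URL.
sub referer_ok_formmail {
    my ($referer_url) = @_;
    return 1 unless $referer_url;           # no Referer at all is accepted
    foreach my $referer (@referers) {
        return 1 if $referer_url =~ m{https?://([^/]*)$referer}i;
    }
    return 0;
}

# Anchored pattern: the listed name must be the whole host or its tail,
# followed by an optional port and then a path, query or end of string.
sub referer_ok_anchored {
    my ($referer_url) = @_;
    return 1 unless $referer_url;
    foreach my $referer (@referers) {
        return 1 if $referer_url =~ m{^https?://(?:[^/:]*\.)?\Q$referer\E(?::\d+)?(?:[/?#]|$)}i;
    }
    return 0;
}

# Constructed Referer values a tester would try. The last one is the
# case a browser user cannot produce but any script can: the Referer of
# the real form, sent from somewhere else. It passes both checks.
my @cases = (
    ['http://canadacentre.com/jobscan7/index.shtml',      'own form'],
    ['http://www.canadacentre.com/jobscan7/index.shtml',  'own form, www host'],
    ['http://example.net/captured-form.html',             'captured form on another site'],
    ['http://canadacentre.com.example.net/form.html',     'look-alike host'],
    ['http://example.net/?u=http://canadacentre.com/',    'listed name in the query string'],
    ['',                                                  'no Referer header'],
    ['http://canadacentre.com/jobscan7/index.shtml',      'forged Referer from a script'],
);

printf "%-48s %-32s %-9s %s\n", 'HTTP_REFERER', 'case', 'formmail', 'anchored';
foreach my $case (@cases) {
    my ($url, $label) = @$case;
    local $ENV{'HTTP_REFERER'} = $url;      # exactly what the CGI sub will see
    printf "%-48s %-32s %-9s %s\n", $url || '(none)', $label,
        referer_ok_formmail($ENV{'HTTP_REFERER'}) ? 'accept' : 'reject',
        referer_ok_anchored($ENV{'HTTP_REFERER'}) ? 'accept' : 'reject';
}
```

The look-alike host and the query-string rows are the ones the FormMail pattern lets through and the anchored pattern stops; the "no Referer" row is accepted by both on purpose, because some browsers and proxies strip the header, and the last row is accepted by both because the header is chosen by the client.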

Re: Question for JPDeni?
Good Morning... a rather simple solution to my off-site posting problem occurred to me this AM.. the captured forms that are being used have a hidden date field generated by the default.cfg at time of capture... if I had a small script placed in db.cgi that would compare the incoming form date to the current server date: if equal, then accept; if not equal, then reject... your assistance is truly appreciated... thanks Rob
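Rob's hidden-field idea taken one step further, as an added example that is not DBMan code and goes beyond what the thread proposes: a plain date is something any captured copy of the form can set to today, so the hidden field here carries the issue time together with an HMAC over it under a secret that only db.cgi knows. An off-site copy can reuse a token it already has until that token expires, but it cannot mint a new one or move the time forward. The secret, the 15-minute lifetime, the field name form_token and the sub names are all assumptions for the example; Digest::SHA is a core Perl module.

```perl
#!/usr/bin/perl
# Added example (not DBMan code): a signed, expiring hidden form field.
# The form carries "<issue time>:<HMAC>" and db.cgi checks both before
# adding a record. The key never leaves the server.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Assumed settings; in DBMan these would live in the .cfg file.
my $form_secret   = 'replace-with-a-long-random-secret';   # never sent to the browser
my $token_max_age = 15 * 60;                               # seconds a form stays valid

# Called when the "add" form is generated: the value goes into
# <input type=hidden name=form_token value=...>.
sub make_form_token {
    my ($now) = @_;
    $now = time unless defined $now;
    return "$now:" . hmac_sha256_hex($now, $form_secret);
}

# Constant-time comparison so the MAC cannot be guessed byte by byte.
sub tokens_match {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Called in db.cgi before a record is added. Returns '' when the token
# is good, otherwise the reason, which the caller can hand to &cgierr.
sub check_form_token {
    my ($token, $now) = @_;
    $now = time unless defined $now;
    return 'missing form token' unless defined $token;
    my ($issued, $mac) = $token =~ /^(\d+):([0-9a-f]{64})$/ or return 'malformed form token';
    return 'form token forged'  unless tokens_match($mac, hmac_sha256_hex($issued, $form_secret));
    return 'form token expired' if $now - $issued > $token_max_age;
    return 'form token from the future' if $issued > $now + 60;   # allow a little clock skew
    return '';
}

# Walk through the cases with a fixed clock so the output is reproducible.
my $t0    = 1_000_000_000;
my $token = make_form_token($t0);
print "token: $token\n";
foreach my $case (
    ['fresh submission',                           $token,                                        $t0 + 30],
    ['expired form',                               $token,                                        $t0 + $token_max_age + 1],
    ['time field edited, MAC left alone',          ($t0 + 86400) . ':' . (split /:/, $token)[1], $t0 + 30],
    ['token copied into a captured form, minutes later', $token,                                 $t0 + 5 * 60],
    ['no token at all',                            undef,                                         $t0],
) {
    my ($label, $tok, $now) = @$case;
    my $err = check_form_token($tok, $now);
    printf "%-52s %s\n", $label, $err eq '' ? 'accept' : "reject ($err)";
}
```

In DBMan the value from make_form_token would be written into the add form as a hidden input, and check_form_token called in db.cgi before the record is written, with its message passed to &cgierr. The fourth case is the remaining gap: a token copied out of a freshly captured form still works until it expires, so the lifetime should be no longer than the form takes to fill in.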

Re: Question for JPDeni?
Excellent solution!


------------------
JPD

Re: Question for JPDeni?
Hello, Novice. Well, I tested your script and I was able to "successfully" add the submission to your site. There was no error message. I temporarily placed a web page on my server using your web page and it worked.

You have raised some serious issues regarding security and maintaining integrity of the database. I appreciate you bringing this to our attention.

I do have one question..WHY are you using DBMAN for a directory of Internet resources??? LINKS 2.0 seems like a better program for what you are attempting to provide. LINKS 2.0 allows you to "verify" links before "publicly" submitting the "records" or "entries". Also, the LINKS 2.0 program allows more functions than DBMAN in terms of search options, extras (like Top Sites, Cool Sites, and What's New), and easier administration (through templates).

I would recommend switching programs.

------------------
Eliot Lee
Founder and Editor
Anthro TECH, L.L.C
http://www.anthrotech.com/
info@anthrotech.com
==========================
Coconino Community College
http://www.coco.cc.az.us/
Web Technology
Coordinator
elee@coco.cc.az.us