Add the referrer check below near the beginning of register.php, for example right after this existing block:
// Existing check quoted from register.php as the insertion point: when the
// 'allow_register' user-config entry is empty, redirect to index.php with the
// _US_NOREGISTER message and stop the script.
if (empty($xoopsConfigUser['allow_register'])) {
redirect_header('index.php', 6, _US_NOREGISTER);
exit();
}
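// Referrer allow-list for the registration page.
//
// NOTE: the Referer header is supplied by the client. It can be set to any
// value by whoever sends the request, and browsers, proxies and privacy tools
// often omit it. Treat this as a soft filter against casual deep-linking, not
// as access control; pair it with a server-issued form token and/or a CAPTCHA
// if the goal is to stop automated registrations.

// Hosts allowed to refer visitors here: host name only, lower-case, no scheme or path.
$allowed_domains = array('www.domain1.com', 'www.domain2.com');

// isset() avoids an "undefined index" notice when the header is absent.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if ($referer === '') {
    // No Referer header was sent with the request.
    redirect_header('index.php', 4, 'HTTP_REFERER not sent by browser');
    exit();
}

// parse_url() returns false for seriously malformed URLs and leaves out 'host'
// for relative ones, so both cases are checked before the key is read.
$ref_info = parse_url($referer);
$ref_host = (is_array($ref_info) && isset($ref_info['host'])) ? strtolower($ref_info['host']) : '';

// Host names are case-insensitive, hence the strtolower() above; the strict
// flag keeps in_array() from matching through loose type juggling.
if ($ref_host === '' || !in_array($ref_host, $allowed_domains, true)) {
    redirect_header('index.php', 4, 'Invalid HTTP_REFERER host');
    exit();
}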
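Many software firewalls will strip the HTTP_REFERER field from the page request, making this protection spotty at best. Because the header is set by the client, it can also be forged, so this check should not be relied on as the only safeguard. In addition, you'll probably want to change the error messages into something more user-friendly.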