Redirecting web file to local file?

Post by MachineCode »

My app reads a file from a website with a URL like "www.example.com/data.php" to get some data. This data is not intended to be stored on the user's local hard disk, but generated in the PHP file on-the-fly. But if they edited their Windows HOSTS file, could they make my app somehow redirect the "www.example.com" address to their own PC somehow, to a local version of the PHP file with static settings?
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!

Re: Redirecting web file to local file?

Post by jerico2day »

Yes. There's no way to circumvent this type of behavior. If it's on the client side, they can really do whatever they want to your program.

Re: Redirecting web file to local file?

Post by Lush »

You could pass some variables to the php script and use them to perform a check (whatever calculations you want to make) and return the result.

You would do the same calculations in your PB app with the same values and compare the two results.

If they're different, tell the user there's a problem with the server.

Re: Redirecting web file to local file?

Post by MachineCode »

As an example, let's use the web address "http://www.purebasic.com/news.php" for a moment. Can someone make my app load a local file off their hard drive, instead of downloading the content of that address, if my app uses this code?

Code:

url$="http://www.purebasic.com/news.php" ; Assume this string is encrypted.
ReceiveHTTPFile(url$,"c:\news.php")

So, what I mean is, can they trick my app into making "c:\news.php" just be a copy of another local file on the hard drive, and NOT the actual URL contents at all? So that my app only THINKS it downloaded the php file, but in reality it was just created as a copy of a local file?

Re: Redirecting web file to local file?

Post by Lush »

The "easy" way to achieve this would be to

1) redirect "http://www.purebasic.com" to 127.0.0.1 in Windows's HOSTS file
2) set up a web server with php (such as easyphp or wampserver)
3) have a local news.php file (plain text, no code necessary) to be served to your app

Depending on the kind of app you're building, and if the users have enough motivation to try and trick your app, you should definitely add some kind of check when you get the php file contents.

With your example, even a simple "http://www.purebasic.com/news.php?a=5&b=6" that would return the result of 5 x 6 with the news feed would be enough to defeat the local file trick (provided you change a and b values on every call).
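
Added example, not part of Lush's post or of the thread: the check described above written in Python and generalized, with a random nonce in place of a and b and an HMAC over nonce plus data in place of the multiplication. The shared key, the payloads and all function names are assumptions; server_response stands in for the PHP script.

```python
import hashlib
import hmac
import secrets

# Assumption: a key known to both the app and the server script (constructed value).
SHARED_KEY = b"constructed-demo-key-not-from-the-thread"


def server_response(nonce: bytes, key: bytes = SHARED_KEY) -> dict:
    """Stand-in for the PHP script: build the data on the fly and tag it."""
    data = b"news item generated for this request"  # constructed payload
    tag = hmac.new(key, nonce + data, hashlib.sha256).hexdigest()
    return {"data": data, "tag": tag}


def client_accepts(nonce: bytes, response: dict, key: bytes = SHARED_KEY) -> bool:
    """App side: recompute the tag over its own nonce and the received data."""
    expected = hmac.new(key, nonce + response["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response.get("tag", ""))


def fetch(responder) -> bool:
    """One request: fresh 16-byte challenge, then verify whatever came back."""
    nonce = secrets.token_bytes(16)
    return client_accepts(nonce, responder(nonce))


# A static file never sees the new nonce; it can only return an old answer.
_captured = server_response(secrets.token_bytes(16))


def static_local_file(_nonce: bytes) -> dict:
    """Same bytes on every call, like a plain-text news.php served locally."""
    return _captured


def tampered_data(nonce: bytes) -> dict:
    """Valid tag for this nonce, but the payload was changed afterwards."""
    resp = server_response(nonce)
    resp["data"] = b"static settings chosen by the user"
    return resp


if __name__ == "__main__":
    print("genuine server :", fetch(server_response))
    print("replayed file  :", fetch(static_local_file))
    print("edited payload :", fetch(tampered_data))
```

Because the tag covers the data as well as the nonce, a correct answer cannot be attached to different content. The key still ships inside the client, so the check is only as strong as the effort needed to extract it from the executable.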

Re: Redirecting web file to local file?

Post by MachineCode »

Thanks Lush, for the detailed explanation.

Re: Redirecting web file to local file?

Post by Nituvious »

There are a few things you can do that will try to circumvent this kind of behavior.

Here are a few ideas:
1) Do a CRC check on the executable to check for any edits (this is still easily bypassed, though)
2) Compress / Encrypt the website address and sent/received data
3) Relay through sockets instead of downloading anything.

The third option will probably be unavailable to you because most web hosts don't allow the use of PHP sockets.

Re: Redirecting web file to local file?

Post by jerico2day »

I just want to point out that these are great ideas, but a determined hacker can reverse engineer your program and either remove the checks or add the checks to their own php script.

But it will stop hackers for the most part unless someone takes a personal interest in your program.