Stop Direct Access To A Php Page?


kensbeijing

Hi, how do I prevent people directly linking to specific php pages? Like in Joomla they use

defined('_JEXEC') or die('Restricted access');

How does this work and is this secure? Also, how do I prevent people from posting indirectly? On the form action PHP page, how do I make sure the post is coming from a specific URL or something?


First problem:

if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    // redirect somewhere else
}

Second

// HTTP_REFERER is simply absent when the client sends no Referer header,
// so test for it before comparing
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != 'http://www.example.com/example.php') {
    // redirect somewhere else
}

Note that this is minimum security that depends on a user's knowledge of http protocols. Anything can be faked, and anyone determined to get that page will do so. But that's a small number of people, even smaller if you're not hiding anything valuable. If you have major security issues, then you need to look at password/login methods.
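As an added example (not code posted in this thread), here is a form handler that keeps the two checks above, the request method and the Referer, and adds the check a practitioner would actually rely on: a per-session CSRF token. The Referer header is supplied by the client, so curl or any script can send exactly the value the comparison expects, whereas the token only exists in the session of a browser that loaded the form. The file names /form.php and /submit.php and the host www.example.com are assumptions for the illustration.

```php
<?php
// Added example, not code from the thread. It keeps the two checks from the
// post above (request method and Referer) and adds a per-session CSRF token,
// because the Referer header is set by the client and can be forged freely.
// Assumed layout: /form.php renders the form, /submit.php runs this file.
declare(strict_types=1);

session_start();

// form.php calls this and embeds the value in a hidden input named csrf_token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns null when the request is acceptable, otherwise the reason to reject it.
function reject_reason(array $server, array $post, ?string $expectedToken): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'not a POST';
    }

    // Weak check from the thread, kept for comparison. Browsers may also
    // legitimately omit the header (Referrer-Policy, privacy settings), so a
    // strict test rejects some real users while stopping no determined attacker.
    $referer = $server['HTTP_REFERER'] ?? '';
    if (parse_url($referer, PHP_URL_HOST) !== 'www.example.com') {
        return 'missing or foreign Referer';
    }

    // Strong check: only a browser that loaded form.php in this session holds
    // the token. hash_equals() compares in constant time; the is_string() guard
    // stops a posted csrf_token[]=x array from raising a TypeError.
    $sent = $post['csrf_token'] ?? '';
    if ($expectedToken === null || !is_string($sent) || $sent === ''
        || !hash_equals($expectedToken, $sent)) {
        return 'missing or wrong CSRF token';
    }
    return null;
}

$reason = reject_reason($_SERVER, $_POST, $_SESSION['csrf_token'] ?? null);
if ($reason !== null) {
    error_log('submit.php rejected request: ' . $reason);
    header('Location: /form.php');   // "redirect somewhere else", as in the snippets above
    exit;
}

echo "accepted\n";
```

Run from the command line, $_SERVER['REQUEST_METHOD'] is unset, so reject_reason() returns 'not a POST' and the script exits, which is the same path a bare GET to /submit.php takes. The Referer test is left in only to show where it sits; the token test is the one that decides.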


Joomla uses a defined constant to indicate that you're not allowed to run an included file by itself. If you have a page with something like this in it:

<?php
defined('SEC_CHECK') or die('not allowed');
echo 'welcome';
?>

If you run that in a browser you'll see the error. If you set up a page that defines that constant and then includes the page, then it will run fine:

<?php
define('SEC_CHECK', true);
include 'page2.php';
?>

So checking for a defined constant stops people from directly running a script that should be included by another page.


Isn't saying "define('SEC_CHECK', true);" and "defined('SEC_CHECK');" the same as saying "$SEC_CHECK = true;" and "if(!isset($SEC_CHECK)){exit;}"? What if the page that says "define('SEC_CHECK', true);" is linked to? Then people can access the script, right? If you had the other page contain HTML content, or have it randomly add in line breaks, then it would make it harder for people to steal the output of the script you protected... I will have to look into constants.


In this case you could use either a constant or a variable. Most people use constants, probably out of habit from stuff like C.

What if the page that says "define('SEC_CHECK', true);" is linked to?
There is a massive difference between linking to a page and including it. There's also a massive difference between including a page on the same server and including a page on a different server. Run some tests and see what happens.
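An added example, not code from any poster in this thread, that runs the tests suggested above in one script: it shows the defined()-guard from the earlier post both failing (page2.php run directly, as a browser request would) and passing (page2.php included after the constant is defined), and it shows the one practical difference between the constant and the variable asked about. The temp-directory dance exists only so the demo runs as a single file from the command line; on a real site page2.php would simply sit beside the including page.

```php
<?php
// Added example, not the thread's own code: one script that shows both
// outcomes of the defined()-guard, plus the constant-vs-variable point.
// It writes the guarded file into a temp directory so the demo runs from
// the command line; on a real site page2.php would sit beside index.php.
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/guard_demo';
if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
    die("cannot create $dir\n");
}
$guarded = $dir . '/page2.php';

// The file that must only ever be included (same guard as the post above).
$page2 = <<<'PHP'
<?php
defined('SEC_CHECK') or die("not allowed\n");

// File scope of an included file shares the includer's variables...
echo 'file scope:     $SEC_CHECK set? ', var_export(isset($SEC_CHECK), true), "\n";

function render_welcome(): void
{
    // ...but a function body does not, while a constant is visible everywhere.
    echo 'function scope: $SEC_CHECK set? ', var_export(isset($SEC_CHECK), true), "\n";
    echo 'function scope: SEC_CHECK defined? ', var_export(defined('SEC_CHECK'), true), "\n";
    echo "welcome\n";
}
render_welcome();
PHP;
file_put_contents($guarded, $page2);

// 1. Run page2.php on its own, which is what a direct browser request does.
echo "--- direct run ---\n";
passthru(PHP_BINARY . ' ' . escapeshellarg($guarded));   // prints: not allowed

// 2. Define the constant first and include the file, as index.php would.
echo "--- included run ---\n";
define('SEC_CHECK', true);
$SEC_CHECK = true;   // the variable alternative asked about in the thread
include $guarded;
```

The included run prints that $SEC_CHECK is set at file scope but not inside render_welcome(), while SEC_CHECK is defined in both places; a constant is global, cannot be redefined, and needs no "global" declaration inside functions, which is why the guard is normally written with define(). One caveat on the guard itself: if page2.php lives under the document root, a direct request still reaches it and merely gets "not allowed" back. Keeping included files outside the document root, or denying them in the web server configuration, means such a request never reaches PHP at all.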