Reputation: 3072
Below is a JavaScript snippet that I am using as part of an AJAX script. How do I prevent user_back_end_friends.php from being accessed directly? I don't want people to be able to go to domain.com/user_back_end_friends.php and see a list of friends.
Javascript Code:
<script type="text/javascript">
$(document).ready(function() {
    $("#user_friends").tokenInput("/user_back_end_friends.php", {
        theme: "sometheme",
        userid: "<?php echo $id; ?>"
    });
});
</script>
This is what I found but not sure how to implement it with the javascript code above:
I use this in the page I need to call it in:
$included=1;include("user_back_end_friends.php");
When I have to prevent direct access I use:
if(!$included){ die("Error"); }
But how do I add this $included part of the script in my javascript code?
Upvotes: 3
Views: 2161
Reputation: 50570
I have done the following. Note that this is NOT the most secure; as other answers have mentioned, you can't completely block access to this script (a link to an easy bypass is provided), but for my simple purposes this worked very well:
define('_REFERURL', 'http://www.example.com'); // This is the full URL of your domain that will be calling your PHP script(s)
Then create a function that checks the referring URL (which should be from your domain)
function allow_user()
{
    // HTTP_REFERER is absent when the browser sends no Referer header,
    // so test for it before comparing to avoid an undefined-index notice.
    if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == _REFERURL)
    {
        return true;
    }
    else
    {
        return false;
    }
}
Use:
if (allow_user())
{
// Do things
}
else
{
// Alert, direct access attempted
}
Easy bypass: http://www.datatrendsoftware.com/spoof.html
Upvotes: 0
Reputation: 12332
You cannot completely block access to this script by the very nature of the web.
You can check referrer information, do input validation, or create a session variable on the parent page that is checked on the child page.
Upvotes: 0
Reputation: 91744
There is no point in protecting javascript code, you need to protect only the server-side code.
Anyway, I think your approach is not the right one; if you already have a logged-in user / a user ID, I would just use the user ID from the session instead of a user ID that is supplied by the javascript. That way there is no way anybody can tamper with it.
So you could start your page with:
session_start();
// The user ID comes from the server-side session, never from the request.
if (isset($_SESSION['user_id']))
{
    // do stuff with $_SESSION['user_id']
}
else
{
    // display error message?
}
Upvotes: 11
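Putting the two answers above together: the referrer check can be spoofed by any client, so the only thing that actually decides whose friends come back must be the session. The following is an added example of what user_back_end_friends.php could look like; it is not code from the question or from any of the answers. It assumes the login page already called session_start() and set $_SESSION['user_id'], that friendships live in a `friends` table (user_id, friend_id) joined to `users` (id, name), that a hypothetical get_pdo() returns a PDO connection, and that jQuery Tokeninput sends the typed text as the `q` parameter and expects a JSON array of {"id", "name"} objects.

```php
<?php
// user_back_end_friends.php (added example, not the original poster's code)
//
// Assumptions, none of them from the original post:
//  - the login page did session_start() and set $_SESSION['user_id'];
//  - tables `friends` (user_id, friend_id) and `users` (id, name) exist;
//  - get_pdo() is a hypothetical helper that returns a PDO instance;
//  - Tokeninput sends the search text as ?q=... and wants [{"id","name"}].

declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// 1. Authentication: identity comes from the server-side session only.
//    The `userid` option the JavaScript passes is deliberately ignored; a
//    client can set it to any value, so it must never pick whose friends
//    are returned. A visitor with no session gets nothing, whether they
//    arrived via the AJAX call or by typing the URL into the address bar.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}
$userId = (int) $_SESSION['user_id'];

// 2. Defence in depth, not a boundary: jQuery adds this header to its
//    same-origin XHR requests, so a plain browser navigation to the file
//    fails here. curl -H "X-Requested-With: XMLHttpRequest" passes it, just
//    as a forged Referer passes the referrer check in the other answer.
if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// 3. Input validation on the search term: bound its length and neutralise
//    LIKE wildcards so a user cannot turn "%" into "list everyone".
$q = trim((string) ($_GET['q'] ?? ''));
if ($q === '' || mb_strlen($q) > 50) {
    echo json_encode([]);
    exit;
}
$pattern = strtr($q, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';

// 4. Authorisation is in the query itself: rows are filtered by the
//    session's user ID, and the search text is bound, never concatenated.
$pdo  = get_pdo(); // hypothetical helper (assumption)
$stmt = $pdo->prepare(
    'SELECT u.id, u.name
       FROM friends f
       JOIN users u ON u.id = f.friend_id
      WHERE f.user_id = :uid AND u.name LIKE :pattern
      LIMIT 20'
);
$stmt->execute([':uid' => $userId, ':pattern' => $pattern]);

echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

With this in place the `$included` flag from the question is not needed: that flag only works for a file that PHP includes from another script, whereas an AJAX endpoint is requested directly by the browser, so an include guard would block the legitimate AJAX call as well. The session check does the job the guard was meant to do, and the `userid` value in the JavaScript can be dropped entirely.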