MahiloDai

Reputation: 63

How to prevent direct access to php pages through URL

I have index.php that includes pages like this:

<?php

define('MyConst', TRUE);

include_once('template/header.php');

if (!empty($_GET['action'])) {  
    $action = $_GET['action'];   
    $action = basename($action);   
    include("template/$action.php");   
} else { 
    include("template/main.php"); 
} 

include_once('template/footer.php'); 

?>

Within the template directory I have main.php, which has links to other pages like page1.php and page2.php.

<a href="?action=page1">Goto page 1</a>
<a href="?action=page2">Goto page 2</a>

How could I prevent users from accessing pages by directly typing "http://mydomain.com/?action=page1" in the URL? And redirect them to main.php if they have done it?

Upvotes: 0

Views: 5381

Answers (6)

Extrange planet

Reputation: 278

You can redirect to your domain home if 'HTTP_REFERER' does not include your server:

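<?php
    // Avoid direct URL access
    // The Referer header is optional; treat a missing one as empty
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if (strpos($referer, 'yourdomain.com') !== FALSE) {
        // Your code
    } else {
        // No matching referer: send the browser to the home page
        echo '<meta http-equiv="Refresh" content="0; url=https://yourdomain.com" />';
        die();
    }
?>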

Upvotes: 0

Gags

Reputation: 3829

As per your Question:

There are two approaches that you can follow:

  1. Use HTTP_REFERER and check on the desired page if the user is coming from the page you wanted. If he is accessing the direct URL then show him an error page.
  2. Use $_SESSION, but this approach can be harmful as the SESSION will always be there until the browser / instance is closed.

So better to go for the 1st approach. And also, as per PeeHaa, you cannot check if the URL is typed.

Upvotes: 0

Anggie Aziz

Reputation: 133

Maybe you can try this. In your index.php:

session_start();
if(! isset($_GET['action']))
{
   $_SESSION['pageAccess'] = true; # Set the key whatever you want
}

Then, under that script (we need session_start() used twice):

if(isset($_GET['action']))
{
  if(! isset($_SESSION['pageAccess']) || ! $_SESSION['pageAccess'])
     exit('There is no direct access allowed.');
}

Hope this helps, have a nice day.

Upvotes: 0

Abrixas2

Reputation: 3295

If I understand correctly, the thing you want is to prevent the user from accessing http://example.org/?action=page1 unless they came from http://example.org/?action=main. To do that, you must be able to detect whether they came from http://example.org/?action=main. The safest way to do that is to generate some random value that you associate with the users when they access http://example.org/?action=main and to check whether there is a correct value associated with the users when they want to access http://example.org/?action=page1. If not, they tried to access that page directly.

Upvotes: 1
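
The random-value check described in the answer above, as an added example (not code from the thread or from any answerer): a reworked index.php that issues a single-use token whenever the main page is shown and requires it on every ?action= request. The nav_token name, the $allowed list, the single-use behaviour and the index.php redirect target are assumptions of this example.

```php
<?php
// Added example, not code from the original thread.
// Assumed names: nav_token (session key and query parameter), $allowed.
session_start();

// Issue a fresh unguessable value and bind it to this visitor's session.
function issue_nav_token(): string
{
    $_SESSION['nav_token'] = bin2hex(random_bytes(32));
    return $_SESSION['nav_token'];
}

// Accept a request only if it carries the value last issued to this session.
// The stored value is removed first, so each issued token works once.
function consume_nav_token($supplied): bool
{
    $expected = $_SESSION['nav_token'] ?? null;
    unset($_SESSION['nav_token']);
    return is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied);
}

$allowed = ['page1', 'page2'];   // templates reachable from main.php
$action  = $_GET['action'] ?? '';

if ($action !== '') {
    // Unknown action, or no valid token (typed or bookmarked URL):
    // send the browser back to the main page.
    if (!in_array($action, $allowed, true)
        || !consume_nav_token($_GET['nav_token'] ?? null)) {
        header('Location: index.php');   // assumed front-controller path
        exit;
    }
    $template = "template/$action.php";
} else {
    $template = 'template/main.php';
    $token = issue_nav_token();  // main.php appends this to its links
}

include_once 'template/header.php';
include $template;
include_once 'template/footer.php';

// template/main.php builds each link as:
//   '?action=page1&nav_token=' . urlencode($token)
```

A link copied from the main page still works once in the same session, so this constrains navigation order and is not a substitute for an authorization check on the pages themselves.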

PeeHaa

Reputation: 72642

You cannot. What you want is simply not possible.

For the server side there is no way to know whether a URL is typed or clicked.

Upvotes: 1

Marcin Orlowski

Reputation: 75619

Check for HTTP_REFERER and if it is not pointing to the right values (like your menu page) then redirect the user.

Upvotes: 0
