Avoid users from opening a php page by directly entering parameters

Question

I have a php file which takes in a path and file name and opens a page. Users are able to enter the path and file name directly in the url rather than navigating through the main menu page. Users also are able to change parameters in the url and view other text files which he is not supposed to view. I need to prevent users from changing the url and entering the page directly.

Can anyone help me with a way to avoid users from entering the page directly changing the parameters the url.

Answer 1

1. You can use the $_SERVER['HTTP_REFERER'] server variable which referred the user agent of the current page. This is to check whether the user navigate from your website or directly hit the URL.

2. You can't control the users to change the request parameters.

Hope this will help you.

Answer 2

You can encode the parameters of the url.
Instead of having var1=a&var2=b, you can have something like var=thhr6tghfdgfe56
Your users wont be able to guess the encoded format and they will be forced to use your page/menu.
Keep track of which user id tries to access an illegal encoded url - block him after X tries.

Answer 3

You can't control what resources users request.

Solve the real problem instead:

Users also are able to change parameters in the url and view other text files which he is not supposed to view

• Authenticate the user so you know who they are
• Authorise the user so you know if they are allowed to view the file they are asking for
• Give them an error message if they are not