Reputation: 31
In my website I have
<script src="js.php"></script>
Question is very simple but I have no idea of the answer:
Within js.php, how can I check if the file has been called through a script src="..."?
The purpose is to change the returned HTML code of js.php depending on how this PHP script file is called (direct access or script src="...").
Upvotes: 3
Views: 1102
Reputation: 4990
Cool question. Let me help ya.
I'll provide here some not-100%-reliable methods that will work in standard, non-user-malicious cases.
For this solution you will be required to download mimeparser from here. It's your choice what kind of mimeparser you want to use; I found this one ad hoc for the purpose of this answer.
In theory, the browser sends headers that your script's response should match for proper browser-side parsing. I especially have the HTTP_ACCEPT header in mind.
Once you have downloaded mimeparser, let's start by creating the file test.php:
<?php // test.php
// https://code.google.com/p/mimeparse/
include_once('mimeparse.php');
// The Accept header is optional; treat a missing one as "anything".
$accept = isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : '*/*';
$mimeMatch = Mimeparse::best_match(array('text/javascript', 'text/css', 'text/html', 'application/xhtml+xml', 'application/xml', 'image/*'), $accept);
switch ($mimeMatch) {
    case 'text/javascript': // via <script src>
        echo('alert("this is loaded as script");');
        break;
    case 'image/*': // via <img src>
        header('Location: https://i.sstatic.net/sOq8x.jpg?s=128&g=1');
        break;
    case 'text/css': // via <link href>
        echo('body::before{content: "this is written via CSS"}');
        break;
    default:
        var_dump('detected standard file request by matching to ' . $mimeMatch);
        // if __FILE__ is first on the list, it's not included
        // (array_shift() needs a variable, so index the list instead)
        $included = get_included_files();
        if (__FILE__ !== $included[0]) {
            var_dump('file was included or required');
        } else {
            var_dump('file runs on its own');
        }
        // additional detection for AJAX requests
        if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
            var_dump('loaded via AJAX request');
        } else {
            var_dump('loaded via not-AJAX request');
        }
        break;
}
die();
You can visit it now to see that the script detects it's loaded directly:
string 'detected standard file request by matching to text/html' (length=55)
string 'file runs on its own' (length=20)
string 'loaded via not-AJAX request' (length=27)
To see what's happening with the script in some special cases, you can create an example index.php:
<html>
<head>
    <link rel="stylesheet" type="text/css" href="test.php"/>
</head>
<body>
    <script src="test.php"></script>
    <img src="test.php">
    <?php require('test.php'); ?>
</body>
</html>
By parsing some standard-behavior headers sent from the browser, we can loosely predict what the context of the page load was. It's not 100% reliable and not a very good practice, but great for writing rootkits ;) anyway.
Hopefully the rest is commented in the PHP code.
Tested with Apache serving and Chrome reading.
Upvotes: 2
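As an added example that is not part of the answer above: the same header-based detection without the external parser. It goes beyond the answer by first reading the `Sec-Fetch-Dest` request header, which current browsers set to the kind of element that triggered the load, and only falls back to the `Accept` matching the answer describes. The function name `request_destination` and the sample requests are made up for illustration.

```php
<?php
// Added example, not the answer's code. Both headers come from the client,
// so use the result to pick a response format, never to authorize access.
function request_destination(array $server): string
{
    // Fetch Metadata: current browsers send Sec-Fetch-Dest to HTTPS and
    // localhost origins: "script", "style", "image", "document", "empty", ...
    $dest = strtolower(trim($server['HTTP_SEC_FETCH_DEST'] ?? ''));
    if ($dest !== '') {
        return $dest;
    }
    // Fallback: pick the media type with the highest q-value in Accept.
    [$best, $bestQ] = ['', -1.0];
    foreach (explode(',', $server['HTTP_ACCEPT'] ?? '') as $part) {
        $params = explode(';', $part);
        $type = strtolower(trim(array_shift($params)));
        $q = 1.0; // q defaults to 1 when absent
        foreach ($params as $p) {
            if (preg_match('/^\s*q\s*=\s*([0-9.]+)\s*$/i', $p, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($type !== '' && $q > $bestQ) {
            $best = $type;
            $bestQ = $q;
        }
    }
    if ($best === 'text/html' || $best === 'application/xhtml+xml') {
        return 'document';
    }
    if ($best === 'text/css') {
        return 'style';
    }
    if (strpos($best, 'image/') === 0) {
        return 'image';
    }
    return 'unknown'; // "*/*" is sent for <script>, fetch() and curl alike
}

// Constructed sample requests, shaped like $_SERVER entries.
$samples = [
    'script tag'  => ['HTTP_SEC_FETCH_DEST' => 'script', 'HTTP_ACCEPT' => '*/*'],
    'address bar' => ['HTTP_SEC_FETCH_DEST' => 'document', 'HTTP_ACCEPT' => 'text/html,*/*;q=0.8'],
    'old <link>'  => ['HTTP_ACCEPT' => 'text/css,*/*;q=0.1'],
    'curl'        => ['HTTP_ACCEPT' => '*/*'],
];
foreach ($samples as $label => $server) {
    printf("%-12s => %s\n", $label, request_destination($server));
}
```

Without `Sec-Fetch-Dest`, a `<script src>` load cannot be told apart from any other client that sends `Accept: */*`, which is why the fallback reports `unknown` for it.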
Reputation: 3461
The way to do it would be to assign a session variable to true right before you call the js.php file:
<?php
session_start();
$_SESSION['src'] = true;
?>
<script src="js.php"></script>
Then in the PHP file:
<?php
session_start();
if (isset($_SESSION['src']) && $_SESSION['src'] == true) {
    // file was called from a src
    $_SESSION['src'] = false; // this is important so that it can't be called from direct access
}
Upvotes: 2