This question already has answers here:
Short way to link to http from https (and vice versa) using relative links
(6 answers)
Closed 5 years ago.
I want to use the full URL for the location of my css, js, and image files in my header.php file. So that when the header.php file is called from another folder directory, it doesn't break the link.
However, I want the site to be accessible by http and https, set by the user in their profile settings in the web application.
I started to write some code below of the solution but I'm not sure if this is the correct way of handling this.
config.php
<?php
// use https
$use_https = true;
?>
header.php
<?php
if ($use_https == true) {
$proto = "https://";
} else {
$proto = "http://";
}
?>
Link
The easiest way is to just do:
Link
Or since it's on your own server, just:
Link
Make sure to include the initial slash, so that it is relative to the root of your site, and not to the current page (this will prevent the link from breaking).
That being said, if your site works with https, you are probably better off just always using https, since you don't really have performance concerns anymore.
Related
We have a website whose home page is http://bigbird.comp.nus.edu.sg/pmwiki/farm/appl/index.php As you see, it is based on pmwiki.
We find CSS, JS and other resources are loaded over http. That is because links generated by pmwiki's php files are prepended with http://. We want to remove the prepended http://. Links will become like:
<script src="//example.com/script.js"></script>
Which pmwiki's php files should we modify?
Steve finds the right link. Just need to find all urls in /local/config.php and modify them as follows:
if ($_SERVER["HTTPS"] == 'on') {
$FarmPubDirUrl = 'https://www.example.com/~someuser/pmwiki/pub';
} else {
$FarmPubDirUrl = 'http://www.example.com/~someuser/pmwiki/pub';
}
No need to modify the http:// links in your webpages. I have not done further research. I guess the code means: if the page is requested via https, the related url become https links.
More detailed explanations are welcome.
According to PmWiki.PathVariables and WikiFarms, the $FarmPubDirUrl and the related $FarmD variables are the ways PmWiki refers to static content.
I have been learning php recently and i found this strange statement that i tried to figure out but did not understand it well.
This is the URI that i found
<?php
$datei = file("http://www.abc.de/cms/index.php/pps.html");
foreach($datei AS $stellenangebote)
{
echo $stellenangebote;
}
?>
Now the question that i am trying to understand is that how come it reach the .html page while it has .php before it ?
And if this is a technique then What is it's name ? And why would i use such style ?
This is an Apache thing called PathInfo. It's activated if you have set AcceptPathInfo, which it usually is by default. You can then access the part after the file name through $_SERVER['PATH_INFO'].
There's more information available in the answers to "What exactly is PATH_INFO in PHP?"
This technique is used to create a single entry point to the application.
This allows you to control the flow of you application - all requests are processed by index.php, so you have one place to load classes, initialize objects etc.
Most modern php based sites will use this technique (it is central to the MVC paradigm used in the vast majority of modern web frameworks), though many hide the actual index.php file in the ur using Apache mod_rewrite or similar for other webservers.
As mentioned by fiskfisk, this can be achieved by accessing the request path. A simple example used to load files from a non web accessible location for authorized users:
<?php
$path = $_SERVER['PATH_INFO'];
//if user is authorized, include file from OUTSIDE of webroot
if(isset($_SESSION['auth']) && ($_SESSION['auth'] > 3)){
include '../' . $path;
}else{
die('you are not authorized to see this file');
}
As to the official name for this technique, i am not sure, but google "php single entry point" or "php route through index" should help.
This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 8 years ago.
Suppose, I am building website. I want the user to be able to access the index.php file only. I also have other files like www.mydomain.com/aboutus.php files and user can access them if he types this in his address bar. I want the user to be able to access www.mydomain.com only.
How are such security features built?
If I understand correctly that you want to allow them to only be able to access your index/root document (www.mydomain.com/index.php etc.) and not be able to type in: www.mydomain.com/aboutus.php it is fairly simple using the HTTP referrer to make sure that the page they came from was the right one:
Important note (edit): The $_SERVER type variables are susceptible to forgery by the client from something like cURL or even telnet and can be the basis for CSRF type attacks, so this is by no means a secure implementation vs. something like session tokenization.
aboutus.php at the very top:
<?php
// Put the url they came from
$ref = $_SERVER['HTTP_REFERER'];
if($ref !== 'http://mydomain.com/index.php') {
die("Must come here from index");
// uncomment below to redirect them automatically
// header('location: index.php');
}
// Otherwise they came from index so show the page.
echo "Displaying about page:";
echo $content;
?>
This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 9 years ago.
I am building a web app and I use am using a lot of include files to build most of my pages.
For example:
The page profile.php includes about.php, timeline.php, photos.php
Now, I want to send a user to my 404 page if they try to go to one of my include files directly. How can I do this?
Going to localhost/timeline.php should redirect the user to the 404.
My thought was to write an IF Statement in those include files that checks to see if the file is being opened directly, is that even possible?
Fast and dirty:
Define a constant inside of profile.php, and check if it exists inside of the included files:
if (!defined("SOME_CONSTANT")) {
//Redirect or send a 404 header
}
Slower but better
Get your files which have no meaning as a standalone file in a web context out of the web root (usually a www or htdocs folder).
You can use a simple if statement
if(!defined("SECURE")) {
header("HTTP/1.0 404 Not Found", true, 404);
include("404_Not_Found.html"); //include the 404 page
exit;
}
Making sure that on your included pages, you define the secure constant.
Define a constant in your front controller and check if it is set in the other files.
In your front controller at the top:
define("IN_APP");
Then in your other pages before any processing:
if(defined("IN_APP")) { die(header('HTTP/1.0 404 Not Found', true, 404)); }
A better option however is to put your other files in a subdirectory and deny access to it with a .htaccess file containing, the following code.
Order deny,allow
deny from all
This will still allow php to include the files, but will block anyone from accessing them from the web.
I have a website that was written assuming http:// is one and only protocol forever. Now i bought a SSL certificate but when i visit site calling it with https:// i get info in browsers that part of site is insecure. As i found i have some JS, CSS and images and files that i refer to using http:// in the HTML of the site.
So what is best practice to enable full https? Should i change my website in every place when i refer to image, CSS or JS, check if site was loaded with http or https and load the resource with according protocol? It seems like a lot of work for me and bit error prone. Is there any other way, easier to make the whole site fully secure?
Rather than linking to your css, js, and images with http://yoursite.com/css/file.css just use relative paths such as /images/image.jpg and /css/file.css this way it will work with both http and https, also if you change domains or copy your content to another domain, you shouldn't have to change all those links either.
Use relative paths. If you are pointing to something that is on the same site as yours, then you should not be using http://
If for some reason you still need to have http:// then just switch them all to https://. An http:// will never complain because it is pointing to https:// stuff, but an https:// page will complain if it is pointing to non-https stuff.
If you are pointing to content outside of your control, on another site for example, then you need to hope that you can get at that content via https instead. If you can't, then you're hosed and you either need to live with the error, get the content from somewhere else, or proxy the content through your own https connection.
To complement #drew010 's answer, you could use other domains and still refer to the current protocol with //, something like:
<img src="/pics/home.png" />
<img src="//my-cdn.com/pics/info.png" />
The latter example will point to https://.. from https://your-site.com and http://... from http://your-site.com.
the best practice would be either using relative path rather than absolute but sometimes absolute is a better option so you can do the following :
as I can imagine you have a file called config.php or common.php (a file that stores your common used vars and you include it in every page), so put this code there :
function selfURL() {
$s = empty($_SERVER["HTTPS"]) ? ''
: ($_SERVER["HTTPS"] == "on") ? "s" : "";
$protocol = strleft(strtolower($_SERVER["SERVER_PROTOCOL"]), "/").$s;
$port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":".$_SERVER["SERVER_PORT"]);
return $protocol."://".$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];
}
function strleft($s1, $s2) {
return substr($s1, 0, strpos($s1, $s2));
}
and then you can assign a var called $http to get the value of the function like :
$http = selfURL();
and then whenever you want to include anything like images, css, etc do something like :
<img src="<?=$http?>images/sample.png" />
this method is reliable as it works in any situation.