I have a php file which takes in a path and file name and opens a page. Users are able to enter the path and file name directly in the url rather than navigating through the main menu page. Users also are able to change parameters in the url and view other text files which he is not supposed to view. I need to prevent users from changing the url and entering the page directly.
Can anyone help me with a way to avoid users from entering the page directly changing the parameters the url.
You can't control what resources users request.
Solve the real problem instead:
Users also are able to change parameters in the url and view other text files which he is not supposed to view
Authenticate the user so you know who they are
Authorise the user so you know if they are allowed to view the file they are asking for
Give them an error message if they are not
You can encode the parameters of the url.
Instead of having var1=a&var2=b, you can have something like var=thhr6tghfdgfe56
Your users wont be able to guess the encoded format and they will be forced to use your page/menu.
Keep track of which user id tries to access an illegal encoded url - block him after X tries.
You can use the $_SERVER['HTTP_REFERER'] server variable which
referred the user agent of the current page. This is to check
whether the user navigate from your website or directly hit the URL.
You can't control the users to change the request parameters.
Hope this will help you.
Related
Hello! I am trying to put together a landing page that will allow individuals to visit, enter an access code, and be redirected to a directory that corresponds to the access code. For example, access code is 12345, user is redirected to example.com/12345 upon submit. We will be using direct links for the most part, but in the event that someone hits a 404 or try to visit the root directory, we want to have an interface for returning to the project / an alternative way for people to access the page.
What might be the best way to redirect a user after they enter the access code in the form?
Thanks for your advice!
It's really hard to say what the 'best' solution would be as it's open to interpretation. Here's what I would do.
Instead of routing to a specific page, I would route them to a controller that includes the code and/or content from the user directory. This will allow you to secure any contents of the user directories through server configurations, and give you better programmatic control of what happens when something goes wrong.
The user key should be set to a session key but if you don't want to do that, you could set it to a POST or GET parameter just as easily.
if(array_key_exists("user",$_SESSION)){
include_once("/".$_SESSION['user'].".php");
//use the included file if it won't automatically run itself
}
else{
echo "error - missing user key";
}
I have an index.php page and a dashboard.php page. After entering credentials, user logs into the dashboard.php.
Now i want to display a QR code which can be used by the user to directly log into dashboard.php using his phone.
This can be achieved if I somehow encode the session values in the QR code. But is it possible to do so? I have only managed to store the url of the page to index.php
You need to use QRcode class to achieve what you want..
may be below links can help you out..
http://qrcodescript.com/
http://www.sitepoint.com/generate-qr-codes-in-php/
http://phpqrcode.sourceforge.net/
If you're showing the QR to a user that has logged in, you can use the session hash and encode it in the QR code you show to the user as a GET parameter (site.com/qrlogin.php?code=123456). The session data needs to be on the server (so no cookies, no local storage, etc...). This is used if you want the user to log in using the phone while he's also logged in from a computer. Pretty harmless.
However, if you want a more permanent solution, there is nothing you can do that won't pose a security threat (the app has no way of knowing who scanned the code).
I want to restrict direct access to my website by entering url directly in browser in php.
Actually i search many more, all are saying use .htaccess file
but i want to restrict only those user which are entering that url directly in browser
Example:
my website having directory "payment" which is used for payment process.
when any user does shopping then my website automatically will go to that directory for payment process but if any one enters that same url in browser i want to restrict that and redirect it to home page
please help me
Thanx
You have to use a variable to say your user has the right to enter a part of your website.
For example : $_SESSION['access_page']['payment'] = true;
Then, you check this variable when a user loads a page and redirect him if necessary (or 403).
I am developing an application in php that contains a lot of html pages that doesnot require user log in for viewing (a requirement actually). The pages are placed in different folders that are highly predictable. e.g www.abc.com/book1/chapter1/lesson1.php, www.abc.com/book1/chapter1/lesson2.php etc.
Hence if someone knows the path to lesson 1, he automatically knows the path to every other lesson in the chapter folder.
Is there a way that if there's a request for www.abc.com/book1/chapter1/lesson1.php, the path shown in the browsers address bar is something like www.abc.com/book1/chapterHFG564/6756/lesson1.php or any other unpredictable URL? i dont even know if it's possible or not!
You could make an MD5 hash of the relative path of the page URL + the server timestamp to make an unpredictable string (let's call this a "page key"), and then store the page key + relative URL association in a persistent store (relational database, or - for speed - constant database) for later lookup.
Then you could write a script (like "http://www.abc.com/page_mapper.php") that takes a "key" parameter, looks up the relative URL for the specified key, reads the associated content (if there is any), and "passes it through" to the client.
Finally, you could add a URL rewriting rule to map incoming requests (e.g. "http://www.abc.com/book1/chapter2/abCvx9100xvz==") to your script (e.g. "http://www.abc.com/page_mapper.php?key=abCvx9100xvz==") and you'd be all set.
Of course then anyone who knows the URL can access the page, but maybe you want that?
i.e. is it OK if user A emails a link (that she can see) to user B and user B can see it?
When it's unpredictable, it's impossible to do so. You can direct all urls to one php file which would then redirect user to correct url
Not sure if u can encode urls in that way... but u could certainly get all scripts to redirect to another MEGA script and use session variables or files to check and see where the user is comong from.. and proceed accordingly. Once the MEGA script directs to another page, it saves a session variable first.. which u can check once the redirect landing page opens up.
i am trying to access a webpage. I manage to get the redirect webpage session id as shown:
http://www.sbstransit.com.sg/mobileiris/(tqkjtlnqkh2lw5v4rz4yurzf)/mobresult_svclist.aspx?stopcode=16101
I added mobresult_svclist.aspx?stopcode=16101 after the session id to retrieve the information.
However, i could not access the page and keep been redirected to the root url: http://www.sbstransit.com.sg/mobileiris/(tqkjtlnqkh2lw5v4rz4yurzf)/index_nextbus.aspx?__redir=1.
Do anyone know how to prevent that redirection to the root url using php or any other codes? Thanks.
You cannot. If the server sends a redirect header, you can of course choose not to follow it, but the page body would still be empty if the server side doesn't generate it.
You would like to have access to data the webmaster doesn't want you to have. Just contact the webmaster and ask for it to achieve this in a proper way.