I have the following code in my index.php page:
<?php include("/includes/widgets.php") ?>
And in my widgets.php page:
<?php
header("Location: /");
?>
What I want to achieve with this is to redirect it if the user visits it, but allow it for including.
But I get the following error:
The webpage has a redirect loop
How can I fix/prevent the redirect loop, but still redirect the user and not the server.
Place the widgets.php file in a folder not accessible to HTTP clients. I.e on apache webserver, either put it above your document root (into it's parent) or use .htaccess file to block users from it.
e.g.
deny from all
I think I know what you need :)
Change code index file to next
define("IS_INDEX", true);
include("/includes/widgets.php"
Change code for widgets.php to next
if (!defined("IS_INDEX")) {
header("Location: /");
exit();
}
The issue is you are redirecting back to the same page, which then redirect again, and again, and again.
An easy fix would be to wrap the redirect in an if, and only redirect if they aren't already on the index page; but this is just patching what looks like an architectural problem.
Something like:
if (ltrim($_SERVER['REQUEST_URI'], '/') != 'index.php')
header('Location: index.php');
One way is to check if __FILE__, which is the file loaded, regardless of included or not matches up with the file requested which is in $_SERVER['REQUEST_URI'] (or $_SERVER['PHP_SELF']).
I use this on our development site in a page that is usually included to get the output as debugging.
if(basename($_SERVER['PHP_SELF'])===basename(__FILE__)){
//do some debugging
}
Typically you wouldn't use basename, but this is on a non-public facing development site and the file has a pretty unique name so I'm not worried about the file being included with another file with the same name or anything.
One possible way is to add a parameter to the redirection, e.g.
if (!$_REQUEST['redirect'])
header("Location: /ìndex.php?redirect=1");
That way redirection can happen only once.
Another way is to stop redirection if the user already is on the /. I´d suggest to combine both.
Related
the dilemma I have is my website index.php calls to a template php file on a button press like this:
case 'main':
$page = getTemplate('main.php', array('user'=>$user));
echo $page;
break;
This main.php template file is in a folder in "/var/www/template/" How do I stop people going to: domain.com/template/main.php and viewing the code for that page. I think the solution would be to make the localhost be able to pull the it and display it rather than the user or something along those lines. Any help would be appreciated thank you.
Like a comment said, the PHP file will not be printed, it will print the HTML result that the php file produce.
Maybe it produces some errors indicating vulnerabilities to a potential attacker ? If that's your case, you should handle this directly into the php code or use a .htaccess at the root of your site. You can't find some help there.
How to deny access to a file in .htaccess
Managed to fix this by putting this at the top of the php page I wanted to render:
<?php
if (!isset($_GET['page'])) {
header('Location: /main');
exit();
}
?>
This means if someone goes "domain.com/template/main.php" to attempt to view the source code, it will redirect them back to the main webpage for my site. Thanks for your suggestions however.
So, I made a simple PHP login, but when I tried to redirect like this:
$path = $_SERVER["DOCUMENT_ROOT"];
header("Location: $path/admin/index.php");
it seemed like it did nothing, but after I refreshed the page I was logged in.
After I changed my code to this:
header("Location: ../admin/index.php");
it works.
Could someone please explain this to me?
Ps. sorry for my bad english
The header is sent to the browser, so it is not an internal server maneuver. And with it not being an internal redirect, you don't deal with internal paths. When you use DOCUMENT_ROOT you will get the internal server path to the directory where your files are located.
If you want to reference the root of the site as a URL, just use /.
header("Location: /admin/index.php");
header("Location: /"); # go to homepage, for example
Your .. worked because you probably were on a subdirectory, and .. was translated to the parent directory which is where admin is.
$_SERVER["DOCUMENT_ROOT"];
returns path like /var/www/html/yourfolder/, but you have to redirect to website.com/yourfolder/ or localhost/yourfolder/.
hence that won't work.
Have you tried printing the value of $path?
the value of $path is relative to the actual file location
e.g. $path = '/c/inetpub/sites/example/main/'
You probably wanted something like '/c/inetpub/sites/example/' or '/c/inetpub/sites/example/main/..'
Supposed the page is example.com/blog/data.php. I am using file_get_contents to get the content in another script page. Now, i want to:
Forbid google search to crawl and index the data.php page.
Forbid the visitor to access it
Is there a way to achieve this?
You can redirect to another page if the request url is example.com/blog/data.php, but a far easier and more logical solution would be to move the file out of your web-root.
Edit: If you really want to keep the file inside the web-root, you can use something like this at the top of the script that you don't want to access directly:
if ($_SERVER['REQUEST_URI'] === $_SERVER['SCRIPT_NAME'])
{
header('Location: /'); // redirect to home page
}
However, this will probably not work in combination with file_get_contents (you need to remove these lines from the result), you could include the file instead.
Don't put data.php under the web root. Keep it in a parallel directory.
You can pass token via GET. Overall your way is slightly wrong. Why don't you incorporate the data.php logic in the script that is calling it.
Simply apply access restriction for authorized users only. You are able to do it in the most simple way by accessing your page using url parama as password:
example.com/blog/data.php?secret=someblah
and in the first of your file data.php do the following:
<?php
if (!isset($_GET['secret']) || $_GET['secret'] != 'someblah')) exit();
?>
However,It is recommended, don't use this from public computer becuase it is not secure but it is the primitive authentication principle.
What is the best way to "NOT" display a page directly in php?
Edit
There is a page = register.php
a user cant open register.php directly. Only can access from index.php > Register.php
Thanks
Any PHP files containing sensitive data, such as database password, should be stored outside of the document root and included where needed. That way, if an admin makes a serious mistake and the web server starts sending PHP unparsed, that data will be inaccessible.
Edit
You edited your question and it now seems you wish to prevent access to page without them coming from a particular page. You should be able to get some ideas from these questions:
deny direct access to a php file by typing the link in the url
preventing direct access to a php page, only access if redirected
I think you want something like this:
if ( $_SERVER['HTTP_REFERER'] != 'http://YOUR_SITE/index.php' ) {
echo "Can't access this page from this referer";
die();
}
// go on with your register.php code
You can put
die();
or
exit();
At the top of your PHP document. However, your question is unclear as to what you wish to accomplish.
You can start a session in index.php and check for a certain variable from that session in the other pages.
make a file index.php
in it put
<?php
include 'register235235235235.php';
?>
make a file register235235235235.php
put whatever you want in there
As far as securing php includes, I only secure my database.php files which contain usernames and passwords.
Where do you use the command header()?
I have the following code at handlers/handle_login.php. The user has gone to the site from index.php which is the starting place.
if(!$logged_in){
header("Location: index.php");
die("You are not logged_in");
}
If if-clause is true, I get a 404 error, since the header puts me to to handlers/index.php, instead of index.php.
While I agree with nilamo and earl, I hope I can give a bigger picture:
Using relative paths can have very strange effects depending on where the browser
'thinks' it is in your site hierarchy. For example, assume the site has an index file '/index.php' but is configured to accept module and action in the URI path. You may very well have a url that looks like:
http://www.yoursite.com/forms/contact/
From this situation, returning a header like:
header("Location: index.php");
may very well cause the browser to try to request
http://www.yoursite.com/forms/contact/index.php
which is obviously not what you want. For this reason, it's generally better to use '/index.php' as recommended above, or even better use the fully qualified URL when possible.
Hope this helps.
Set the location to the complete URL of the index.php, not just the filename. According to php.net, this is the right way to do it, don't use relative paths. Here is an example:
if(!$logged_in){
header("Location: http://exampledomain.com/index.php");
die("You are not logged_in");
}
Try using '/':
if(!$logged_in){
header("Location: /index.php");
die("You are not logged_in");
}
Without a slash, it is assumed that you're referring to something in the current directory. By sticking that slash at the front, you're explicitly referring to the file at the root of the site. Since the page is 'index.php', you could just as easily use "header('Location: /')".