Ensure that request comes from within server [duplicate] - php

This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 8 years ago.
Suppose I am building a website. I want the user to be able to access the index.php file only. I also have other files like www.mydomain.com/aboutus.php, and a user can access them if he types this in his address bar. I want the user to be able to access www.mydomain.com only.
How are such security features built?

If I understand correctly, you want to allow them to only be able to access your index/root document (www.mydomain.com/index.php etc.) and not be able to type in www.mydomain.com/aboutus.php. It is fairly simple using the HTTP referrer to make sure that the page they came from was the right one:
Important note (edit): The $_SERVER type variables are susceptible to forgery by the client from something like cURL or even telnet and can be the basis for CSRF type attacks, so this is by no means a secure implementation vs. something like session tokenization.
aboutus.php at the very top:
<?php
// Put the URL they came from ('' if the browser sent no Referer header, which avoids a notice)
$ref = $_SERVER['HTTP_REFERER'] ?? '';
if ($ref !== 'http://mydomain.com/index.php') {
    // uncomment the next two lines (and drop the die) to redirect them automatically;
    // the exit matters, otherwise the script keeps running after the redirect header
    // header('Location: index.php');
    // exit;
    die("Must come here from index");
}
// Otherwise they came from index so show the page.
$content = "About us page body goes here."; // placeholder for the real page content
echo "Displaying about page:";
echo $content;
?>
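The duplicate this question points at (preventing direct access to an include file) is normally solved without looking at the Referer at all: index.php is the only script that does real work, and each page file refuses to run unless index.php included it. The following is an added example and not code from the question or the answer above; the file layout (pages/aboutus.php), the page parameter name and the IN_SITE constant are assumptions.

```php
<?php
// ===== index.php: the only script a visitor is meant to request directly =====
// Added example (not from the original answer). The file layout, the "page"
// parameter and the IN_SITE constant are assumptions.

// Marks that execution started here; the page files test for it.
define('IN_SITE', true);

// Whitelist of pages index.php is willing to render. A request for anything
// not listed here (including "../" tricks) can never reach the filesystem.
$pages = [
    'home'    => __DIR__ . '/pages/home.php',
    'aboutus' => __DIR__ . '/pages/aboutus.php',
];

$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !isset($pages[$page])) {
    http_response_code(404);
    exit('Unknown page');
}

require $pages[$page];   // e.g. /index.php?page=aboutus renders the about page

// ===== pages/aboutus.php (separate file, shown here after index.php) =====
// Never requested directly, only included above. If someone types
// /pages/aboutus.php into the address bar, IN_SITE is not defined, so the
// script stops before producing any content.
if (!defined('IN_SITE')) {
    http_response_code(403);
    exit('Direct access is not permitted');
}

echo "Displaying about page:";
```

Because the guard runs before any output, a request typed straight to /pages/aboutus.php gets a 403 even when pages/ sits inside the document root; moving pages/ above the document root, or denying it in the web server configuration, removes the possibility entirely. Unlike the Referer check, nothing here depends on a header the client chooses to send.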

Related

How to properly set URL for links and other assets [duplicate]

This question already has answers here:
Short way to link to http from https (and vice versa) using relative links
(6 answers)
Closed 5 years ago.
I want to use the full URL for the location of my CSS, JS, and image files in my header.php file, so that when the header.php file is called from another folder directory, it doesn't break the link.
However, I want the site to be accessible by http and https, set by the user in their profile settings in the web application.
I started to write some code for the solution below, but I'm not sure if this is the correct way of handling this.
config.php
<?php
// use https
$use_https = true;
?>
header.php
<?php
// load $use_https from config.php (without this the variable is undefined here)
require_once 'config.php';
if ($use_https) {
    $proto = "https://";
} else {
    $proto = "http://";
}
?>
Link
The easiest way is to just do:
Link
Or since it's on your own server, just:
Link
Make sure to include the initial slash, so that it is relative to the root of your site, and not to the current page (this will prevent the link from breaking).
That being said, if your site works with https, you are probably better off just always using https, since you don't really have performance concerns anymore.

PHP: Adding security with http referer [duplicate]

This question already has answers here:
Determining Referer in PHP
(5 answers)
Closed 8 years ago.
I'm kinda a noob with PHP.
I want to keep my page accessible only from a link,
e.g. I only want to allow people who clicked a link to my page from example.com,
and redirect others, like those from google.com, to another page on my site, e.g. an error message.
How could I do this?
if(isset($_SERVER['HTTP_REFERER']))
$referer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
else
$referer_host = '';
if($referer_host != 'example.com')
{
header('Location: http://example.com/error');
exit;
}
People not sending (correct) referers for various reasons will be entirely excluded from your page.
Of course bookmarking your site etc. will also not work.
As headers can be faked by the client at will, I would not call this a "security" feature.

Prevent direct access to action form [duplicate]

This question already has answers here:
CSRF (Cross-site request forgery) attack example and prevention in PHP
(4 answers)
Closed 9 years ago.
I have a form.php whose action calls a sql.php file like:
SQL.PHP
if ($_REQUEST['action'] == "add") {
}
if ($_REQUEST['action'] == "edit") {
}
I'd like to prevent direct access, because a user can call it from the browser URL: http://sql.php?action=add
One way is to check if it is a submit. It seems to work well.
if( isset($_POST['Submit']) && ($_POST['Submit'] == "Submit") )
{
echo "direct access not allowed";
}
Are there better alternatives?
Use the $_SERVER['HTTP_REFERER'] array to detect if someone is accessing your page directly by typing it into the browser, or coming from another one of your pages, by use of links from a page.
So, basically:
// The Referer header carries a full URL, so compare the file name of its path
// rather than the raw header; the ?? '' avoids a notice when it is absent.
$refererPath = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_PATH);
if (is_string($refererPath) && basename($refererPath) === 'about.php') {
    //let user do something
}
So, the $_SERVER['HTTP_REFERER'] global stores information on the page you came from, and if you echo that variable in your page, it will tell you from which page you are coming. Meaning that if you only typed the page and accessed it, it will give a 0/false value.
So, you can use it to detect if someone is directly typing the page or coming from one of your pages.
As others have indicated already, using tokens and sessions would be a better idea, since this method can be manipulated. So, I recommend you Google them.
It should be if(!isset($_POST['Submit'])). Also, if you use method="POST", it does not show your parameters like ?action=add in the browser. method="GET" does.
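The CSRF-token approach the duplicate link refers to handles both problems raised here: the handler refuses anything that is not a POST, and it accepts a POST only when it carries the token that was stored in the same session when the form was rendered, which a URL typed into the address bar (or a form on another site) cannot supply. Added example, not code from the question or the answers above; form.php and sql.php are the question's file names, while the session key csrf_token, the title field and the action whitelist are assumptions.

```php
<?php
// ===== form.php: renders the form and issues a per-session token =====
// Added example; the session key 'csrf_token' and the form fields are assumptions.
session_start();

if (empty($_SESSION['csrf_token'])) {
    // 32 random bytes, hex encoded, generated once per session.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
$token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="sql.php">
    <input type="hidden" name="csrf_token" value="<?= $token ?>">
    <input type="hidden" name="action" value="add">
    <input type="text" name="title">
    <button type="submit" name="Submit" value="Submit">Submit</button>
</form>
<?php
// ===== sql.php (separate file): only does work for a POST carrying the token =====
session_start();

// Anything typed into the address bar arrives as a GET: refuse it outright.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    exit('direct access not allowed');
}

// hash_equals() compares in constant time and is false for a missing or
// wrong token; the ?? '' keeps an absent field from raising a notice.
$sent = $_POST['csrf_token'] ?? '';
if (!isset($_SESSION['csrf_token']) || !is_string($sent)
    || !hash_equals($_SESSION['csrf_token'], $sent)) {
    http_response_code(403);
    exit('invalid or missing form token');
}

// Whitelist of actions: a guessed value such as action=delete is refused
// before any database code runs.
$action = $_POST['action'] ?? '';
if (!in_array($action, ['add', 'edit'], true)) {
    http_response_code(400);
    exit('unknown action');
}

$title = is_string($_POST['title'] ?? null) ? trim($_POST['title']) : '';
// The INSERT/UPDATE itself belongs here (using prepared statements); this
// example only reports which branch was reached.
echo 'Accepted "' . $action . '" for title: '
   . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
```

The token is tied to the session, not to the page the request came from, so bookmarks and missing Referer headers (the problems noted in the other questions on this page) do not break it; only a request that was first handed the token by form.php can pass the check.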

how to use header referrer to redirect or allow access to site [duplicate]

This question already has an answer here:
Closed 10 years ago.
Possible Duplicate:
PHP redirect based on IP AND referrer
Is it possible to redirect a user if they access the site from another location? What I want to do is: when the user accesses the site from Google, he will be redirected to the main site, but if he accessed the website from the link that came from the "main site", a pop-up window will appear that contains the restricted site, and since the user came from the "main site" he will be granted access.
Any PHP or JavaScript will do, as long as it checks if the user came from the main site.
Or, if possible, check from what "IP" the user came to grant access?
Redirecting the user can be accomplished using the header() method and setting a "Location: " header for the new target. The conditional can be expressed by evaluating the Referer header sent by the client; this should be available in one of the PHP system variables, see http://php.net/manual/en/reserved.variables.server.php
Something along the lines of:
// ?? '' avoids a notice when no Referer header was sent; exit stops the script after the redirect
if (preg_match("/your-domain/", $_SERVER['HTTP_REFERER'] ?? '')) {
    header('Location: /hidden_page.html');
} else {
    header('Location: /');
}
exit;
should do the trick.
To redirect the Google bot and that action's implications see Does Google bot crawl entire site if there is a redirect and http://forums.digitalpoint.com/showthread.php?t=1210
For figuring out what's inside the variables and how to use regular expressions in PHP, use this example code
<pre>
<?php
echo ($_SERVER['HTTP_REFERER'] ?? '(no referer sent)') . "\n";
echo $_SERVER['REMOTE_ADDR'] . "\n";
// the dots are escaped so each "." matches a literal dot rather than any character,
// and the anchors make the whole address match, not just a part of it
if (preg_match("/^188\.174\.82\.97$/", $_SERVER['REMOTE_ADDR'])) {
    echo "Yes";
} else {
    echo "No";
}
?>
</pre>
in your script or something like phpfiddle.org
Check the $_SERVER['HTTP_REFERER'] variable in a conditional to see what the user's referrer actually is, and then use the header() method to actually redirect to another URL.
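Both the answer to "PHP: Adding security with http referer" above and the preg_match("/your-domain/", ...) answer to this question decide on the host named in the Referer header. The added example below (not code from either answer) does that comparison with parse_url and a whole-host string compare, and runs it over constructed Referer values that show where a substring or regex test goes wrong: a missing header, a look-alike host, the expected domain hidden in the query string, and an unescaped dot. The host name example.com and the redirect targets are assumptions taken from the questions.

```php
<?php
// Added example, not code from the answers above. Decides whether the
// Referer header names the expected host using a whole-host comparison
// instead of a substring or regex match.

function referer_host_is(string $expectedHost, ?string $referer): bool
{
    // No header at all (direct visit, bookmark, privacy extension, or an
    // HTTPS page linking to an HTTP one): treat as "not from our site"
    // rather than raising an undefined-index notice.
    if ($referer === null || $referer === '') {
        return false;
    }
    // parse_url() returns false for malformed input and null when there is
    // no host component (e.g. a bare path).
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    // Host names are case-insensitive; compare whole strings only.
    return strtolower($host) === strtolower($expectedHost);
}

if (PHP_SAPI === 'cli') {
    // Constructed Referer values (not real traffic), each annotated with what
    // preg_match("/example.com/", $referer) would have decided instead.
    $samples = [
        ['http://example.com/index.php',              true],  // genuine link from our site
        ['https://EXAMPLE.com/page',                  true],  // same host, different case
        ['http://example.com.evil.test/',             false], // regex matches the prefix
        ['http://evil.test/?next=http://example.com', false], // regex matches the query string
        ['http://examplexcom/',                       false], // unescaped "." matches any character
        ['not a url',                                 false], // no host component at all
        [null,                                        false], // header not sent
    ];
    foreach ($samples as [$referer, $expected]) {
        $got = referer_host_is('example.com', $referer);
        printf("%-45s -> %-9s %s\n", var_export($referer, true),
               $got ? 'same site' : 'elsewhere', $got === $expected ? 'OK' : 'MISMATCH');
    }
} else {
    // Routing as in this question: visitors who followed a link from the main
    // site go to the hidden page, everyone else to the front page. This is
    // navigation convenience only: the header is chosen by the client, so it
    // must not be the thing that protects the hidden page's content.
    if (referer_host_is('example.com', $_SERVER['HTTP_REFERER'] ?? null)) {
        header('Location: /hidden_page.html');
    } else {
        header('Location: /');
    }
    exit;
}
```

Run from the command line the script prints one line per sample and "OK" on every row; under a web server it performs the redirect instead. The function returns false for an absent header, which is the right default here: the earlier answer's point that bookmarks and privacy tools strip the Referer still applies, and anyone in that situation simply lands on the front page rather than seeing an error.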

design of website with membership to restricted content

I have a web site which currently has over 900 HTML articles viewable to anyone. I want to change it to restrict viewing of certain articles to members only. I have the articles in an SQL database with a flag if restricted. There is an article index with links to each article. The process will be to check if the article is restricted, check if the user is a member and logged in, then display; otherwise send to the login or subscribe pages. Since there are so many articles, I can't just add some PHP to not display if the article is accessed directly. My question is: where in my web directory do I put these article pages, and how do you protect someone from directly accessing the page, but allow access once the user is authenticated? Any input is appreciated. Anyone know of good reference books on this either?
Move the files so that they're above your document root, and therefore inaccessible through the web server. Or, move the files to a directory which you protect with a password (.htaccess/.htpasswd pair). You never give out that password, it's only there to prevent direct access of the files.
Then, write a script which proxies the articles. That script checks if the user is logged in. If not, it redirects them to the login page. If they are, it reads the article HTML from its actual location and sends it through.
Ex: http://www.example.com/article.php?view=cooking.html
session_start();
if (!isset($_SESSION['logged_in'])) {
    header("Location: login.php");
    exit; // stop here, otherwise the script keeps running after the redirect header
} else {
    // basename() drops any directory part, so "../" in the parameter cannot leave the article directory
    readfile("/path/to/articles/" . basename($_GET['view']));
}
You'll want to do some kind of sanitation on $_GET['view'] to make sure it doesn't contain anything but the name of an article.
You can even keep your current URLs and links to the articles by rewriting them to the proxy script in your .htaccess/httpd.conf with mod_rewrite. Something like this:
RewriteEngine On
RewriteRule article/(.*)\.html articles.php?view=$1 [L]
If you don't already have any existing framework for PHP development that would help with security matters, you might consider something simpler than even using PHP to restrict access. Read up about .htaccess files, and how you can create a protected directory in which you could place all the restricted articles. Then you can setup user account and require people to authenticate themselves before they can read the restricted articles.
Here's a tutorial on how to setup .htaccess for user authorization/authentication:
http://www.javascriptkit.com/howto/htaccess3.shtml
You have a couple of basic options:
Add the code to each page. You can probably automate this, so it's not as bad as it sounds. It really shouldn't be more than a single include.
Figure out how to get your web server software (e.g., Apache) to do the authentication checks. Depending on how complicated your checks are, a mod_rewrite external mapping program may be able to do it. Other than that, there are existing authentication modules, or writing a fairly simple shim isn't that hard (if you know C).
Feed all page loads through PHP. This will probably break existing URLs, unfortunately. You pass the page you want to see as a parameter or part of the path (depending on server config), then do your checks inside your script, and finally send the page if the checks pass.
The simplest way would probably be to move all the article files outside the web root, and then use PHP to fetch them if the client is allowed to see them.
For example:
<?php
if (isset($_GET['id']))
{
    $articleDir = "/var/articles/";
    // Assuming a "?id=1" query string is used to pass a numeric ID of
    // an article. (Like: example.com/showArticle.php?id=1)
    $articleID = (int)$_GET['id'];
    $articleFile = "article_{$articleID}.html";
    // Look through your SQL database to see if the article is restricted,
    // and check the session to see if the user is logged in.
    // I'll leave the coding of that up to you though; these two are placeholders.
    $isRestricted = false;
    $isLoggedIn = false;
    if (!$isRestricted || $isLoggedIn)
    {
        $path = $articleDir . $articleFile;
        if (file_exists($path))
        {
            include $path;
        }
        else
        {
            echo "The requested article does not exist.";
        }
    }
    else
    {
        echo "You have to be logged in to see this article.";
    }
}
else
{
    echo "No article ID was passed. Did you perhaps follow a bad link?";
}
?>
Note that if you want to keep the old links alive, you can use Apache's mod_rewrite to rewrite incoming requests and route them to your PHP file.
Edit
This may help if you are new to mod_rewrite and/or regular expressions:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^article_(\d+)\.html$ fetchArticle.php?id=$1 [L]
</IfModule>
Routes any link such as example.com/article_123.html to example.com/fetchArticle.php?id=123 without the client noticing it.
Similar to what Dan Grossman did, but this one fetches only numbers.
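Putting the answers above together as one script: the articles sit outside the document root, this script is the only route to them, the id is validated before it is used to build a path, and the membership check ends the script after the redirect. Added example, not code from any of the answers; the article directory, the session key logged_in, and the in-memory $restricted array that stands in for the SQL flag are constructed assumptions.

```php
<?php
// fetchArticle.php: added example, not code from the answers above.
// Assumptions: articles live in /var/articles (outside the document root),
// $_SESSION['logged_in'] marks an authenticated member, and $restricted
// stands in for the "restricted" flag the question keeps in SQL.
session_start();

const ARTICLE_DIR = '/var/articles';

// Constructed stand-in for: SELECT restricted FROM articles WHERE id = ?
$restricted = [
    1 => false,   // free article
    2 => true,    // members only
];

// 1. Validate the identifier before it touches any path. Digits only means
//    "../", null bytes or absolute paths never reach the filesystem.
$rawId = $_GET['id'] ?? '';
if (!is_string($rawId) || !ctype_digit($rawId)) {
    http_response_code(400);
    exit('No valid article ID was passed. Did you perhaps follow a bad link?');
}
$id = (int) $rawId;

// 2. Unknown id: same answer whether or not a file happens to exist, so the
//    response does not reveal what is on disk.
if (!array_key_exists($id, $restricted)) {
    http_response_code(404);
    exit('The requested article does not exist.');
}

// 3. Membership check. The exit after the redirect header is essential;
//    without it the script would continue and could still send the article.
$isLoggedIn = !empty($_SESSION['logged_in']);
if ($restricted[$id] && !$isLoggedIn) {
    header('Location: /login.php?next=' . urlencode("/article_{$id}.html"));
    exit;
}

// 4. Resolve the final path and confirm it is still inside ARTICLE_DIR
//    before reading it (defence in depth; step 1 already guarantees this).
$base = realpath(ARTICLE_DIR);
$path = realpath(ARTICLE_DIR . "/article_{$id}.html");
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('The requested article does not exist.');
}

header('Content-Type: text/html; charset=utf-8');
readfile($path);
```

With the mod_rewrite rule shown above, /article_2.html maps to fetchArticle.php?id=2, so old links keep working while Apache never serves the file itself. The realpath check at the end is redundant once the id is restricted to digits, but it costs nothing and keeps the script safe if the file-name scheme is ever changed to something less strict.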
