This question already has answers here:
CSRF (Cross-site request forgery) attack example and prevention in PHP
(4 answers)
Closed 9 years ago.
I have a form.php whose action calls a sql.php file like:
SQL.PHP
if ($_REQUEST['action'] == "add") {
}
if ($_REQUEST['action'] == "edit") {
}
I'd like to prevent direct access, because a user can call it from the browser URL: http://sql.php?action=add
One way is to check if it's a submit. Seems to work well.
if( isset($_POST['Submit']) && ($_POST['Submit'] == "Submit") )
{
echo "direct access not allowed";
}
Are there better alternatives?
Use the $_SERVER['HTTP_REFERER'] array to detect if someone is accessing your page directly by typing it into the browser, or coming from another one of your pages by using links from a page.
So, basically.
if($_SERVER['HTTP_REFERER'] == 'about.php'){
//let user do something
}
So, the $_SERVER['HTTP_REFERER'] global stores information about the pages you visit, and if you echo that code in your page, it will tell you which page you are coming from. Meaning that if you only typed the page and accessed it, it will give a 0/false value.
So, you can use it to detect if someone is directly typing the page or coming from one of your pages.
As others have indicated already, using tokens and sessions would be a better idea since this method can be manipulated. So, I recommend you google them.
It should be if(!isset($_POST['Submit'])). Also, if you use method="POST", it does not throw your parameters like ?action=add at the browser. method="GET" does.
I have an index.php that includes pages like:
<?php
define('MyConst', TRUE);
include_once('template/header.php');
if (!empty($_GET['action'])) {
$action = $_GET['action'];
$action = basename($action);
include("template/$action.php");
} else {
include("template/main.php");
}
include_once('template/footer.php');
?>
Within a template directory I have main.php, which has links to other pages like page1.php, page2.php.
Goto page 1
Goto page 2
How could I prevent users from accessing pages directly by typing "http://mydomain.com/?action=page1" in the URL? And redirect them to main.php if they have done it?
You can not. What you want is simply not possible.
For the server side there is no way to know whether a URL is typed or clicked.
If I understand correctly, the thing you want is to prevent the user to access http://example.org/?action=page1 unless they came from http://example.org/?action=main. To do that, you must be able to detect whether they came from http://example.org/?action=main. The safest way to do that is to generate some random value that you associate to the users when they access http://example.org/?action=main and to check whether there is a correct value associated to the users when they want to access http://example.org/?action=page1. If not, they tried to access that page directly.
Check for HTTP_REFERER and if it is not pointing to the right values (like your menu page) then redirect the user.
Maybe you can try this. On your index.php:
session_start();
if(! isset($_GET['action']))
{
$_SESSION['pageAccess'] = true; # Set the key whatever you want
}
then under that script (we need that session_start() used twice):
if(isset($_GET['action']))
{
if(! isset($_SESSION['pageAccess']) || ! $_SESSION['pageAccess'])
exit('There is no direct access allowed.');
}
Hope this helps, have a nice day.
As per your question:
There are two approaches that you can follow:
1. Use HTTP_REFERER and check on the desired page if the user is coming from the page you wanted. If he is accessing the direct URL then show him an error page.
2. Use $_SESSION, but this approach can be harmful as the SESSION will always be there until the browser / instance is closed.
So it is better to go for the 1st approach.
And also, as per Pehaa, you cannot check if the URL is typed.
This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 8 years ago.
Suppose, I am building website. I want the user to be able to access the index.php file only. I also have other files like www.mydomain.com/aboutus.php files and user can access them if he types this in his address bar. I want the user to be able to access www.mydomain.com only.
How are such security features built?
If I understand correctly that you want to allow them to only be able to access your index/root document (www.mydomain.com/index.php etc.) and not be able to type in: www.mydomain.com/aboutus.php it is fairly simple using the HTTP referrer to make sure that the page they came from was the right one:
Important note (edit): The $_SERVER type variables are susceptible to forgery by the client from something like cURL or even telnet and can be the basis for CSRF type attacks, so this is by no means a secure implementation vs. something like session tokenization.
aboutus.php at the very top:
<?php
// Put the url they came from (empty string when the browser sent no Referer header)
$ref = $_SERVER['HTTP_REFERER'] ?? '';
if($ref !== 'http://mydomain.com/index.php') {
// uncomment below to redirect them automatically (it has to run before die)
// header('Location: index.php');
die("Must come here from index");
}
// Otherwise they came from index so show the page.
echo "Displaying about page:";
echo $content;
?>
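The random-value approach described in an earlier answer (a value generated when the form page is shown and checked again on the processing page), written out as an added example that is not any answer's own code; it replaces the forgeable referer comparison above with a token bound to the server-side session. The file and field names (index.php, process_registration.php, form_token) are assumptions.

```php
<?php
// Added example, not from any answer on this page. A random value is stored in the
// session when the form page is rendered and checked on the processing page, so a
// request typed into the address bar (a GET with no token) is rejected. Field and
// file names (form_token, index.php, process_registration.php) are assumptions.

// --- index.php: render the form with a hidden, session-bound token ---
function form_token_field(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(32));              // 256-bit value from the CSPRNG
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}
// echo '<form method="post" action="process_registration.php">' . form_token_field() . '...</form>';

// --- process_registration.php: accept only a POST carrying the current token ---
function verify_form_request(int $maxAgeSeconds = 900): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                                // typed URLs arrive as GET
    }
    $expected = $_SESSION['form_token'] ?? null;
    $issued   = $_SESSION['form_token_issued'] ?? 0;
    $given    = $_POST['form_token'] ?? '';
    // Consume the token before checking it, so each one is usable exactly once.
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);
    if ($expected === null || !is_string($given) || $given === '') {
        return false;                                // no token issued, or none sent
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false;                                // token too old
    }
    return hash_equals($expected, $given);           // constant-time comparison
}

if (!verify_form_request()) {
    http_response_code(403);
    exit('Direct access not allowed');
}
// ... the real work: save the registration data from $_POST ...
```

Because the expected value lives in the server-side session rather than in a client-controlled header, it cannot be supplied by typing a URL or setting a Referer; this is the same mechanism as a CSRF token.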
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP login then redirect
I've just made a php login page. Upon entering their data, the information is submitted back to the same page where validation occurs.
I'm just not sure how I go to my content page after this is done.
Do I use a require statement that only runs if validation is successful?
I read a similar post on SO and the solution was:
public void redirect(mixed $url, boolean $terminate=true, integer $statusCode=302)
But I'm not really sure what I'm supposed to put where, and which of those terms I literally enter versus which terms are placeholder values that I'm supposed to fill with something. Also not sure if $url can be filled with a relative URL like memberpage.php.
Some clarification would be greatly appreciated.
edit:
Wait... public void... isn't that Java terminology?
On successful login, set whatever $_SESSION variables you need (if appropriate), then redirect using:
header ("Location: mypage.php");
Remember, you need to send this header before outputting (echoing) anything.
You could try to add a redirect in your header. Code would be something like this:
login_validator.php
<?php
// validation code that sets $login ...
if (isvalid($login)) {
    header('Location: loggedin/welcome.php');
    exit; // stop running the script once the redirect header is sent
} else {
    // some other handler;
}
So, if I'm getting this right, you have a user input information and hit submit - that form then posts to itself, where you have PHP at the top that says something like
<?php
if (isset($_POST['name'])) {
//input everything
}
?>
If this is true, you can just put a line that says something like this:
header('Location: http://www.yoursite.com/new_page.html') ;
inside, at the very bottom of that previous if statement.
I have 2 scripts. They are:
registration.html
process_registration.php
Sometimes someone opens the link directly to process_registration.php, so how can I prevent that?
process_registration.php's function is to save the data obtained from the input of registration.html.
Any idea ?
You can use :
if (!isset($_POST['field'])) {
die();
}
at the top of your process_registration.php file.
Of course, replace field by one of your existing fields in your form.
If you're against flooders that register several accounts using scripts, you may use a captcha field on your registration form, or use protections against crawling.
Just another method:
if (empty($_POST)) {
exit("Direct access not allowed");
}
Just more flexible with the object names. For extra security, you should put this in your form:
<input type="hidden" value="9957374" name="hiddenvalidate" />
and in your script:
if (!isset($_POST['hiddenvalidate']) || $_POST['hiddenvalidate'] != 9957374) {
exit("Direct access not allowed");
}
You can check if the current request is a POST type (if you use a form):
if($_SERVER['REQUEST_METHOD'] == 'POST')
and you can also check if all required variables are set.
You can use the $_POST array in process_registration.php for this, like:
if(!isset($_POST['yourvariable'])){
//Redirect to registration page
}
You can also use a PHP session for it. If the session is not set then redirect the user to the registration page.
I like the way Joomla handles this issue.
On every php page in Joomla, you will see the following code:
// No direct access
defined('_JEXEC') or die; // it's a config setting
Only the top-level pages have this variable included in them. All other files, if opened directly, close, thereby preventing any accidental misuse/data loss.
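Combining the constant guard above with the index.php dispatcher from the earlier question, as an added example that is neither Joomla's code nor the questioner's: the front controller includes only whitelisted template files, and each template exits unless it was reached through index.php. As answered earlier, this cannot tell a typed ?action=page1 from a clicked link; it only stops direct requests to the template files themselves and stops ?action= from naming arbitrary files. The template paths are assumptions.

```php
<?php
// Added example, not Joomla's code or the questioner's index.php. The guard constant
// marks requests that came through the front controller; the whitelist stops
// ?action= from naming any file outside the intended set. Template paths are assumptions.

// --- index.php (front controller) ---
define('MyConst', true);   // only ever defined here

const PAGES = [
    'main'  => 'template/main.php',
    'page1' => 'template/page1.php',
    'page2' => 'template/page2.php',
];

// Map the requested action to a known file; anything else falls back to main.
// basename() alone would still let ?action=header include template/header.php.
function resolve_page(?string $action): string {
    return PAGES[$action ?? 'main'] ?? PAGES['main'];
}

include_once 'template/header.php';
include resolve_page($_GET['action'] ?? null);
include_once 'template/footer.php';

// --- template/page1.php (same first line in every file under template/) ---
// Requested as /template/page1.php directly, MyConst is undefined and the file
// stops here before any of its own code runs; included from index.php it continues.
defined('MyConst') or exit('No direct access');
echo 'Page 1';
```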
This question already has answers here:
Detecting request type in PHP (GET, POST, PUT or DELETE)
(14 answers)
Closed 9 years ago.
How can I check if the request is a postback in PHP? Is the below ok?
if (isset($_POST["submit"]))
where submit is the name of the <input type="submit" />
That will work if you know and expect such a submit button on the same page.
If you don't immediately know anything about the request variables, another way is to check the request method:
if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST')
As pointed out in the comments, to specifically check for a postback and not just any POST request, you need to ensure that the referrer is the same page as the processing page. Something like this:
if (basename($_SERVER['HTTP_REFERER']) == $_SERVER['SCRIPT_NAME'])
You want $_SERVER['REQUEST_METHOD'] == 'POST'.
Yours is a very similar although less general question than this one.
This is probably a better approach than actually checking a post variable. For one, you don't know whether that variable will be sent along. I have the hunch that some browsers just won't send the key at all if no value is specified. Also, I'd worry that some flavors of PHP might not define $_POST if there are no POSTed values.
If you want to have a generic routine without dependency on the "method" (post/get) and any other names of the form elements, then I recommend this:
<?php
$isPostBack = false;
$referer = "";
$thisPage = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
if (isset($_SERVER['HTTP_REFERER'])){
$referer = $_SERVER['HTTP_REFERER'];
}
if ($referer == $thisPage){
$isPostBack = true;
}
?>
Now $isPostBack will be true if it is a postback, false if not.
I hope this helps
Yes, that should do it.
Careful when you're using image type submits, they won't send the name attribute in some browsers and you won't be able to detect the POST. Smashed my head against the desk a few times until I realized it myself.
The workaround for that is to add a hidden type input as well.
Yes. You could also use if(array_key_exists('submit', $_POST))