This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 9 years ago.
I have a PHP file that queries my database and then returns information in XML format back to my application. Right now, if I just go to the URL in the browser and put in the proper parameters in the URL, the information is shown right to me. Is there a way that I can make the PHP page ONLY accessible through the application(iOS and Android)? I have searched, and the only thing that I can find is making the page only accessible through includes, but I don't see how this would restrict the access if the person figured out the php page that included the file. Any suggestions are appreciated!
Thanks
Almost any restriction you put on it will essentially come down to "Put something in the request that only the application will send".
The basic approach would be "Keep the URL secret". If only the application knows about it, then only the application can make a request to it. Anything else (passwords, API keys, custom HTTP headers, user-agent sniffing, etc) is just complexity around the same concept.
Making the request over HTTPS instead of HTTP will protect the secret from exposure to sniffing.
Nothing can save you from decompilation though.
You could add a custom http header in your client request inside your app with a challenge code. Your script detects the header and verifies the challenge. If the verification is passed, you execute the script, otherwise you return a 403 Forbidden.
Rather not. In fact everyone can insert false data in his browser information and you wouldn't find out if this is Microsoft Internet Explorer on Windows 95 or Chrome on Android phone.
You may try to block by IP number, but this is not blocking application, but the user.
The only idea I have is to use some user/password login things, which only your application would know, but it has its own security holes (like man-in-the-middle).
Related
I searched for the answer for my question but I couldn't find exactly what I wanted.
If you find a duplicate of this please send me it!
I have a couple of files in my website that are used to do background functions that I don't want anyone to access them- not even the admin. for example files like PHPMailer.php, login-inc.php logout-inc.php and more.
I need a way to prevent anyone from accessing those pages and not prevent them from working when triggered by buttons/forms.
I'm aware that using a session can redirect not logged users, although, here, I need to prevent everyone from accessing the pages by redirecting them or sending them to a 404 page.
what do I need to use to do that?
thanks!
Update: I'm very new to web coding so sorry for the confusing question, I wanted to block users from entering some pages by entering their location with a link for example I don't want users to be able to access tokens/passwords...
Using .htaccess solves my problem. thank you.
One way to protect your files to be called by web server is to move them out of site webroot directory. That way there is no way that someone access the with web browser and you still can include them. It's common solution.
Other way is to intercept web server requests and i.e. forbid some of them, redirect some others and so on. I.e for Apache web server you can do that inside .htaccess file. You have to allow that in website settings.
For your specific case, with those buttons:
You'll have to use .htaccess (or equivalent) to intercept all requests to those files. Then redirect those request to some php script, with also saving passed parameters.
Then your PHP script should decide what to do with that request...reject it (redirect to 404 page) or allow access.
For that your buttons, should pass some kind of pass code. So your PHP script can check, when it's called if valid pass code is provided (allow access) or not (redirect to 404).
Now making that pass code that can't be manipulated could be tricky, but generally you must invent some formula to generate them (based i.e. on current time) so PHP script could you the same formula to check it's validity.
Other way is to i.e. to do some JS action when button is pressed (i..e write some cookie) and PHP script will check for that JS action result (cookie exists or not).
This may be a question someone has already asked. (If it is I'm sorry, I could not find another question like this.)
I designed a webapp on PHP-NODEJS-Static HTML. I send a form from the static HTML to the NODEJS app to get approved. If approved I want the nodejs application to redirect to a php page. I already have the nodejs application up on heroku, and it is designed so if it is approved, it automatically redirects to a php page. The problem is that I only want the redirects from the server to be able to display the php page if that makes any sense. How do I go around doing this.
You'll need to have your nodejs, before redirecting, create a secure one-time token. The token should be embedded into the URL pointing to the PHP server (the one that the browsers will follow for redirect), and stored in a database (probably associated with an expiration, umm, say 5 minutes?).
When PHP page receives the request, it should extract the token from the URL, and validate whether the token exists, and only proceed further then. PHP page should also remove the token once used. You will need some sort of a database to store the token, I would recommend Redis, as it has an automatic expiration of keys, so you don't have to worry about clean up, or clogged database.
I'm attempting to automatically download content at regular time intervals from a site requiring users to log in. The content I'm seeking to download is a small .js file (<10 kb).
As the site will display the desired data only when I'm logged in, I'm unable to simply use functions such as urlwrite (in MATLAB) to download the data.
I'm not sure whether the libcurl library in PHP would be able to solve the problem easily.
As suggested in the answer to this similar question (Fetching data from a site requiring POST data?), I've tried to use the Zend_Http_Client, but haven't been able to get it to work.
In summary, I'd like help on automatically downloading URL content from a site requiring user log-in (and presumably submission of cookies).
In addition to this, I'd appreciate advice on which software is best for automated download of such data at regular time intervals.
(If you do require the exact URL I am trying to download from to test a solution, please leave a comment below.)
It depends on the type of login the site uses. If it uses HTTP authentication you use curl option CURLOPT_HTTPAUTH (see setopt, http://php.net/manual/en/function.curl-setopt.php) Otherwise, as said, you use COOKIEJAR and possible COOKIEFILE.
Another option is the standalone utility wget. The FAQ contains a nice explanation of both login methods http://wget.addictivecode.org/FrequentlyAskedQuestions#password-protected
If this is the first time you use curl: don't forget to set CURL_RETURNTRANSFER to true (if false the content is send to stdout) and CURL_HEADER to false to get the content without headers.
I your only concern is login, rather than cookies in general. Check the answer to this question : How do I use libcurl to login to a secure website and get at the html behind the login
I'm afraid that you're all gonna need to reach over and put on your "this-is-a-dumb-question" hat, but I can't find a legitimate answer online.
I can find all sorts of crazy info on sending cURL requests to a site and have them send back a response and processing that response.
My question is I want to BE the site that receives this cURL requests. How do you set up a page to process those types of requests? How does it work?
I ask because in the near future I will need to integrate this into a project I'm working on. Other sites will send me info that I'll need to process and store in a database. Ideally, I'll probably need something to handle HTTP POST requests and obviously I'll need to know what security measures I'll need to take as well. It also would be nice to know how to fire back a response to the person who's making the request. I also will need to know how to configure user authentication....such as with:
curl_setopt($request, CURLOPT_USERPWD, "Username:Password");
I feel silly asking, but I can't figure out the right search keywords to use to look up this kind of info. Even just a link to a relevant site would be appreciated.
Thanks in advance. You all rock.
All that cURL does is act as a user agent. Any user agent can access a php page.
So to be the site that receives cURL requests (or to have such a page) all you really need to do is create a normal php page that would work as if a user were using it. Whoever is using cURL to make the request will have to know what data you are expecting on your end.
If you want to use CURLOPT_USERPWD for authentication, you have to set up apache (or whatever server you are using) to password protect that page. This can't be done in the php script directly. However, the php script can have it's own form of authentication either instead of or in addition to this authentication. There are millions of ways to do this (openssl for example, or just anticipating a static string depending on how secure you want to be).
This question already has answers here:
Closed 13 years ago.
Possible Duplicate:
HTTP authentication logout via PHP
Hi
I have a some functionality on my website protected using .htaccess and .htpasswd.
When users attempt to access this, they get prompt to enter details. They enter their details and get in and can see stuff etc. All works fine.
My question is how do I create a logout functionality for this type of authentication. I know that they can close the browser window to "Logout". But this is not ideal. What would you suggest to me?
Thanks.
Tested on firefox and chrome. What you can do is send the user to http://logout:logout#example.com. This will replace their current username/password with logout/logout (it could be any invalid user/pass combination) and since they now have the wrong username/password, they will have to login again to access the site.
On opera this does not work, because you can have several usernames/passwords at the same time. It didn't work on IE either, because IE does not appear to support http://username:password#example.com URLs.
Browsers usually don't support this, see How do I log out?
Since browsers first started
implementing basic authentication,
website administrators have wanted to
know how to let the user log out.
Since the browser caches the username
and password with the authentication
realm, as described earlier in this
tutorial, this is not a function of
the server configuration, but is a
question of getting the browser to
forget the credential information, so
that the next time the resource is
requested, the username and password
must be supplied again. There are
numerous situations in which this is
desirable, such as when using a
browser in a public location, and not
wishing to leave the browser logged
in, so that the next person can get
into your bank account.
However, although this is perhaps the
most frequently asked question about
basic authentication, thus far none of
the major browser manufacturers have
seen this as being a desirable feature
to put into their products.
Consequently, the answer to this
question is, you can't. Sorry.
There are browser extensions that allow you to clear the HTTP authentication for a site.
For Firefox the WebDeveloper extension (which is one of my favourtie extensions anyway) offers this feature.
The menu for this is Miscellaneous/Clear Private Data/HTTP Authentication.
I ran into this issue several years ago. It is incredibly frustrating to discover there is a problem everyone is having and no one seems to want to solve in a general way.
As noted in Inadequate Logout functionality in HTTP Authentication I think the answer is to change the RFC to allow timeouts and support a log out button. The author's additional suggestion that the server be able to send a "log out" header would actually eliminate the need for any client user agent support since websites could simply include a link on a web page to a URL that returns the necessary response code and/or header to invalidate the current session.
It IS kind of possible to log out. You should implement logout page, which will return HTTP 401, until the user enter BAD login information, and then redirect somewhere else. Browser remembers the latest login information accepted, and therefore overrides correct login.
But this is kinda unusable, cos it needs user's cooperation.