I have 2 script. That's :
registration.html
process_registration.php
Sometimes someone open the link direct into process_registration.php, so how can I prevent that ?
Process_registration.php function is to save the data get from input from registration.html.
Any idea ?
You can use :
if (!isset($_POST['field'])) {
die();
}
at the top of your process_registration.php file.
Of course, replace field by one of your existing fields in your form.
If you're against flooders that does register several accounts using scripts, you may use a captcha field on your registration form, or use protections against crawling.
Just another method:
if (empty($_POST)) {
exit("Direct access not allowed");
}
Just more flexible with the object names. For extra security, you should put this in your form:
<input type="hidden" value="9957374" name="hiddenvalidate" />
and in your script:
if (!isset($_POST['hiddenvalidate']) || $_POST['hiddenvalidate'] != 9957374) {
exit("Direct access not allowed");
}
You can check if the current request is a POST type (if you use a form)
if($_SERVER['REQUEST_METHOD'] == 'POST')
and you can also check if all required variables are set.
You can use $_POST array in process_registration.php for this like :
if(!isset($_POST['yourvariable'])){
//Redirect to registration page
}
You can also use PHP Session for it. If session is not set then redirect user to registration page.
I like the way Joomla handles this issue.
On every php page in Joomla, you will see the following code:
// No direct access
defined('_JEXEC') or die; // it's a config setting
Only the top-level pages have this variable included in them. All other files, if opened directly, close, thereby preventing any accidental misuse/data loss.
Related
I have index.php that include pages like
<?php
define('MyConst', TRUE);
include_once('template/header.php');
if (!empty($_GET['action'])) {
$action = $_GET['action'];
$action = basename($action);
include("template/$action.php");
} else {
include("template/main.php");
}
include_once('template/footer.php');
?>
With in a template directory I have main.php which has link to other pages like page1.php, page2.php.
Goto page 1
Goto page 2
How could I prevent users form accessing pages directly typing "http://mydomain.com/?action=page1" on the URL? And redirect them to main.php if they have done it?
You can not. What you want is simply not possible.
For the server side there is no way to know whether an URL is typed or clicked.
If I understand correctly, the thing you want is to prevent the user to access http://example.org/?action=page1 unless they came from http://example.org/?action=main. To do that, you must be able to detect whether they came from http://example.org/?action=main. The safest way to do that is to generate some random value that you associate to the users when they access http://example.org/?action=main and to check whether there is a correct value associated to the users when they want to access http://example.org/?action=page1. If not, they tried to access that page directly.
Check for HTTP_REFERER and if it is not pointing to right values (like your meny page) then redirect user.
Maybe you can try this, On your index.php :
session_start();
if(! isset($_GET['action']))
{
$_SESSION['pageAccess'] = true; # Set the key whatever you want
}
then under that script (we need that session_start() used twice) :
if(isset($_GET['action']))
{
if(! isset($_SESSION['pageAccess']) || ! $_SESSION['pageAccess'])
exit('There is no direct access allowed.');
}
Hope this help, have a nice day.
As per your Question:
There are two approaches that you can follow:
Use HTTP_REFFRER and check on desired page if User is coming from the page u wanted. IF he is accessing the direct URL then show him error page.
Use $_SESSION but this approach can be harmful as SESSION will always be there untill browser / instance closed.
So better to go for 1st approach.
And also as per Pehaa, you can not check id URL is typed
This question already has answers here:
CSRF (Cross-site request forgery) attack example and prevention in PHP
(4 answers)
Closed 9 years ago.
I have a form.php wich action call sql.php file like:
SQL.PHP
if ($_REQUEST['action'] == "add") {
}
if ($_REQUEST['action'] == "edit") {
}
I'm like to prevent direct access, because user can call from browser url: http://sql.php?action=add
One way is check if a submit. Seem work well.
if( isset($_POST['Submit']) && ($_POST['Submit'] == "Submit") )
{
echo "direct access not allowed";
}
There is better alternatives?
Use the $_SERVER['HTTP_REFERER'] array to detect if someone is accessing your page directly by typing in it into the browser, or comming from another one of your pages, by a use of links from a page.
So, basically.
if($_SERVER['HTTP_REFERER'] == 'about.php'){
//let user do something
}
So, the $_SERVER['HTTP_REFERER'] global stores information of the pages you visit, and if you place echo that code, in your page, it will tell you from which page your are comming from. meaning, that if you only typed the page and access it, it will give 0/false value.
So, you can use it to detect if someone is directly typing the page or comming from one of your pages.
As others have indicated already, using tokens, and sessions would be a better idea since this method can be manipulated. So, I recommend you google them out
It should be if(!isset($_POST['Submit']) . Also if you use method="POST", it does not throw your parameters like ?action=add at the browser. method="GET" does it.
I need to create a landing page that's dynamic to information picked up by a form that executes a php script.
Person submits form > PHP Code sends me an email > PHP code that displays information
I have a hidden input in every form that identifies what form it is, and depending on what the value or "identification" of the form a specific code on the php is executed using a switch and I thought that maybe I could use that same identifier to execute another switch on the page after that. My problem is I don't know how to carry that value or identifier from one php to the other.
So just to reiterate, I want to know how to move or copy variables from one php to another, after mail() is executed.
Im using $request to get those variables
Keep this source form identifier and render it into your new form identifier field. It will deliver the response form with same identifier
after you do your Mail() thing, call a function that runs whatever you want.
If the classes or functions you want to run are not available you must include or require them.
I'm not 100% sure about what you are asking for, but due the comments I'll make a try to answer it.
When I create forms I usually have one page with the actual form and another page that handles the data. When the data is handled I simply redirect the user back to the form and then give them feedback.
The reasons I'm using two separate pages are the following:
I like to keep the code for the form and the handler separated.
Users can't accidently submit the form again by refreshing the page.
The same handler can be used by eventual Ajax and uphold progressive enhancement.
An extremely simplified example below.
form.php:
<?php
//Start session
session_start();
//If the session variable has been set
if($_SESSION['remember'])
{
## DISPLAY FEEDBACK ##
}
else
{
## DISPLAY FORM ##
}
//Delete the session variable
unset($_SESSION['remember']);
?>
req.form.php
<?php
//Start session
session_start();
//If a form has been submited
if(isset($_POST['submit']))
{
## HANDLE THE DATA ##
//Set a session variable
$_SESSION['remember'] = true;
//Redirect the user back to the form
header('Location: /form.php');
exit;
}
?>
I have several forms brought in via jQuery .ajax funciton. In the parent page I start a session like this
<php
session_start();
$_SESSION['authenticated'] = 'yes';
?>
then in the form that is loaded have a check like this:
<?php
session_start();
if($_SESSION['authenticated'] != 'yes') {
header("Location: http://www.google.com");
}
?>
I know its not the best, but it's an attempt to stop people form accessing the forms directly. The problem is that if you go to the parent page, then you can enter the form URL and get there because the session was started when you hit the parent page. How can I destroy the session or remedy this issue?
Effectively, you can't.
To make it more complicated, don't request the form URLs directly. Try to request authorize tokens per request of the main page:
If you generate the main page and you know the form to be requested beforehand, then generate tokens e.g. using md5(time().rnd()), associate each with one you your forms and save the association in your session
Then, your JS code won't request the form URLs, but a factory script using a token injected into the JS code
If you find the token in your saved association in your session, emit the form and delete the token in your session.
This way, each form can only be requested once by one preceding call of the main page.
Note, that this isn't fully safe too: If a user requests the URL of the main page using wget, he can request each form once.
You can check $_SERVER['HTTP_REFERER'] in your form .php code to see where the request is coming from. An AJAX call will set the HTTP_REFERER to the page it is called from.
if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) === false) {
die();
}
It's not a bulletproof solution. Any page that is publicly accessible can be retrieved by an automated script.
I have several pages inside an AJAX directory. I don't want these pages accessible directly so you cannot just type in the URL of the page within the AJAX directory and access it. I "solved" this by using a PHP session on the page that calls it as follows:
Main page:
<?php
session_start();
$_SESSION['download']='ok';
?>
and on the ajax page I have this:
<?php
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;}
?>
The only problem is that if a user goes through the correct process once, the cookie is stored and they can now access the page directly. How do I kill the session once they leave the parent page?
thx
why use session ?
if i understood what you want:
<?php /// Is ajax request var ?
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH'])=="xmlhttprequest") {
// do your ajax code
} else {
// redirect user to index.php since we do not allow direct script access, unless its ajax called
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit();
}
} ?>
A really simple solution is to open up each of the files you want to protect from direct URL entry & add the following to the top:
<?php if (isset($_GET['ajax']) != true) die();?>
Now get rid of your redirect script since it's useless now. You don't need to use sessions for this. Every time you request a page, use it's direct URL, just add ?ajax=1 to the end of it.
By adding the ?ajax=1, PHP will set a key of 'ajax' to the $_GET global variable with the value of 1. If ?ajax=1 is omitted from the URL then PHP will not set a key of 'ajax' in $_GET and thus when you check if it's set with isset() it will return false, thus the script will die and not output anything. Essentially the page will only output data if ?ajax=1 is at the end of the URL.
Someone could still "spoof" the URL and add '?ajax=1' themselves, but that is not the default behavior for people or web browsers. If you absolutely need to prevent this then it will be much more complicated, e.g. using templates outside of a publicly available folder. Most other "simple" solutions will have the same "spoofing" potential.
There's really no way to accomplish this with a 100% certainty - the problem is, both AJAX and regular web browser calls to your web site are using the same underlying protocol: HTTP. If the integrity and security of your site depends on keeping HTTP clients from requesting a specific URL then your design is wrong.
so how do you prevent people from directly accessing files inside certain directories while still letting the site use them??
Create a controller file. Send all AJAX requests to this controller.
ajax-control.php
<?php
$is_ajax = true;
include "ajaxincludes/test.php";
// ... use the ajax classes/functions ...
ajaxincludes/test.php
<?php
if (!isset($is_ajax) || !$is_ajax)) {
exit("Hey you're not AJAX!");
}
// ... continue with internal ajax logic ...
If clients try to access the file directly at http://mysite/ajaxincludes/test.php they'll get the error message. Accessing http://mysite/ajax-control.php will include the desired file.
I don't think there is a surefire way to do what you are asking, since HTTP request headers can be faked. However, you can use $_SERVER['HTTP_REFERER'] to see if the request appears to be coming from another page on your site.
If the rest of the security on your site is good, the failure of this method would not grant the user access to anything they were not already able to access.
I've never tried this but maybe you could do something with jQuery's .unload() and then call a PHP page to unset() the session.
Why not (on Ajax page):
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;
}
// do whatever you want with "access granted" user
// remove the download flag for this session
unset($_SESSION["download"]);