I have three pages:
index.html
getjavascript.php?id=index
index.js
index.html includes the script
'getjavascript.php?id=index'
and getjavascript dynamically gets the script index.js.
Is there any way to prevent external users from directly accessing
getjavascript.php
using PHP?
index.js is in a hidden location.
Thanks,
I'm assuming that index.html contains an include similar to the snippet below (assumption is that we're doing a client-side pull of this javascript).
<script type="text/JavaScript" src="getjavascript.php?id=index" />
If your intent is to hide secrets within the javascript file, there is no way of stopping a user from retrieving the contents. They can trivially use developer tools to view the contents. Furthermore, because the browser needs to download the file, there's not really a way to distinguish between a user accessing directly versus a browser retrieving this file.
If your intent is to obfuscate the fact that your server is using PHP, you can use mod_rewrite to remove the extension.
Server side includes are a different story and modifications to .htaccess or moving this file outside of your webroot directory would work.
It's possible by using htaccess.
Redirect /getjavascript.php http://example.com/newdirectory/
Now I see two ways to solve your problem
Using Apache RewriteRule directive. This way will allow you to hide real URL name in your html file
Try to use additional parameter in getjavascript.php that detect that if this url called directly from browser (not from html form or link).
Put the include script outside of the document root. For example, if you have your root in public_html, create a folder outside public_html to put your included files in. That way, your script can read them but random people on the internet can't.
Related
I'm using the code in Tom's response here. However I have a script that automatically generates .html files into my public_html folder. These files are then loaded by my .php file, which looks something like this:
<?php
require('./access.php');
include('./secret_information.html');
?>
However the "secret_information.html" file is viewable by anyone without the password. I am running an Apache web server. As I understand, all html code / images to be used on a website need to be in the public_html folder. So how can I hide this information? Do I need to setup my automated scripts to generate .php files rather than .html or is there another solution?
include can access any file, as long as it is accessible by the web server.
So you can put secret_information.html anywhere in the file system, preferably outside of the document root or public_html.
If you must keep the file inside your publicly accessible web for some reason, you may use Apache's Authentication and Authorization facility.
I am attempting to create a script in PHP which reads and includes all files from a directory which is above the domain name directory.
For example:
My domain name is example.com and located in /var/www/html/example.com/ and I want /var/www/html/example.com/file.php to be able to read from:
/var/www/html/videos/video1/ which contains index.html and the folders:
/var/www/html/videos/video1/images/ and /var/www/html/videos/video1/scripts/
e.g. www.example.com/file.php?dir=/var/www/html/videos/video1/index.html
If I use include (/var/www/html/videos/video1/index.html) it will only call the html file, which is done perfectly. However all the files in images folder and the scripts folders are not able to load.
I don't want to copy or call each file separately. I want to be able to only need to call index.html and then make the browser think it's in that directory and automatically read any file within there.
I know this works because Moodle uses this method (in file.php) to protect learning files by storing them in a moodledata folder which is one level above the public folder.
I've had a look but cannot make sense of it and I've searched the Internet to achieve the method I have explained above but have not had any success.
The reason I want to do this is to avoid having duplicate video files on the server for other sites that are hosted on the same server.
Many thanks in advance and for taking the time to assist.
$dir = realpath(dirname(__FILE__)."/../");
This would be the directory you are looking for. Require files relative to that.
To output a different file look at readfile which outputs straight to the buffer or perhaps use file_get_contents which can be held in a variable.
See if you can load an image in the browser directly, if you can it's probably a problem with your code, if you can't it may be a rights issue.
They have some php code within (if, endif, variables), but essentially they are html files.
Do you think is a good idea to use the .html extension and prevent direct access to them trough .htaccess, so the php code is not visible to anyone ?
Is it safe?
can you test the script?
As far as I know the PHP is just server-side so after the server "do its thing" it doesn't show on the users computer (when he tries to see the source code).
Javascript and HTML are displayed but not the php.
I have used the .htaccess file to block some other files in the folder such as the DB credentials and such that I had named .inc (for include). If you block the html with the htaccess noone is going to be able to see the webpage.
I hope I understood it right! (And clarified it as well)
Just have an .htaccess with deny from all in the views folder... ;p
Tho if you have files like images or css that you want loaded from that theme folder then by all means rename the view to .php and put as this on the first line:
if (!defined("RUN")){die('No direct access');}
Obviously define('RUN',true); in your config.
I want to deny visitors access to pages but still use the pages. How can I:
~ Make a page unviewable but allow it to process ajax requests.
~ Make a PHP file unviewable but include it in scripts.
It seems I need htaccess. I tried using it but it stopped me from using the file as an include.
For the ajax only thing, it seems I can use this in the ajax-only page:
<?php
$AJAX = (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
$_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest');
if ($AJAX){
// echo ajax code.
}
?>
Is this reliable?
TAGS: only via ajax
One way to accomplish your second question about making it so a script is available for server-side inclusion and usage but not accessible from a client is to add this to an .htaccess file in the folder containing the scripts you wish to protect in this way:
deny from all
Try browsing to the script now and you should not be able to get to it. This works for the entire directory the .htaccess file is placed in.
Another way of 'shielding' the php file from access by clients through the web server like this is by placing the php files in a directory outside your wwwroot/public_html.
In your PHP config you'll have to add this dir to your include-search path, or simply include it via the correct relative path, or by using absolute paths.
For example, if you have root_containing_folder/wwwroot/index.php and root_containing_folder/app/core.php, in index.php you could have
require_once('../app/core.php');
and core would be included, but a browser could never get to core.php on its own. (If they could, it would have to be through a URL like www.facing-site.com/../app/core.php -- which your web server should never allow!)
You can't do those things: when an script makes an AJAX request, it's the user's browser that sends the request. If you want client-side scripts to see your content, browsers must be able to see it.
You can apply some security-through-obscurity, for example by putting some kind of auth token in the script. This won't give you much protection, as all a user has to do is read the JS to get the token, but it will stop casual visitors from poking around. Your 'if XHR' is effectively doing this - a browser won't normally send that header if the address is put in the address bar, but a user can easily get the same effect outside of your AJAX code.
Assuming you have only the URL to a file (hosted on the same server as the app) that has been rewritten via mod_rewrite rules.
How would you read the contents of that file with PHP without having direct access to a .htaccess file or the rewrite rules used to building the original URL?
I'm trying to extract all the script tags that have the "src" attribute set, retrieve the contents of the target file, merge all of them into one big javascript file, minify it and then serve that one instead.
The problem is that reading all of the files via file_get_contents seems to slow the page down, so I was looking at alternatives and if I would be able to somehow read the files directly from the file system without having to generate other requests in the background, but to do this, I would have to find out the path to the files and some are accessed via URLs that have been rewritten.
You can't include it as if it were the original PHP, only get the results of the PHP's execution itself.
If you've got fopen wrappers on, this is as easy as using require, include or file_get_contents on the rewritten URL. Otherwise you have fsockopen and curl as options to create the HTTP request for the result.
As you cannot say how the request would be handled, the only possible solution is to send a HTTP request to that server. But that would only get you the output of that file/script.
PHP lays behind apache and has file access on file-system level using fopen-like or include-like etc... functions. Rewrite module won't work for this access, because these functions use OS file access routines but not apache.
There's no way to do this, but implementing in php-script the same rules of URL-rewriting as you have in .htaccess, because apache-rewriting and php file access know nothing about each other and are on comletely different layers of web-application.
AFTER EDIT: The only way - imlement your rewrite rules in php script and use file system php access after parsing the URLs via php (not rewrite module).