i have a php file named admin.php. It can be accessed by only X.But when i write the url like localhost/full/admin.php it can be viewed.it means if anyone knows the url he can access it.how can i provide security to this file thus it will be accessed.i am just using mysql and run it using localhost
you should look at the user & session management that php provides you. Look at it here. You can define users and its passwords, and authenticate them. This is the simplest method. Good luck
ACL will be more beneficial in the long run.
you could use something like:
if(strpos($_SERVER['HTTP_REFERER'], "https://mysite/a-page-that-sent-u-here") == true)
and then only allow access from a referrer page.
Or set a Session on one page, or even only allow it from your IP:
$_SERVER['REMOTE_ADDR']
Lots of ways
Related
So I have an issue. I have a server, lets call it (testserver.net). Right now, to change the database, from my application, my app runs "testserver.net\add.php". The problem is anyone can run that and change things in my database. How do I make it that needs some sort of verification before running the code in add.php so no one can just have access to my server? (Like a password or something).
create a token : 1MBASFDFACAUYTUG^%(!#UUIASNSR*_-+LASQWFVSA4QWYUI12670
,save this token safely with in your application.
Whenever you want to call the add.php pass the token like :
testserver.net?token=1MBASFDFACAUYTUG^%(!#UUIASNSR*_-+LASQWFVSA4QWYUI12670
add.php
$secret = $_POST['secret']; //use post or get
if($secret != $mySavedSecret){
die('intruder!!')
}
Place you add.php file in separate folder and password protect it, or you may use Password protect a specific URL solution
You need to perform Authentication followed by Authorization. In PHP there are many frameworks which support this.
pls check this for basic authentication
https://book.cakephp.org/2.0/en/tutorials-and-examples/blog-auth-example/auth.html
or you can use popular frameworks and follow their tutorials to perform this.
check this php micro framework Slim
In php cURL usage, what actually is CURLOPT_USERPWD working? I can see in many examples, like:
curl_setopt($ch,CURLOPT_USERPWD,"my_username:my_password");
.. but how to do at the Server Side? What actually are those username and password? Of course since i want to protect my PHP API page at Server Side, is that the best way or what is the best way to protect it please?
Ideally, you would have a separate config class that contained your user name and password. Then you would create a new version of that config class in your file with the cURL commands. Then you would pass the username and password as variables to the cURL commands. The cURL information will not be visible anyway as long as it is not echoed or printed. Even if you just put it in directly it would be hidden, but having it in a config file will allow you to change the values without changing the main page that contains the cURL commands.
I have created simple web service for my website that generates some json based on request, using php, but I want it to be protected so that only I can use it. I mean it should be available for my website only. No one without my permission should be able to use that json on their website.
What is the best method for that in php?
You could try using HTTP_REFERRER header field, but it's easily spoofed and therefore insecure.
How about using PHP sessions?
Set some variable in session in your main page script, then check for its existence when processing API requests; if the variable in session is not set, don't serve the content.
Give OAuth a try, it is widely used for this propose.
Only allow your server's IP to access the service. Or do you mean you're calling it from the browser?
Then you'd have to pass some kind of token to the service, proving that you're authenticated to call it.
Use a cookie to validate, this way you are independent from your ip address.
I have a loginform where users can login with two different accounts - one is a SolarisLDAP account and the other is an Active Directory account.
When the user tries to log in I want to find out which account he uses (which is not the problem).
If he's using the SolarisLDAP account, the authentication is done in PHP.
But if it is an AD account it must be passed to Apache (because I have to use the mod_auth_kerb to authenticate against our AD).
I wonder if this is possible in any way. Could I just set $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], or $_SERVER['REMOTE_USER'], and that's it?
Or would it be a possibility to kinda do it via the headers or a redirect?
Hope you understand what I'm trying to do..
Cheers
I wonder if this is possible in any way.
Unfortunately - no.
Also note that passing whatever variables from PHP to Apache makes no sense in that context.
It is not PHP but browser you want to authenticate with Apache, and, obviously, you have no control of.
This depends on which environment variables apache does set for the request. Do a
var_dump($_SERVER);
to get a list of all available ones. Go through that list and find out which ones are related to the authentication. It's probably something non-standard, this is a general list: http://php.net/_SERVER, compare it with your var_dump output.
Also this might depend on which Server-API (SAPI) you're using with PHPDocs.
I'm not sure how to describe this, but basically I have a PHP class file:
class HelloHello {
public function getSomeData($input_parameter){
// code to retrieve data from the database
}
public function deleteSomeData($input_parameter){
// code to delete data from the database
}
}
This class is on the server and is part of the backend that connects with a database, and it's meant to be accessed by the frontend SWF only (not to be directly accessed). I've setup Flex to read this class and access it. But how do I make sure that someone doesn't develop a script that can call this php file directly and access its methods? For example using a script to add data in a fast automated way, or use the delete method directly, ouch.
Is this a legitimate concern, or this can't be done?
If a user can view it through your flash application, the user can view it with his application. You could go through the [ugly] mess of trying to "secure" your script by introducing cookies and authentication and the like, but thats messy, and of course, it can be gone around.
Instead of trying to stop others from accessing your php file, focus on making it more secure.
If you know the url where swf runs, can't you just in PHP limit the requests to that url? Disregard all other requests.
You can secure your file by adding security and authentication. If you cannot do that (it is a public application) you should implement some techniques which can prevent specific situations: do not allow calling your script too many times per second from the same IP, add CAPTHCA in order to check that the entered data were from a human and not a machine and maybe another ones.
You could also implement a challenge-reponse security system that makes sure the client you use is actually the intended recpipient of the data. That way, you would embed a secret key into the SWF. The PHP app sends a one-time string, the client does something to it according to its secret and then sends the answer back -- which your server can validate and then continue to run.
For some basic mathematical foundations to this, there's quite some documentation online.