How can I check whether the user entered the page by clicking on the button and not by copy-pasting the URL?
For example, if a user has clicked on Register, I want him/her to go to that page only by clicking the Register button and not by copy-pasting the link.
Also, is it good practice to show the page name in the address bar, or should I hide the page? If I am hiding the page, will I be able to do that?
For example, localhost/projname/register.php. I don't want people to see register or login or about or anything in the address bar except localhost/projname.
Maybe check if he used $_POST, something like:
<?php
if($_SERVER['REQUEST_METHOD'] == "POST"){
// do ya thing
}
else
{
?>
<form action="index.php" method="post">
are you sure? <input type="submit" value="yes">
</form>
<?php
}
?>
You can use the HTTP_REFERER entry of the $_SERVER reserved variable to see where the user came from.
if(empty($_SERVER['HTTP_REFERER'])) {
// if we are here, the user copy pasted the url.
}
As for your second question, you can't totally "hide the page" like you're suggesting. The web server must know which page to show, so the browser must know as well.
You can, however, obfuscate the page name. For example, you can call the page "sfhjgdjkfg" so the user won't be able to know that this is the "registering" page. But I think it's really a bad idea; why do you want to hide this in the first place?
One method is to use $_SERVER['HTTP_REFERER'] to verify that they clicked a link from your site, but this method isn't fool-proof as many Firewall and Anti-virus suites will remove the Referrer information.
A better method would be to generate a temporary session token on the pages of your site, and check for that token when the Register page is opened.
If your form uses POST parameters, the browser will pass on some POST data. You could then check
if (empty($_POST)) {
    // didn't click the button, just went straight to the url
} else {
    // did click the button
}
I have a simple controller which shows confirmations to be approved. When the user presses the Register button, the confirmation page is shown.
But when users enter the URL as ..../confirmation without registering, the page is shown. I don't want it to be shown without registering.
In ASP.NET MVC4 this can be done with the ChildActionOnly annotation.
Is it possible?
First make sure you have the session started:
<?php session_start(); ?>
OK, this seems to be quite simple: after registration, and before you redirect a user to the confirmation page, do something like this (this is pseudo-code, naturally). Let's say $user->registered() returns TRUE/FALSE as the result of registration, and $user->hasConfirmedRegistration() returns TRUE/FALSE as the result of registration confirmation. So you should do something like:
// this should be in your registration controller/function, i.e. /users/register
if ($user->registered()) {
    $_SESSION['showConfirmation'] = TRUE;
}
Then you should put this at the beginning of your function, to prevent showing your confirmation page to non-registered users.
// This should be in your confirmation controller/function,
// i.e. /users/confirm_registration:
// if the user has not registered, do not show the page
// (empty() also covers the case where the key was never set, without a notice)
if (empty($_SESSION['showConfirmation'])) {
    header('Location: /'); // redirect to main page
    return;
}
// -- enter code that handles storing confirmation, handling $_GET/$_POST etc. --
// then unset the session variable, which is no longer needed
if ($user->hasConfirmedRegistration()) {
    unset($_SESSION['showConfirmation']);
}
I don't fully understand what you're trying to achieve without seeing your code. But it sounds like you don't want someone to be able to access a specific page without performing an action first.
Something like this might help you.
<?php
session_start();
// session_is_registered() was removed in PHP 5.4; check $_SESSION directly
if (!isset($_SESSION['somesessionnamehere'])) {
    header("Location: form.php");
    exit; // stop the script so the protected content is never sent
}
?>
Register a session when the user submits the form, then when they go to that page it checks to see if the session is registered. If it isn't then it redirects to the previous page.
Have a look at this URL for a login based example: http://www.phpeasystep.com/phptu/6.html
As I understand, you need to check, on your confirmation page, that the user has just sent registration data.
For example, if you have an input field named "login" in your form, you can check the presence and value of "login" in either $_REQUEST, $_POST or $_GET, depending on your form "method" attribute. If it's not there, the form has not been posted and you can assume that the user just entered the URL. You can redirect him to the login page.
<form method="post" action="/confirmation">
<input type="text" name="login" />
[...]
<input type="submit" />
</form>
<?php
if (!isset($_POST["login"])) {
// redirect
header("HTTP/1.0 302 Found");
header("Location: /login");
return;
}
// show confirmation
// [...]
I would like to add a sesame and verify it when the user comes to the action page, for example:
if (isset($_POST["contact-us"])) {
    // some code
} elseif (isset($_POST["site-feedback"])) {
    // some code
} else {
    get_error('form');
}
My current thought is to add $_SESSION["SESAMEOPEN"]["contact-us"]='uniquesalt' for, say, contact-us.php; then the form sends to the action page to verify.
The problem I faced is: for instance, if the user opens another page while visiting contact-us.php, the user can still reach the action page by manipulating an input type="submit" name="contact-us". The method of checking the redirect page seems to be spoofable too.
What's the mainstream way of verifying the action page? What I want is that the user can only reach action.php from the specific form.php.
I have a link on the page that opens a contact form in a modal window.
How can I verify that the user clicked on the link to access the contact form, and did not go to the page directly? I don't want users or bots inadvertently browsing to that page.
Thanks in advance!
You can check for $_SERVER['X_HTTP_REQUESTED_WITH'] header, which will be xmlhttprequest whenever it's an ajax request
You can use the referral URL (you can access this URL in PHP using $_SERVER["HTTP_REFERER"]) but you can't rely on it. First because it can be changed using a very simple script and second because that field is not always filled.
Another method is to use the session to store the last visited page and then check this in your contact page. Anyway, this method will also fail if the user sees another page before accessing the contact form but the page you want the users to start with was already loaded.
You can send a variable with it like
Contact Me
and in the modal test whether it is set or not
if (isset($_GET['co'])):
    // show the form
else:
    // redirect
endif;
or you can use jQuery to select that link and send a variable posted with it like
Contact Me
$('.contact').click(function () {
    $.post('contact.php', { direct: 'no' }, function () {
        // call modal from here
    });
});
then test if direct = no
// isset() first, so a direct visit without the field does not raise a notice
if (isset($_POST['direct']) && $_POST['direct'] == 'no'):
    // show the form
else:
    // redirect
endif;
and the jQuery solution is more reliable
Sorry I was wrong
Have a form with a hidden field that contains a token, and validate that token with the session on postback.
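A worked version of the hidden-field token this answer (and the earlier "temporary session token" answer) describes, added here as an example that is not from any answer on the page; the file name contact.php, the form name 'contact-us' and the 15-minute lifetime are assumptions:

```php
<?php
// Added example (not from any answer on this page): a per-form token kept in
// the session and echoed back in a hidden field. contact.php renders the form
// on GET and checks the token on POST; the form name 'contact-us' is assumed.
session_start();

// Issue a fresh, unguessable token for one named form.
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Check a submitted token against the session copy. The token is single-use:
// it is removed whether or not the check succeeds, so a replayed POST fails.
function verify_form_token(string $form, string $submitted, int $maxAge = 900): bool
{
    $stored = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]);
    if ($stored === null) {
        return false;                                   // never issued
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;                                   // issued too long ago
    }
    return hash_equals($stored['value'], $submitted);   // constant-time compare
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = $_POST['form_token'] ?? null;
    // Reached without going through the form, or with a stale/forged token.
    if (!is_string($submitted) || !verify_form_token('contact-us', $submitted)) {
        header('Location: contact.php');
        exit;
    }
    echo 'Thanks, your message was received.';          // handle the submission here
    exit;
}

// GET: render the form with the hidden token field.
$token = htmlspecialchars(issue_form_token('contact-us'), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="contact.php">'
   . '<input type="hidden" name="form_token" value="' . $token . '">'
   . '<textarea name="message"></textarea>'
   . '<input type="submit" name="contact-us" value="Send">'
   . '</form>';
```

Because the token lives only in the visitor's own session, a submit button copied onto another page, or a URL typed by hand, arrives without a matching token and is bounced back to the form.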
So what I would like to do is have a link on an external website (example: externalsite.com) that will go to mywebsite.com/page.php, and I need to make it so ONLY clicking on the link from externalsite.com will allow you to access mywebsite.com/page.php.
The user cannot simply type it in their browser to get there, how would I go about doing this?
There's not a way to do this in a 100% secure manner. The browser typically sends a Referrer header with each request specifying where the user came from, but this is easily faked.
If possible, I would suggest having the externalsite.com issue a request to an authenticated web service on mywebsite.com for a token which is appended to the link with a reasonably short expiry time (long enough to allow the user to click on the link, but not so long that it can be shared around). Then, when the page on mywebsite.com loads, it should check for a valid token.
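The signed, short-lived link token this answer suggests, added here as an example that is not the answerer's code; the shared secret, the 120-second lifetime, the token layout and the check in page.php are all assumptions:

```php
<?php
// Added example, not from the answer above: a short-lived, HMAC-signed link
// token that mywebsite.com can verify with no session or referrer. Assumed:
// externalsite.com fetches the token from an authenticated endpoint on
// mywebsite.com that calls make_link_token(); LINK_SECRET is a placeholder.
const LINK_SECRET = 'replace-with-a-long-random-secret';

// Token layout: "<expires_unix>.<nonce>.<hmac>", HMAC over the first two parts.
function make_link_token(string $secret, int $ttl = 120, ?int $now = null): string
{
    $now     = $now ?? time();
    $payload = ($now + $ttl) . '.' . bin2hex(random_bytes(8));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function verify_link_token(string $secret, string $token, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;                                   // malformed
    }
    [$expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;                                   // expired or bad timestamp
    }
    $expected = hash_hmac('sha256', $expires . '.' . $nonce, $secret);
    return hash_equals($expected, $mac);                // constant-time compare
}

// externalsite.com side: the link it renders, token obtained from mywebsite.com.
$link = 'https://mywebsite.com/page.php?t=' . urlencode(make_link_token(LINK_SECRET));

// mywebsite.com/page.php: refuse anything without a fresh, correctly signed token.
$t = $_GET['t'] ?? null;
if (!is_string($t) || !verify_link_token(LINK_SECRET, $t)) {
    http_response_code(403);
    exit('Sorry, you cannot access this page.');
}
```

Only the expiry is checked here, so a token can be reused until it expires; recording consumed nonces on mywebsite.com is what makes it single-use.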
Given that no method is 100% secure, I'll show you a very easy, overtly insecure method that will work in any framework because it's pure JavaScript. Keep in mind that this is designed to work only as a general rule and is in no way "hacker proof".
Simply add this script to your mywebsite.com/page.php. It will redirect any request that isn't referred by a page on externalsite.com.
var referrer = document.referrer;
referrer = referrer.toLowerCase();
// Redirect unless the referrer contains externalsite.com (host or subdomain).
if (referrer.indexOf("/externalsite.com") == -1 && referrer.indexOf(".externalsite.com") == -1) {
    window.location.href = "http://mysite.com/accessdenied.php";
} else {
    document.getElementById("myBody").style.display = "block";
}
To get around the whole "if you disable JavaScript, this doesn't work, you idiot" dilemma, add id="myBody" style="display: none;" to your page's <body> tag: the page will not be displayed unless JavaScript is enabled and validates the referring URL. Also, I'm not an idiot.
There are several ways to bypass this method: spoof the referring url, use FireBug to remove display: none, view the source of the page and recreate it on your local machine, etc. This method is more of a deterrent than a security feature.
You really can't make it 100% secure, and (probably) definitely not with a link (unless you use JavaScript to submit the form with a link in method 1 below). But there are some ways that might work for you.
Method 1
You could submit a form to the page with a button (and that's it, just the button) and then on the page, check if the correct form was submitted. But this is still not foolproof.
External site:
<form action="http://mywebsite.com/page.php" method="post">
<input type="hidden" name="pagesecuredsdjp91dx9x8yhr4kbbki" />
<input type="submit" value="Click here" />
</form>
Top of page.php:
<?php
// A hidden input with no value attribute submits an empty string, so test for
// the field's presence with isset() rather than its (empty) value.
if (!isset($_POST['pagesecuredsdjp91dx9x8yhr4kbbki'])) {
    die("Sorry, you cannot access this page.");
}
else {
    //continue page
}
?>
I don't think you can just make a link do this.
Method 2
Pass a variable in the URL, but this is not recommended as the user could add it in the URL to get in.
Top of page.php:
<?php
// Test for presence with isset(); an empty value would otherwise always fail.
if (!isset($_GET['securedpageaccess'])) {
    die("Sorry, you cannot access this page");
}
else {
    //continue page
}
?>
External site:
Click here
The random characters in the URL are just something put in there and aren't mandatory.
I recommend using the first method if you use either of them.
I hope this helps.
I've dealt with a system before that provides a link for the partner site; this link is used to generate a new temporary link for the user to be redirected to.
The first link (not the temporary one) can only be accessed by authorized IP addresses. This means only the partner site can use the link.
Newbie here.
Could someone show me an example of the code needed to do the following:
User pushes a button on my web site (there is no information for him to input, and no form, he just clicks on a button). I have found the following code on another post, but don't know if it is correct (I am also getting a syntax error on it):
<form action="php_file.php"><input type="submit" value="Click"></form>
The author of the above code said "Insert your PHP-Code into the file php_file.php and click the button, your file will be opened. Insert header("Location: html_file.html"); at the end of your php-file to get back to the page."
This click of the button needs to instigate the programming to grab the current URL and previous URL and insert them into the mysql database on my server. I have "PHP_SELF" and "HTTP_REFERER", but still need to get the results into mysql.
I would like to do this using only html, PHP and mysql, if possible.
Thanks to everyone for any help!
If your first file happens to be a PHP one, write this HTML form there.
<form action="php_file.php" method="POST">
<input type="hidden" name="previous" value="<?=urlencode($_SERVER['REQUEST_URI'])?>">
<input type="submit" value="Click">
</form>
and then in php_file.php:
<?php
$current = $_SERVER['REQUEST_URI'];
$previous = $_POST['previous'];
Though both variables will contain only a partial URL, without host name, scheme and, possibly, port. It's usually enough, but if you need these absent parts, you'll have to add them manually.
As for writing the info into the database and particular PHP syntax rules, you have to find yourself a tutorial, because this site is devoted to answering questions, not online education nor doing someone's job for free.
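For the database step the answer leaves out, here is an added example (not the answerer's code) of php_file.php storing both URLs with a PDO prepared statement, so a Referer header under the visitor's control can never alter the SQL; the DSN, credentials and clicks table are constructed placeholders:

```php
<?php
// Added example, not from the answer above: php_file.php storing the current and
// previous URL with a PDO prepared statement. DSN, credentials and the table
// below are constructed placeholders:
//   CREATE TABLE clicks (id INT AUTO_INCREMENT PRIMARY KEY,
//     current_url VARCHAR(2048), previous_url VARCHAR(2048), clicked_at DATETIME);
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: html_file.html');      // only the button's POST is accepted
    exit;
}

$current = $_SERVER['REQUEST_URI'];
// Prefer the value the hidden field carried (urlencoded by the form page);
// fall back to the Referer header, which browsers and proxies may omit.
if (isset($_POST['previous']) && is_string($_POST['previous'])) {
    $previous = urldecode($_POST['previous']);
} else {
    $previous = $_SERVER['HTTP_REFERER'] ?? '';
}
// Cap lengths so an oversized header cannot exceed the column size.
$current  = substr($current, 0, 2048);
$previous = substr($previous, 0, 2048);

$pdo = new PDO(
    'mysql:host=localhost;dbname=projname;charset=utf8mb4',   // placeholder DSN
    'dbuser', 'dbpass',                                        // placeholder credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
// Values travel as bound parameters, never concatenated into the query text.
$stmt = $pdo->prepare(
    'INSERT INTO clicks (current_url, previous_url, clicked_at) VALUES (:cur, :prev, NOW())'
);
$stmt->execute([':cur' => $current, ':prev' => $previous]);

header('Location: html_file.html');          // back to the page, as the snippet suggests
exit;
```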
With PHP, you can manage it with a cookie session: first you'll need to start a session and then define the place where you'll store the URL information, e.g. $_SESSION["url"]
session_start();
$_SESSION["url"]=$_SERVER['REQUEST_URI'];
And whenever you want to go to that particular page, add the header:
header('Location: ' . $_SESSION["url"]);
Current:
$currentUrl = $_SERVER["PHP_SELF"];
Previous:
$previousUrl = $_SERVER['HTTP_REFERER'];
Note that some users may have browser preferences set that keep $_SERVER['HTTP_REFERER'] from being set, so it's possible that it would come back empty.