Non-Executable URL
Moderator: General Moderators
-
asterix299
- Forum Newbie
- Posts: 7
- Joined: Sun Jan 03, 2010 9:02 pm
Non-Executable URL
Hello,
I have a few pages that load another php page into divs dynamically through AJAX. The script makes a call to a php file (fetch.php) that includes the page that the script requested. I would like to make it so that these pages can ONLY be loaded by fetch.php, not by themselves by typing in their URL.
So say I have the file "example.php," I want to make it so it can only be executed if included by fetch.php, not by typing in "example.com/example.php."
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: Non-Executable URL
Often times people do it like this:
fetch.php
Code:
    <?php
    define('FETCHING', true);
    //include stuff
example.php
Code:
    <?php
    if(!defined('FETCHING')) { die(); }
    //whatever stuff
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
-
asterix299
- Forum Newbie
- Posts: 7
- Joined: Sun Jan 03, 2010 9:02 pm
Re: Non-Executable URL
Ah good deal. For some reason I always get into such complex problems and forget there are simple solutions. Thanks.
Re: Non-Executable URL
I am actually curious as to how declaring a constant, even on either side, ensures that the JavaScript requesting the php file will be the only one allowed to do so.
Or is there something that I don't get?
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: Non-Executable URL
Including a file that has a defined constant, and checking against the existence of the constant, will make the file not executable directly. The best approach to removing public access to this file is to put it outside your webroot and include it as you are currently doing.
Re: Non-Executable URL
But if you are using JavaScript to call a php file (it is Ajax, right?), you have to have a php file that is publicly accessible from the js call, otherwise JavaScript cannot communicate with it.
Unless you mean something else.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: Non-Executable URL
Alkis wrote: But if you are using JavaScript to call a php file (it is Ajax, right?), you have to have a php file that is publicly accessible from the js call, otherwise JavaScript cannot communicate with it.
Right. I was referring to putting files you do not want public outside the document root.
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: Non-Executable URL
Alkis wrote: I am actually curious as to how declaring a constant, even on either side, ensures that the JavaScript requesting the php file will be the only one allowed to do so. Or is there something that I don't get?
The poster didn't ask about how to restrict only the javascript from calling the page. They asked how to make sure that example.php, etc. could only be called from fetch.php, though they mentioned that they were using some ajax in the mix.
-
asterix299
- Forum Newbie
- Posts: 7
- Joined: Sun Jan 03, 2010 9:02 pm
Re: Non-Executable URL
Alkis wrote: I am actually curious as to how declaring a constant, even on either side, ensures that the JavaScript requesting the php file will be the only one allowed to do so. Or is there something that I don't get?
AbraCadaver wrote: The poster didn't ask about how to restrict only the javascript from calling the page. They asked how to make sure that example.php, etc. could only be called from fetch.php, though they mentioned that they were using some ajax in the mix.
Correct. The javascript accesses fetch.php, therefore it never needs to communicate directly with the file.
As for the outside web root idea, I think the constant idea is actually better. I changed the behavior from the suggestion to use header() to relocate the user to a 404 page. Thus the illusion of a non-existing file, and I don't have to scatter files outside my webroot.
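The approaches discussed in this thread, combined in one script that runs from the PHP command line; this is an added example, not code from any poster. The allowlist goes beyond what the thread covers (fetch.php includes whatever page the request names, so the set of names should be fixed), and PAGES, render(), fetch_page(), the temporary directory and the sample page are all constructed for illustration.

```php
<?php
// Added example, not from the thread. PAGES, render() and fetch_page() are
// hypothetical names; the page file and directory are constructed samples.
declare(strict_types=1);

// Constructed sample page with the thread's guard in its 404 variant.
// `return` replaces die() so this single-file demo keeps running; on a
// direct request a top-level return ends the script in the same way.
$guarded = <<<'PAGE'
<?php
if (!defined('FETCHING')) { http_response_code(404); return; }
echo "example content";
PAGE;

// The temp directory stands in for a directory outside the document root.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/example.php", $guarded);

// Allowlist: requested name => file. The request only ever selects a key,
// so it can never supply the path that gets included.
const PAGES = ['example' => 'example.php'];

function render(string $file): string {
    ob_start();
    include $file;
    return ob_get_clean();
}

function fetch_page(string $name, string $dir): ?string {
    if (!isset(PAGES[$name])) {
        return null;                 // unknown page: the caller answers 404
    }
    defined('FETCHING') || define('FETCHING', true);
    return render($dir . '/' . PAGES[$name]);
}

// 1. Page loaded on its own, constant not yet defined: the guard fires.
var_dump(render("$dir/example.php"));
// 2. Page loaded through the fetch.php logic: constant defined, page renders.
var_dump(fetch_page('example', $dir));
// 3. Name that is not on the allowlist: refused before any include happens.
var_dump(fetch_page('not-a-page', $dir));
```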