Non-Executable URL
Posted: Fri Mar 26, 2010 3:06 pm
by asterix299
Hello,
I have a few pages that load another php page into divs dynamically through AJAX. The script makes a call to a php file (fetch.php) that includes the page that the script requested. I would like to make it so that these pages can ONLY be loaded by fetch.php, not by themselves by typing in their URL.
So say I have the file "example.php," I want to make it so it can only be executed if included by fetch.php, not by typing in "example.com/example.php."
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 3:31 pm
by AbraCadaver
Often times people do it like this:
fetch.php
Code:
<?php
define('FETCHING', true); // marker constant, only set when the request comes in through fetch.php
// include stuff
example.php
Code:
<?php
if (!defined('FETCHING')) { die(); } // stop if requested directly instead of being included by fetch.php
// whatever stuff
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 3:34 pm
by asterix299
Ah good deal. For some reason I always get into such complex problems and forget there are simple solutions. Thanks.
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 8:36 pm
by Alkis
I am actually curious as to how declaring a constant, even on either side, ensures that the JavaScript requesting the php file will be the only one allowed to do so.
Or is there something that I don't get?
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 8:41 pm
by John Cartwright
Including a file that has a defined constant, and checking for the existence of the constant, will make the file not directly executable. The best approach to removing public access to this file is to put it outside your webroot and include it as you are currently doing.
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 8:52 pm
by Alkis
But if you are using JavaScript to call a php file (it is Ajax, right?), you have to have a php file that will be publicly accessible from the js call, otherwise JavaScript cannot communicate with it.
Unless you mean something else.
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 9:15 pm
by John Cartwright
Alkis wrote: But if you are using JavaScript to call a php file (it is Ajax, right?), you have to have a php file that will be publicly accessible from the js call, otherwise JavaScript cannot communicate with it.
Right. I was saying that files you do not want public should be placed outside the document root.
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 10:30 pm
by AbraCadaver
Alkis wrote: I am actually curious as to how declaring a constant, even on either side, ensures that the JavaScript requesting the php file will be the only one allowed to do so.
Or is there something that I don't get?
The poster didn't ask about how to restrict only the javascript from calling the page. They asked how to make sure that example.php, etc. could only be called from fetch.php, though they mentioned that they were using some ajax in the mix.
Re: Non-Executable URL
Posted: Fri Mar 26, 2010 10:59 pm
by asterix299
AbraCadaver wrote: Alkis wrote: I am actually curious as to how declaring a constant, even on either side, ensures that the JavaScript requesting the php file will be the only one allowed to do so.
Or is there something that I don't get?
The poster didn't ask about how to restrict only the javascript from calling the page. They asked how to make sure that example.php, etc. could only be called from fetch.php, though they mentioned that they were using some ajax in the mix.
Correct. The javascript accesses fetch.php, therefore it never needs to communicate directly with the file.
As for the outside web root idea, I think the constant idea is actually better. I changed the behavior from the suggestion to use header() to relocate the user to a 404 page. Thus the illusion of a non-existing file, and I don't have to scatter files outside my webroot.
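Added example, not code from any poster in this thread: a fetch.php that combines the guard constant, the outside-webroot placement and the 404 response discussed above, and resolves the requested page through an allowlist so the request never supplies a file path. The `../partials` directory, the `page` parameter and the `news` entry are assumptions made for illustration.

```php
<?php
// fetch.php (added example): the only publicly reachable entry point.
declare(strict_types=1);

// Guard constant that every partial checks before doing anything.
define('FETCHING', true);

// Assumption: partials live in ../partials, one level above the document root.
const PARTIAL_DIR = __DIR__ . '/../partials';

// Allowlist: request key => file name. Keys and files here are hypothetical.
const PAGES = [
    'example' => 'example.php',
    'news'    => 'news.php',
];

// Returns the absolute path of an allowed partial, or null if not allowed.
function resolve_partial(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null; // unknown key: treated as "not found"
    }
    $base = realpath(PARTIAL_DIR);
    $path = realpath(PARTIAL_DIR . '/' . PAGES[$key]);
    // realpath() returns false for a missing file; also confirm that the
    // resolved file still sits inside the partials directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$key = $_GET['page'] ?? '';
$partial = is_string($key) ? resolve_partial($key) : null;

if ($partial === null) {
    http_response_code(404); // same answer for "unknown" and "missing"
    exit;
}
require $partial;

// First line of each partial (e.g. example.php), the guard from the reply
// above, answering with a 404 status instead of an empty page:
//   if (!defined('FETCHING')) { http_response_code(404); exit; }
```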