How to deny direct access by url?
Hi, my problem is that I have a lot of PHP pages that need to be called by other specified PHP pages to work properly. This means that if someone tries to access these pages directly by typing the URL of these pages, he can do some damage. If I set a session variable that has to be checked on every protected page I can get rid of this problem, but only a little. There are a lot of solutions to crack my system.
Any ideas?
- n00b Saibot
Re: How to deny direct access by url?
evilclone wrote: There are a lot of solutions to crack my system.
There is no point securing an inherently insecure system. This is not the correct way an app should be coded imo...
- feyd
When I want to disallow direct access of a script I use something like this:
Code:
// stop if this file itself is the script that was requested
if($_SERVER['PATH_TRANSLATED'] == __FILE__) {
    die();
}

feyd wrote: when I want to disallow direct access of a script I use something like this:
Code:
if($_SERVER['PATH_TRANSLATED'] == __FILE__) { die(); }
The variable $_SERVER['PATH_TRANSLATED'] gives me nothing in every situation @_@
@n00b Saibot: Yeah, maybe you're right, but I started programming server side 2 weeks ago, so I don't know all the tricks.
- feyd
The translated path may not be getting set by your server.. you can possibly use $_SERVER['SCRIPT_NAME'] with realpath() as an alternate.
I have a solution for you man...
This is an easy way to secure your system...
First, on your page that is calling other pages, use this command..
Make sure to put it at the top of your script; it goes where session commands are set.
Code:
//session variables...
define("X",null);
//your page...
That will define a variable named varname..
Now on your pages you don't want direct access to, put this code.
Make sure this is the FIRST thing that is in the file!!!!
Code:
if(!defined("X")){
    die("Hacking attempt...");//or you could redirect, whatever you want....
}
//your program
This should secure the pages you don't want to be accessed by typing them in the URL without going through another page first.
What it's doing is defining the variable X for only that page...
and it's checking if X is defined... if it's not, well then it kills the script from executing, but if it is defined (going through the right page) then it continues normally...
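
The path comparison feyd describes, together with his SCRIPT_NAME and realpath() fallback for servers that leave PATH_TRANSLATED unset, as an added example that is not code from any poster in this thread. The helper name is_direct_request() is hypothetical, the use of SCRIPT_FILENAME and DOCUMENT_ROOT is an assumption beyond what the thread mentions, and the sample $_SERVER arrays are constructed.

```php
<?php
// Added example (not from the thread). is_direct_request() is a hypothetical
// helper; $server stands in for $_SERVER so the check can be exercised offline.

function is_direct_request(string $file, array $server): bool
{
    $target = realpath($file);
    if ($target === false) {
        return false; // file does not exist, nothing to compare against
    }

    // Candidate filesystem paths of the script the web server was asked to run.
    $candidates = [];
    foreach (['PATH_TRANSLATED', 'SCRIPT_FILENAME'] as $key) {
        if (!empty($server[$key])) {
            $candidates[] = $server[$key];
        }
    }
    // feyd's fallback: map the URL path in SCRIPT_NAME onto the document root.
    if (!empty($server['DOCUMENT_ROOT']) && !empty($server['SCRIPT_NAME'])) {
        $candidates[] = rtrim($server['DOCUMENT_ROOT'], '/\\') . $server['SCRIPT_NAME'];
    }

    foreach ($candidates as $path) {
        // realpath() resolves symlinks and ../ so both sides are comparable.
        if (realpath($path) === $target) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: this file plays the role of the protected include.
$root = __DIR__;
$self = '/' . basename(__FILE__);

// Requested by URL, with PATH_TRANSLATED unset as in evilclone's setup.
$direct = ['DOCUMENT_ROOT' => $root, 'SCRIPT_NAME' => $self];
// Reached through another page (a constructed /index.php) that includes it.
$included = ['DOCUMENT_ROOT' => $root, 'SCRIPT_NAME' => '/index.php',
             'SCRIPT_FILENAME' => $root . '/index.php'];

var_dump(is_direct_request(__FILE__, $direct));
var_dump(is_direct_request(__FILE__, $included));

// At the top of a protected file the guard would read:
// if (is_direct_request(__FILE__, $_SERVER)) { http_response_code(403); exit; }
```

Files that are only ever included can also be stored outside the web server's document root, in which case no URL maps to them at all.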