prevent direct access to a file

Question

Buppy 0 Junior Poster in Training

13 Years Ago

Hi,

I have a file index.php with script on a link, which opens new window with myfile.php, using JS window.open method. The page itself is based on PHP. What i need to do is to prevent direct access to that JS popup window file. For example, if i press a link in the index.php file like "Press here to open the window", it opens that window with myfile.php inside. If i type it directly - myserver.com/myfile.php, it should display an error or something. With includes it's easy to prevent, however, this is a new window and it does not receive other information than $_GET[] from index.php file, and $_GET[] is easy to surpass.

Thanks

php

4 Contributors
5 Replies
218 Views
2 Days Discussion Span
Latest Post 13 Years Ago Latest Post by Buppy

mschroeder 251 Bestower of Knowledge

13 Years Ago

Speculating here, but you could possibly make it check the referrer. I'm not sure if window.open will pass a referrer though.

charlybones 14 Junior Poster in Training

13 Years Ago

The only way that I've prevented direct access before is by using the session variables.

You have to use session_start(); on your index.php. Then in the file "myfile.php" do a check

if(!isset($_SESSION['username']))
header("Location: index.php");

to redirect to index.php.

I suggest you look online on how to set the session variables for an anonymous user etc.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Buppy 0 Junior Poster in Training · Answer 1 · 2011-02-03T19:27:22+00:00

Buppy 0 Junior Poster in Training

13 Years Ago

Small bump. Anyone has any ideas?

diafol · Answer 2 · 2011-02-04T04:26:46+00:00

Why don't you just have a link set with target="_blank"?

The referrer will then be clear (http://www.mysite.com/index.php).

<?php
if(!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != "http://www.mysite.com/index.php"){
  echo "Smart Alec - what you trying to do?"
}else{
...display page...
}
?>

You may be tempted to just check against index.php, using basename(), but I think that would open the link to easy spoofing. There are ways around HTTP_REFERER anyway - a combination of this with a session variable may be useful. You don't have to have a login system to use sessions though.

Buppy 0 Junior Poster in Training · Answer 3 · 2011-02-04T17:55:11+00:00

Even this is a window.open method, the $_SERVER thing works perfectly.

Thanks