Allow data transfer only through AJAX, never direct.

Question

Aeonix 71 Posting Whiz

9 Years Ago

I'd like to create /admin.php page, which would have AJAX request, sent over to /core/adm/index.php, that's easy, basic AJAX request will do just that. But I don't want any direct access to /core/adm/index.php, I want it to be accessed only by AJAX request from /admin.php.

Is there a way to forbid any other access? Answer is not, it's never possible to fully block someone off, while you're connected to internet. But is there a way to make it cost quite some effort? If it will cost 5 minutes of effort and jungling through the code, it will probably block off 90% of people out there.

For example, if I want to make someone pay lots of effort to get my logo. I make <img src="pixel.png" id="thelogo" /> and then in CSS, I would assign base64 based image with background-image:;.

Back to my case, is there a way to make someone take lots of effort to get to /core/adm/index.php any other way? Something that will say "Do not let ANYBODY see any data from you. Except, exclusively from localhost/admin.php's AJAX ONLY $_REQUEST[]."

It's not like page itself contains something that can't be revealed (SESSION's will solve that).

php

Edited 9 Years Ago by Aeonix

3 Contributors
8 Replies
227 Views
14 Hours Discussion Span
Latest Post 9 Years Ago Latest Post by Aeonix

pritaeas 2,194 ¯\_(ツ)_/¯

9 Years Ago

I'd probably choose to allow only POST'ing to the script (die on a GET request), and when rendering the page add a token which needs to be sent in the POST header.

Aeonix commented: Hits the spot. +3

pritaeas 2,194 ¯\_(ツ)_/¯

9 Years Ago

For example:

if (count($_POST) == 0) exit();

Edited 9 Years Ago by pritaeas

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

almostbob 866 Retired: passive income ROCKS · Answer 1 · 2015-08-04T11:35:14+00:00

For example, if I want to make someone pay lots of effort to get my logo. I make <img src="pixel.png" id="thelogo" /> and then in CSS, I would assign base64 based image with background-image:;

everything displayed on the page, is downloaded to the user
nothing in any code prevents that
everything visible is accessible
you don't want it copied, don't put it on the page
the "lots of effort" described above, is about 3 seconds

almostbob 866 Retired: passive income ROCKS · Answer 2 · 2015-08-04T11:40:39+00:00

and jazz up the token, relative to request time, ip, browser etc, so the token becomes one-shot. many security tokens are ineffective

Aeonix 71 Posting Whiz · Answer 3 · 2015-08-04T18:28:13+00:00

the "lots of effort" described above, is about 3 seconds

It takes me solid 20 seconds to do that >:D, but even you have to admit, it takes a couple more clicks than just right-click and "Save Image", it tends to turn people down quite easily, not all of 'em of course, but majority.

I'd probably choose to allow only POST'ing to the script (die on a GET request), and when rendering the page add a token which needs to be sent in the POST header.

Very smart, haven't thought of that. It solves the issue. Just one question, how do I die(); on $_GET[]? Could you shake some small example?

Aeonix 71 Posting Whiz · Answer 4 · 2015-08-04T20:45:49+00:00

facepalm So easy, yet I haven't found it out. Someone call my brain's on holiday, I need it. I knew count(); dammit! Makes me look stupid! Never liked this function anyways.

almostbob 866 Retired: passive income ROCKS · Answer 5 · 2015-08-05T00:11:13+00:00

irfanview, probably any graphic viewer that can use photoshop plugins can view base64 as the original image
View source, copy, paste

Aeonix 71 Posting Whiz · Answer 6 · 2015-08-05T02:03:09+00:00

Yes, because everybody these days knows, that they should open, certain part of this flat text into Ifranview,

url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7);

Like I said, everybody knows how to right-click and download the image.
Not everybody knows that they need to copy the part after , into base64 decoder. That's still some slight layer of protection.

Are we really sitting here discussing about how badly we can't protect the image file?

Of course everybody still can access it, but I can also put heavy safe on the street with millions in it, it's way better than having all this cash lying just on the ground. Even though entire safe can be stolen, it takes effort, time and basic knowledge. Making it some kind of protection measurement. Better than having it lying on the ground, where everybody can easily take it.

I hadn't considered how many DON'T know (not as crooked as me?), I spend too much time surrounded by plagiarists. Kudos simple, is good