
javascript - How to prevent a PHP page from being accessed directly? - Stack Overflow


Below is a javascript snippet that I am using as part of an AJAX script. How do I prevent user_back_end_friends.php from being accessed directly? I don't want people to be able to go to domain/user_back_end_friends.php and see a list of friends.

Javascript Code:

<script type="text/javascript">
    $(document).ready(function() {
        $("#user_friends").tokenInput("/user_back_end_friends.php", {
            theme: "sometheme", userid: "<?php echo $id; ?>"
        });
    });
</script>

This is what I found but not sure how to implement it with the javascript code above:

I use this in the page I need to call it in:

$included=1;include("user_back_end_friends.php");

When I have to prevent direct access I use:

if(!$included){ die("Error"); }

But how do I add this $included part of the script in my javascript code?


asked May 15, 2012 at 1:53 by ariel; edited May 15, 2012 at 3:12 by Nathaniel Ford. 2 comments:
  • I don't see how the include trick is going to work since the jQuery call to user_back_end_friends.php is a fresh one and won't have any variables from the current environment in it. I don't know of a foolproof way of preventing someone from accessing user_back_end_friends.php directly except by checking the origin of the request - should be localhost in this case. – Ansari Commented May 15, 2012 at 2:00
  • possible duplicate of php script prevent direct access – Marc B Commented May 15, 2012 at 2:01

3 Answers


There is no point in protecting JavaScript code; you need to protect only the server-side code.

Anyway, I think your approach is not the right one; if you already have a logged-in user / a user ID, I would just use the user ID from the session instead of a user ID that is supplied by the javascript. That way there is no way anybody can tamper with it.

So you could start your page with:

session_start();
if (isset($_SESSION['user_id']))
{
  // do stuff with the user ID
}
else
{
  // display error message?
}
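As an added example (not code from this answer or from the asker's project), here is what user_back_end_friends.php could look like when the friend list is authorised from the session instead of from the userid value the token-input script sends. The session key user_id, the PDO connection details, the friends and users tables and their columns are assumptions; the q query parameter and the {id, name} result shape are the jQuery tokenInput plugin's defaults.

```php
<?php
// user_back_end_friends.php -- added example. The session key 'user_id',
// the PDO DSN/credentials and the table and column names are assumptions.
session_start();
header('Content-Type: application/json');

// 1. Authentication: the endpoint only answers to a logged-in session.
//    Opening the URL directly without a session yields an error, not data.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'login required']);
    exit;
}

// 2. Authorisation: the user ID comes from the session, never from the
//    request, so the 'userid' the JavaScript sends is simply ignored and a
//    caller cannot read another account's friends by changing it.
$userId = (int) $_SESSION['user_id'];

// 3. Validate the search text tokenInput sends as ?q=... (plugin default).
$q = isset($_GET['q']) ? (string) $_GET['q'] : '';
if (strlen($q) > 50) {
    http_response_code(400);
    echo json_encode(['error' => 'query too long']);
    exit;
}

// 4. Prepared statement, with LIKE wildcards in user input escaped so the
//    search term cannot widen the match beyond a prefix.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [   // assumption
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$like = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $q) . '%';
$stmt = $pdo->prepare(
    "SELECT u.id, u.name
       FROM friends f
       JOIN users u ON u.id = f.friend_id
      WHERE f.user_id = :uid AND u.name LIKE :q ESCAPE '!'
      LIMIT 20"
);
$stmt->execute([':uid' => $userId, ':q' => $like]);

// tokenInput expects a JSON array of {id, name} objects.
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

With this in place the JavaScript from the question can stay as it is; the "direct access" the asker worries about no longer matters, because a visitor who opens the URL sees either a 401 or only their own friends, which they are entitled to see anyway.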

You cannot completely block access to this script by the very nature of the web.

You can check referrer information, validate input, or create a session variable on the parent page that is checked on the child page.

I have done the following. Note that this is NOT the most secure; as other answers have mentioned, you can't completely block access to this script (a link to an easy bypass is provided), but for my simple purposes this worked very well:

define('_REFERURL',              'http://www.example.');            // This is the full URL of your domain that will be calling your PHP script(s)

Then create a function that checks the referring URL (which should be from your domain)

function allow_user()
{
        if ($_SERVER['HTTP_REFERER'] == _REFERURL)
        {
                return true;
        }
        else
        {
                return false;
        }
}

Use:

if (allow_user())
{
     // Do things
}
else
{
     // Alert, direct access attempted
}

Easy bypass: http://www.datatrendsoftware./spoof.html
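An added example, not the answerer's code: the comparison above matches only when the referring page is exactly the site root, so a call made from any sub-page would fail the check. The version below compares just the host component of the Referer, adds the X-Requested-With header jQuery sets on AJAX calls as a second signal, and runs a few constructed requests through it. The host name www.example.com and the sample requests are constructed; both headers are client-supplied, so this classifies casual browsing only and belongs in front of the session check from the first answer, not in place of it.

```php
<?php
// Added example. ALLOWED_HOST and the sample $_SERVER arrays are constructed.
define('ALLOWED_HOST', 'www.example.com');

// Compare only the host part of the Referer: every page on the site passes,
// while a look-alike host such as www.example.com.evil.test does not.
function referer_host_allowed(array $server, string $allowedHost): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false; // browsers may omit Referer; treat absence as not allowed
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

// jQuery sends X-Requested-With: XMLHttpRequest on AJAX calls; a URL typed
// into the address bar carries no such header.
function looks_like_ajax(array $server): bool
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strcasecmp($server['HTTP_X_REQUESTED_WITH'], 'XMLHttpRequest') === 0;
}

// True when the request does not look like the site's own AJAX call. Both
// headers are chosen by the client, so this is a nuisance filter, not
// access control; authorisation still has to come from the session.
function direct_access_suspected(array $server, string $allowedHost): bool
{
    return !(referer_host_allowed($server, $allowedHost) && looks_like_ajax($server));
}

// Constructed requests in the shape $_SERVER would present them.
$cases = [
    'ajax from a sub-page'   => ['HTTP_REFERER'          => 'http://www.example.com/friends.php',
                                 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'typed into address bar' => [],
    'link from another site' => ['HTTP_REFERER'          => 'http://other.example.net/'],
    'look-alike host'        => ['HTTP_REFERER'          => 'http://www.example.com.evil.test/',
                                 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
];
foreach ($cases as $label => $server) {
    printf("%-24s -> %s\n", $label,
        direct_access_suspected($server, ALLOWED_HOST) ? 'blocked' : 'allowed');
}
```

Of the four constructed requests only the first passes both checks; the other three are classified as suspected direct access. Since anyone who can script a request can also set both headers, treat a pass as "looks like our page" and nothing more.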
