PHP - How To Prevent Direct Access To The File Called Via Ajax?
I use jQuery when adding messages. However, the file can be called directly. For example: includes/add_comment.php?id=2

So, I can make a form and call this file directly to add a message. ID is the user id, and the form can be submitted from an HTML form wherever it is located. How do I prevent direct access to the file when it is called through Ajax?

Similar Tutorials

A shipping vendor (like Stamps.Com) provides me with a Printable Shipping Label to display on my website for Visitors to print.
When Visitors come to my page, my PHP code:

$Shipping_Label_Data = $LabelVendor->data[0]->contents; // vendor's API
echo '<img src="/Label-Directory/'.$Order_Number.'.png" />';

Later I realized the security flaw: any snooper can fish for other Visitors' labels in my Label directory. What is the best way to prevent the display of other people's labels? Thank you!!

I am using the debug_backtrace() PHP function to prevent direct access to admin files.
I simply place the code below at the top of a page, e.g. config.php, and direct access via the browser is prevented.
Is it a safe practice, or is there a better way of doing it?

<?php debug_backtrace() || die ("Direct access to this resource is forbidden"); ?>

Thanks

I want to perform a PHP process initiated by AJAX according to the method described in http://www.w3schools.com/PHP/php_ajax_database.asp. With this line

xmlhttp.open("GET","getuser.php?q="+str,true);

the PHP process in getuser.php is initiated. But how can I restrict direct access to getuser.php? If someone visits getuser.php?q=something, the process will be started for "something". I want to run the getuser.php process only when it is initiated from my main page.

I've got a question; I thought I'd be able to do this fairly easily. I don't want to do an .htaccess solution either. I tried this:

define('ACCESS', TRUE);
// then on the other page
if(!defined('ACCESS')){die('Direct access not allowed.');}

Need some assistance, appreciated. I have solved this now.

Please, it is very important!! I have a script (main file is index.php) that is called into an iframe src via a URL reference...
http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php
works perfectly!!.. How can I prevent someone getting direct URL access to the file? If someone were to take the URL:
http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php
and place it into the address bar, they have access to the file...

Points to note:
- I have no database for this script,
- the iframe is called directly into a HTML file,
- I don't know the userfolder or the emailfolder names,
- and the index.php is linked to several other .php and .js and .html files in different folders....

I can add something like this to these files (I found this on the net). Add this to the page that you want to only be included:

<?php if(!defined('MyConst')){die('Direct access not permitted');} ?>

then on the pages that include it add

<?php define('MyConst', TRUE); ?>

This will prevent the files being accessed, but then I can't access the file via the iframe URL.. Please, any ideas???
Best regards, Tony

I have my template files and some functions on my server which are available for direct reach, like: my "index.php" file includes the "loginpage.php" form, which is OK when I enter www.site.com/index.php, but when I enter www.site.com/loginpage.php it also works and shows me just the login page. This is what I don't want. How can I prevent the files from being reached directly like this? I want them to work just for other pages of my website, not for viewing directly. By the way, can this problem also be solved by hosting settings or mod_rewrite?

Hello, I want to prevent this page from being directly accessed by anyone just putting its address in the address bar:
http://www.mysite.com/page1/page2/signup.php
I want to allow this page to be accessed only via clicking on a link in a particular page like:
http://www.mysite.com/activate/index.php
Please help me.

I have a PHP form for uploading a file whose action sends to upload.php. How can I avoid any kind of direct access to upload.php? I want to kill the PHP process at the first line without performing the remaining code (it is very critical for me as I have a counter), except for calls coming from form.php.

Hello everyone, what is the best method of blocking direct access to certain files like functions, modules, etc.? I was trying the

if ( ! defined('BASEPATH')) exit('No direct script access allowed');

method, but I feel like there must be a more convenient/better way. Any suggestions are appreciated, thank you.

Hi, I am struggling to find an answer here.. If, for example, my iframe source file.php has an initcheck/direct access block, how can I still have access to it in an iframe?

<center><iframe name="frame1" id="frame1" style="width: 100%; height: 120px; z-index: 0; " scrolling="0" src="file.php" frameborder="0"></iframe></center>

Then file.php has an initcheck and itself includes multiple other files, so I can't remove the initcheck..

// header of file.php
// ################################################################
defined( '_MYAPP_INITCHECK' ) or die( '' );
// ################################################################

I was asked to make a new thread for this, so how do I use a session or something to restrict access to a page.....like if accounttype=Admin, stay here, all others go away......do you need to see code, or can you just give me an example.......

Hiya, firstly, I'm a complete novice, apologies! But I have got my upload.php working, which is nice. I will post the code below. However, I would now like to restrict the file size and file type to only Word documents. I currently have a restriction of 200KB but it's not working - no idea why, as I've looked at other similar codes and they look the same. Also, just to complicate things - can I stop files overwriting each other when uploaded? At the moment, if 2 people upload files with the same name one will overwrite the other. Is this too many questions in 1? Any help is very much appreciated! Code below:

<form enctype="multipart/form-data" action="careers.php" method="POST">
Please choose a file: <input name="uploaded" type="file" /><br />
<input type="submit" value="Upload" />
</form>
<?php
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;

//This is our size condition ($_FILES sizes are in bytes, so 200KB is 200*1024)
if ($_FILES['uploaded']['size'] > 200*1024)
{
    echo "Your file is too large.<br>";
    $ok=0;
}

//This is our limit file type condition
//(note: 'type' is supplied by the browser and cannot be trusted on its own)
if ($_FILES['uploaded']['type'] =="text/php")
{
    echo "No PHP files<br>";
    $ok=0;
}

//Here we check that $ok was not set to 0 by an error
if ($ok==0)
{
    echo "Sorry your file was not uploaded";
}

//If everything is ok we try to upload it
else
{
    if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
    {
        echo "Your file ". basename( $_FILES['uploaded']['name']). " has been uploaded.";
    }
    else
    {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>

I've just done a Contact Me form.
Once a message has been sent, I'd like to direct the user to a new page saying 'thanks for getting in touch', just so it's clear the message has been sent. What's the best function to use for that? I tried require("message.php") and include(), but the two files got mixed up and all I got was a mess! Thanks in advance for any help.

Hi all, I am using the uploadify script available at http://uploadify.com/
Now I can get the file uploads working fine with the script below:

<?php session_start(); ?>
<link href="/uploadify/uploadify.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="/uploadify/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="/uploadify/swfobject.js"></script>
<script type="text/javascript" src="/uploadify/jquery.uploadify.v2.1.0.min.js"></script>
<input id="fileInput" name="fileInput" type="file" />
<script type="text/javascript">// <![CDATA[
$(document).ready(function() {
  $('#fileInput').uploadify({
    'uploader'  : '/uploadify/uploadify.swf',
    'script'    : '/uploadify/uploadify.php',
    'cancelImg' : '/uploadify/cancel.png',
    'auto'      : true,
    'folder'    : '<?php echo $_SESSION['filepath']."/downloads/"; ?>',
    'multi'     : true
  });
});
// ]]></script>

The problem that I am having is that I also store the MySQL connection details in session vars (they change depending on who logs in). I have tried a number of ways of "passing" these session vars to the uploadify.php file, which does the grunt work of the uploading, but I can never seem to access them. I obviously don't want to pass them to the uploadify.php script through the JS, because that will show my credentials in the source code. So, the question is, how can I access these session vars in the called file? I assume it's a combination of session_write_end() and session_start(), but I haven't got the right combination yet.

Hi everyone!
I've been working on a PHP script to replace links that contain a query with direct links to the files they would redirect to. In this case I have to rewrite the XML with this script. The situation is not optimal; I'm running the chunk script because we're stuck with the execution time limit too.

Export filter: this loops over an XML file and splits it into chunks.

<?php
//ini_set('max_execution_time', 10);

// ---- includes
if ( ! defined('ABSPATH') ) {
    require_once( dirname( __FILE__ ) . '/wp-load.php' );
}
// ---- end includes

// console
function vwaconsole($input) {
    $disabled = false;
    if ($disabled === false) {
        $a = print_r($input.'</br>');
        $a = $input;
        echo "<script>console.log( '--log--: " . $a . "' );</script>";
    }
}
//end console

// settings //
$chunk_size = 20;
//
$home = constant( 'ABSPATH' );
$xml_path = $home."/wp-content/uploads/wpallimport/files/Bastiaansen.xml";

if (fopen($xml_path,"r") != true) {
    vwaconsole("xml file does not exist");
    exit();
}

$xml = new DOMDocument();
$xml->formatOutput = true;
$xml->preserveWhiteSpace = false;
$xml->load($xml_path);

// Main program
// creates another file to be filled by sub scripts
if (!empty($xml)) {
    vwaconsole("Running main program");

    // backup xml first
    $date = "_".date("Y M D h i");
    $date = str_replace(' ', '_', $date);

    $xpath = new DOMXpath($xml);
    $items = $xpath->query("//aanbiedingen//item");

    $loopcount = 0;
    $processedamount = 0;
    $islast = 0;

    vwaconsole('total items: '.$items->length);
    vwaconsole('chunk size: '.$chunk_size);
    echo'<br>';

    /* chunks processing: */
    $chunkxml = new DOMDocument();
    $chunkxml->formatOutput = true;
    $chunkxml->preserveWhiteSpace = false;
    $counter = 0;
    $chunkroot = null;

    foreach($items as $item) {
        //vwaconsole('processing item');
        if ($chunkroot === null) {
            $chunkroot = $chunkxml->createElement('root');
            $chunkxml->appendChild($chunkroot);
            //vwaconsole('created root');
        }
        if (($processedamount + $chunk_size) > $items->length) {
            //vwaconsole("last chunk in progress...");
            $islast = 1;
        }
        $chunkitem = $chunkxml->createElement($item->nodeName);
        $chunkroot->appendChild($chunkitem);
        //vwaconsole('appended child item to root');
        foreach($item->childNodes as $spec) {
            //vwaconsole('processing specs in item');
            $chunkspec = $chunkxml->createElement($spec->nodeName);
            $chunkitem->appendChild($chunkspec);
            $chunkspectext = $chunkxml->createTextNode($spec->nodeValue);
            $chunkspec->appendChild($chunkspectext);
        }
        $counter++;
        $processedamount++;
        if ($counter >= $chunk_size) {
            $chunkxml->save("wp-content/uploads/wpallimport/files/chunks_bast/bast_chunk_".$loopcount.".xml");
            vwaconsole("saved array chunk");
            // runs the chunk processor below as a separate PHP process
            $output = `php export_filter_chunk_processor.php $loopcount $islast `;
            vwaconsole($output);
            vwaconsole("creating new array chunk");
            $chunkxml = new DOMDocument();
            $chunkxml->formatOutput = true;
            $chunkxml->preserveWhiteSpace = false;
            $loopcount++;
            $counter = 0;
            $chunkroot = null;
        }
        if ($items->length === $processedamount) {
            $chunkxml->save("wp-content/uploads/wpallimport/files/chunks_bast/bast_chunk_".$loopcount.".xml");
            vwaconsole("finished saving last chunk");
        }
    }

    // merge documents later..
    /*
    $newxml = new DOMDocument("1.0", "utf-8");
    $newxml->formatOutput = true;
    $newxml->preserveWhiteSpace = false;
    $itemContainer = $newxml->createElement('aanbiedingen');
    $newxml->appendChild($itemContainer);
    //$newxml->save("wp-content/uploads/wpallimport/files/TEMP_Bastiaansen.xml");
    */

    vwaconsole("main ending");
    exit();
} else {
    //vwaconsole("xml is empty ?! exiting");
    exit();
}
?>
Export chunk processor: the XML was split by the previous script. This one takes one of the chunks and calls get_headers(), sending a link containing a query; multiple instances of this script run at the same time. The queries are then picked up by the last PHP file.

<?php
//ini_set('max_execution_time', 10);

// console
function vwaconsole($input) {
    $disabled = false;
    if ($disabled === false) {
        $a = print_r($input.'</br>');
        $a = $input;
        echo "<script>console.log( '--log--: " . $a . "' );</script>";
    }
}
//end console

//echo'<br>';
print_r("called chunk processor > Chunk processor started. ");
//echo'<br>';

// chunk number and "is last" flag are passed on the command line by the export filter
$loopcount = isset($argv[1]) ? $argv[1] : null;
$islast    = isset($argv[2]) ? $argv[2] : null;
if ($loopcount === null || $islast === null) {
    print_r("CHUNK PROCESSOR ERROR > loop count is empty");
    exit();
} else {
    print_r("CHUNK PROCESSOR variables set. loop count: ".$loopcount." is last: ".$islast."<br>");
}

if ( ! defined('BAST_ROOT_DIR') ) {
    define('BAST_ROOT_DIR', __DIR__);
}
$home = constant( 'BAST_ROOT_DIR' );
$xml_path = $home."/wp-content/uploads/wpallimport/files/chunks_bast/bast_chunk_".$loopcount.".xml";

if (fopen($xml_path,"r") != true) {
    print_r("chunk file was not found at path: ".$xml_path);
    exit();
}

$xmlChunk = new DOMDocument();
$xmlChunk->formatOutput = true;
$xmlChunk->preserveWhiteSpace = false;
$xmlChunk->load($xml_path);

if (empty($xmlChunk)) {
    print_r("chunk data is empty, exiting");
    exit();
} else {
    print_r("got chunk data <br>");
}

$xpath = new DOMXpath($xmlChunk);
$item = $xpath->query("//root//item");
//$items = $xmlChunk->getElementsByTagName('//root//item');

foreach ($item as $node) {
    echo'new item: <br>';
    foreach ($node->childNodes as $spec) {
        //vwaconsole("processing spec: ".$spec->nodeName);
        if (($spec->nodeName == 'itemlink')) {
            $memValue = $spec->nodeValue;
            //setting new url spec node
            $spec->nodeValue = processItemLink($memValue);
        // add new itemfoto nodes to xml
        } elseif(($spec->nodeName == 'itemfoto1')) {
            $memValue = $spec->nodeValue;
            $imgurls = array();
            $first = true;
            for ($i = 1; $i < 50; $i++) {
                if ($first === false) {
                    $memValue = str_replace('bast_get_itemfoto_id='.strval($i-1), 'bast_get_itemfoto_id='.strval($i), $memValue);
                }
                vwaconsole("trying to get a itemfoto with id: ".strval($i)." link: " .$memValue);
                $triedFotoUrl = processItemLink($memValue);
                vwaconsole("tried url: ".$triedFotoUrl);
                if($triedFotoUrl !== $memValue) {
                    $imgurls[] = $triedFotoUrl;
                } else {
                    vwaconsole("tried url and processed url are equal. end of loop. No new images left or error happened.");
                    break;
                }
                $first = false;
            }
            //remove the old single itemfoto from xml
            $spec->parentNode->removeChild($spec);
            // add sorted nodes from image array
            if (!empty($imgurls)) {
                sort($imgurls, SORT_NATURAL);
                print_r('<br> after sort;');
                print_r($imgurls);
                print_r('<br>');
                $arlength = count($imgurls);
                for($x = 0; $x < $arlength; $x++) {
                    // new nodes must be created by the document they are appended to ($xmlChunk)
                    $newItemFoto = $xmlChunk->createElement('itemfoto'.strval($x+1));
                    $newItemFotoText = $xmlChunk->createTextNode($imgurls[$x]);
                    $newItemFoto->appendChild($newItemFotoText);
                    $node->appendChild($newItemFoto);
                }
                unset($imgurls);
            }
        }
    }
    echo'<br>';
}

//returns string url
//follow the query url from xml, return a direct link or returns input on failure. query is processed in Bastiaansen.php.
function processItemLink($url) {
    if (!empty($url)) {
        $headers = get_headers($url, 1);
        if(!empty($headers['Location'])) {
            vwaconsole('test returning header location: '.$headers['Location']);
            return $headers['Location'];
        } else {
            vwaconsole("header empty ?!?! can't convert query");
        }
    }
    return $url;
}

$xmlChunk->save("wp-content/uploads/wpallimport/files/chunks_bast/bast_chunk_test_".$loopcount.".xml");
?>
When the chunk processor calls a query link with get_headers(), the query will be noticed by the next script, the query converter:

<?php
if ( ! defined('ABSPATH') ) {
    require_once( dirname( __FILE__ ) . '/wp-load.php' );
}

// ---- vars
$machineID   = isset($_GET['bast_get_machine_id'])  ? $_GET['bast_get_machine_id']  : null;
$itemlink    = isset($_GET['bast_get_itemlink'])    ? $_GET['bast_get_itemlink']    : null;
$itemfoto_id = isset($_GET['bast_get_itemfoto_id']) ? $_GET['bast_get_itemfoto_id'] : null;
$request = null;
$value   = null;
if (!empty($itemlink)) {
    $request = 'bast_get_itemlink';
    $value = $itemlink;
} elseif (!empty($itemfoto_id)) {
    $request = 'bast_get_itemfoto_id';
    $value = $itemfoto_id;
}
// ---- end vars

if (empty($machineID)) {
    echo 'please enter query ?bast_get_machine_id=(number) first';
    exit();
}
if (empty($request) || empty($value)) {
    echo 'Valid query request would be: bast_get_itemlink <br>';
    echo 'Valid query request would be: bast_get_itemfoto_id <br>';
    exit();
}

// register custom query options
function sm_register_query_vars( $vars ) {
    global $request; // set at file scope above; not visible inside the function otherwise
    // get the right custom field names
    $vars[] = $request;
    $vars[] = 'pa_'.$request;
    return $vars;
}
add_filter( 'query_vars', 'sm_register_query_vars' );

//returns null or string url
function fetch($machineID,$request,$value) {
    $return = null;
    $args = array(
        'orderby'        => 'meta_value_num',
        'meta_key'       => 'bast_get_machine_id',
        'meta_type'      => 'NUMERIC',
        'post_type'      => 'product',
        'posts_per_page' => -1,
        'order'          => 'ASC',
        'meta_query'     => array(
            array(
                'key'     => 'bast_get_machine_id',
                'type'    => 'NUMERIC',
                'value'   => $machineID,
                'compare' => 'EXISTS',
            )
        )
    );
    $wp_query = new WP_Query($args);
    if ( $wp_query->have_posts() ) {
        while ( $wp_query->have_posts() ) {
            $wp_query->the_post();
            apply_filters( 'the_content', 'filter_post_content' );
            // note: these echoes happen before header() below, which only works with output buffering on
            echo 'found product " '.get_the_title().' " on machine ID '.$machineID.'<br>';
            echo 'requested: '.$request.'<br>';
            if ($request === 'bast_get_itemlink') {
                // product url
                $return = get_permalink(get_the_ID());
                break;
            } elseif ($request === 'bast_get_itemfoto_id') {
                // image attachment
                $attachments = get_posts(array(
                    'post_type'      => 'attachment',
                    //'post_mime_type' => 'image',
                    'posts_per_page' => -1,
                    'post_parent'    => get_the_ID()
                    //'exclude' => get_post_thumbnail_id()
                ));
                // as the requested value should be 1, but the array starts at 0.. remove 1 from value
                if (!empty($attachments) && ($attachments != false) && !empty($attachments[$value-1]) && ($attachments[$value-1] != false) ) {
                    $return = wp_get_attachment_image_src( $attachments[$value-1]->ID, 'full')[0];
                    echo 'attachment found';
                } else {
                    echo 'attachment empty...';
                }
                echo 'total amount of images found on this machine: '.count($attachments);
                break;
            }
            break;
        }
        /* Reset Post Data after loop */
        wp_reset_postdata();
    } else {
        echo 'query on machine ID '.$machineID.' found no product. Exit.';
    }
    return $return;
}

function filter_post_content( $content ) {
    // Check if we're inside the main loop in a single post page.
    if ( is_single() && in_the_loop() && is_main_query() ) {
        return $content;
    }
    return $content;
}

$finaldestination = fetch($machineID,$request,$value);
if (empty($finaldestination)) {
    exit();
}
//echo 'destination set: '.$finaldestination.'<br>';
header("Location: ".$finaldestination, true, 302);
?>
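The query converter above is reachable by anyone who knows its URL, yet its only legitimate caller is the chunk processor running on the same server, which is exactly the situation the page's title asks about. The following is an added example, not code from the post, of one way to restrict such a server-to-server endpoint: the caller signs each request with an HMAC over a timestamp using a secret both scripts share, and the endpoint refuses to do anything unless the signature verifies and is fresh. The secret value, the header name X-Internal-Token and all function names are assumptions. A check on REMOTE_ADDR being 127.0.0.1 is the simpler alternative when nothing sits between the two scripts, but it breaks as soon as a reverse proxy is in the path.

```php
<?php
// Added example, not code from the post above: a shared-secret guard for a PHP
// endpoint whose only legitimate caller is another script on the same server
// (here: the chunk processor calling the query converter via get_headers()).
// The secret, the header name and every function name are assumptions.

const INTERNAL_SECRET = 'replace-with-32-plus-random-bytes'; // assumption: keep it outside the web root
const TOKEN_MAX_AGE   = 60;                                   // seconds a token stays valid

// Caller side: "timestamp:hex-hmac" lets the endpoint check origin and freshness.
function internal_token(string $secret, ?int $now = null): string {
    $now = $now ?? time();
    return $now . ':' . hash_hmac('sha256', (string)$now, $secret);
}

// Endpoint side: true only for a token signed with the same secret and no older
// than TOKEN_MAX_AGE. Wrong format, stale or future timestamps are all rejected.
function verify_internal_token(?string $token, string $secret, ?int $now = null): bool {
    $now = $now ?? time();
    if ($token === null || !preg_match('/^(\d{1,12}):([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $ts = (int)$m[1];
    if ($ts > $now + 5 || $now - $ts > TOKEN_MAX_AGE) {
        return false; // replayed old token, or clock skew beyond tolerance
    }
    $expected = hash_hmac('sha256', (string)$ts, $secret);
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// --- caller (drop-in for the get_headers() call in processItemLink) ---
// get_headers() reads the default stream context, so the header is attached there.
function fetch_redirect_target(string $url): ?string {
    stream_context_set_default([
        'http' => [
            'header'          => 'X-Internal-Token: ' . internal_token(INTERNAL_SECRET) . "\r\n",
            'follow_location' => 0, // we want the Location header itself, not the page behind it
        ],
    ]);
    $headers = @get_headers($url, 1);
    if (!is_array($headers) || empty($headers['Location'])) {
        return null;
    }
    $loc = $headers['Location'];
    return is_array($loc) ? (string)end($loc) : (string)$loc; // several hops come back as an array
}

// --- endpoint (first lines of the query converter, before wp-load.php is loaded) ---
function guard_internal_endpoint(array $server): void {
    $token = $server['HTTP_X_INTERNAL_TOKEN'] ?? null;
    if (!verify_internal_token($token, INTERNAL_SECRET)) {
        http_response_code(403);
        exit('forbidden');
    }
}

if (PHP_SAPI !== 'cli') {
    guard_internal_endpoint($_SERVER);
}
```

The timestamp window bounds replay to one minute; if the converter does anything non-idempotent, add a nonce store on top. Because the secret never travels over the network (only its HMAC does), a snooper on the URL gains nothing, and the defined()-style constant checks elsewhere on this page are not needed for a file that is meant to be requested over HTTP.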
Need a suggestion for my code: I want msg1.php to be opened in the frame bottomframe.

if($username=="" || $password=="") {
    echo "<form method=\"post\" action=\"msg1.php\" target=\"bottomframe\" >";
}

Hello all, I am in desperate need of help here, since my site was DDoS attacked by someone in Turkey (IPs originate mostly from Turkey, Germany, and some other European countries). I have installed the DDoS deflation and most of the IPs are now blocked. I have a PHP file on my server that I use to input data into my database and my streaming servers. This file is called connect.php, and the hacker has basically created an automated script that repeatedly calls the connect.php file from a botnet, resulting in both Apache and MySQL dying. I use connect.php in the following way:

http.open('get', "ajax/createchannel_1.php?channel=" + channelname + "&sitename=" + sitename + "&privateurl=" + privateurl + "&privateurlcheck=" + privateurlcheck);

How can I change connect.php so that it only accepts execution from my server? Please, your help is greatly appreciated.

Hi guys, I am making a site where users upload files (like images, PDFs, etc.) to the server. My question is, how does Facebook handle file permissions, restricting access to files uploaded to their servers based on what a user sets? Because I need to implement a similar thing and have no idea how to do it in a clean way. I have had two thoughts on storing the files: 1) in a DB or 2) in a folder out of the wwwroot, which would prevent access by anyone without knowing the path (or some such), but it is the more "real" permissions implementation I am stuck on. I obviously would like to achieve this with PHP and MySQL(i). Any help is much appreciated. Cheers in advance.

Is it possible to allow a script running on another server to write/read a specific file on my server? I can set file permissions, but I'm not having any luck with file paths due to PHP5 blocking http:// URLs.
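The original question, and the getuser.php, upload.php, BASEPATH and connect.php threads above, all want the same thing: a PHP file that only runs when "my page" calls it. The constant guards (defined('ACCESS'), _MYAPP_INITCHECK, debug_backtrace() || die) only tell an include()d file apart from one requested directly; for a file that is meant to be fetched over HTTP they cannot help, because a request made by the page's jQuery is indistinguishable from one the same user makes by hand with curl, and Referer or X-Requested-With can be set by any client. What works is to make direct calls harmless: take the user from the server-side session instead of ?id=, accept POST only, and require a per-session CSRF token so no other site can make the browser submit the form. Below is an added example of that shape, not code from any post on this page. It keeps both halves in one file for brevity; PHP sessions holding 'user_id' after login, the field names csrf and message, the save_comment() hook and the jQuery CDN URL are assumptions.

```php
<?php
// Added example, not code from any post on this page. One file plays both roles:
// a GET renders the page with the jQuery call and a per-session CSRF token, a
// POST is the Ajax endpoint (the role of includes/add_comment.php above).
// Assumptions: PHP sessions hold 'user_id' after login, the fields are named
// csrf and message, and save_comment() stands for your existing insert code.

session_start();

// Issue (or reuse) a random token bound to this session; the page embeds it and
// the Ajax request sends it back. Without it another site could make a logged-in
// browser post comments (CSRF); with it, only our own page can.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Decide whether a request may add a comment. Returns [http status, reason].
// Everything that matters comes from the server-side session, not from the URL.
function authorize_comment_request(array $session, string $method, array $post, array $headers): array {
    if ($method !== 'POST') {
        return [405, 'POST only: a GET URL can be pasted into the address bar or an <img> tag'];
    }
    if (empty($session['user_id'])) {
        return [401, 'not logged in: the user id comes from the session, never from ?id='];
    }
    // A plain cross-site <form> cannot set custom headers, so this is a cheap
    // early rejection; it proves nothing about who sent the request, though.
    if (($headers['X-Requested-With'] ?? '') !== 'XMLHttpRequest') {
        return [403, 'not an XHR request'];
    }
    $sent = (string)($post['csrf'] ?? '');
    if ($sent === '' || empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return [403, 'missing or wrong CSRF token'];
    }
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || strlen($message) > 2000) {
        return [400, 'empty or oversized message'];
    }
    return [200, 'ok'];
}

function save_comment(int $userId, string $message): void {
    // assumption: replace with the existing INSERT; $userId is the authenticated user
}

if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // --- Ajax endpoint ---
        $headers = ['X-Requested-With' => $_SERVER['HTTP_X_REQUESTED_WITH'] ?? ''];
        [$status, $reason] = authorize_comment_request($_SESSION, 'POST', $_POST, $headers);
        http_response_code($status);
        if ($status === 200) {
            save_comment((int)$_SESSION['user_id'], trim((string)$_POST['message']));
        }
        exit($reason);
    }
    // --- page with the form: embeds the token; jQuery adds X-Requested-With itself ---
    $token = htmlspecialchars(csrf_token($_SESSION), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<textarea id="message"></textarea><button id="send">Add</button>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
$('#send').on('click', function () {
  $.post(window.location.href,
         {csrf: '$token', message: $('#message').val()},
         function (r) { alert(r); }).fail(function (x) { alert(x.status + ' ' + x.responseText); });
});
</script>
HTML;
}
```

For the botnet case in the connect.php thread the same check applies: a caller without a logged-in session is rejected at the top of the file before any database work, and a per-user rate limit on top of that bounds what a stolen session can do. Nothing in PHP can tell "my server" apart from a botnet when the script is public, so the goal is to make every request cost the attacker an account and a token, not to hide the URL.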