PHP - How To Restrict Direct Access To Php File

Hi guys, in my database i have the table called users, where i have 5 fields (id, username, email, password, user_level) - for the user_level field i have 2 options administrator and editor.   What i want to do is that when the user who is logged in have administrator in the user_level field to see all the pages from backend, and the user who have in the user_level field editor to see only some of the pages from the backend such as newsletter, or messages.   I hope you understand what i'm asking if not fell free to ask me if you need more specific details.   I tried to make a php page called access.php wher i put the following code, but not working

<?php
session_start();
$sql = $mysqli->query("SELECT user_level FROM imobiliare_users WHERE id=$id");
$user_level = $mysqli->query($sql);
echo $user_level;
if ($user_level !="administrator") {
	echo "You are not the proper user type to view this page";
    die();
  }
?>

Hope you can help me. Thx in advance for help.

I have a php form for uploading file as the action sends to upload.php. How I can avoid any kind of direct access to upload.php? I want to kill the php process at the first line without performing the remaining code (it is very critical for me as I have a counter), except calls coming from form.php.

Hello everyone,

What is the best method of blocking direct access to certain files like functions, modules, and etc?

I was trying the
if ( ! defined('BASEPATH')) exit('No direct script access allowed');method but I feel like there must be a more convenient/better way.

Any suggestions are appreciated, thank you.

I want to perform a php process initiated by AJAX according to the method described in http://www.w3schools.com/PHP/php_ajax_database.asp

with this line
Code: [Select]
xmlhttp.open("GET","getuser.php?q="+str,true);
the php process in getuser.php is initiated. But how I can restrict direct access to getuser.php?

If someone visit getuser.php?q=something; the process will be started for "something". I want to run the getuser.php process only and only when it is initiated from my main page.

I am using the debug_backtrace() php function to prevent direct access to admin files. i simply place the code below at the top of a page eg config.php and direct access via the browser is prevented.   Is it a safe practice or is there a better way of doing it?

<?php

debug_backtrace() || die ("Direct access to this resource is  forbidden");

?>

Thanks

Hi,
I am struggling to find an answer here.. If for example my iframe source, file.php has a initcheck/direct access block, how can i still have access to it in an iframe?


<center><iframe name="frame1" id="frame1" style="width: 100%; height: 120px; z-index: 0; " scrolling="0" src="file.php" frameborder="0"></iframe></center>


//then the file.php has an initcheck and itself includes multiple other files so i cant remove the initcheck..

//header of file.php
// ################################################################
defined( '_MYAPP_INITCHECK' ) or die( '' );
// ################################################################

Hiya,

Firstly, I'm a complete novice, apologies! But I have got my upload.php working which is nice. I will post the code below.

However, I would now like to restrict the file size and file type to only word documents.

I currently have a restriction of 200KB but it's not working - no idea why as I've looked at other similar codes and they look the same.

Also, just to complicate things - can I stop files overwriting each other when uploaded? At the moment, if 2 people upload files with the same name one will overwrite the other.

Is this too many questions in 1?

Any help is very much appreciated!

Code below:

Code: [Select]
<form enctype="multipart/form-data" action="careers.php" method="POST">
        Please choose a file: <input name="uploaded" type="file" /><br />
<input type="submit" value="Upload" />
</form>

<?php 
 $target = "upload/"; 
 $target = $target . basename( $_FILES['uploaded']['name']) ; 
 $ok=1; 
 
 //This is our size condition 
 if ($uploaded_size > 200) 
 { 
 echo "Your file is too large.<br>"; 
 $ok=0; 
 } 
 
 //This is our limit file type condition 
 if ($uploaded_type =="text/php") 
 { 
 echo "No PHP files<br>"; 
 $ok=0; 
 } 
 
 //Here we check that $ok was not set to 0 by an error 
 if ($ok==0) 
 { 
 Echo "Sorry your file was not uploaded"; 
 } 
 
 //If everything is ok we try to upload it 
 else 
 { 
 if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) 
 { 
 echo "Your file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded."; 
 } 
 else 
 { 
 echo "Sorry, there was a problem uploading your file."; 
 } 
 } 
 ?>

Hi. I'm making a file-sharing website but how do I stop users from uploading certain extensions?
Here is my script so far:

<?php session_start(); $file_name = $HTTP_POST_FILES['ufile']['name'];$random_digit=rand(0000,9999);$new_file_name=$random_digit.$file_name;$path= "upload/".$new_file_name;if($ufile !=none){if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path)){echo "Successful<BR/>";}else{echo "Error";}}?>()

I've just done a Contact Me form.

Once a message has been sent, I'd like to direct the user to a new page saying 'thanks for getting in touch', just so it's clear the message has been sent.

What's the best function to use for that? I tried require("message.php") and include() but the two files got mixed up and all I got was a mess!

Thanks in advance for any help

Hi guys,

I am making a site where users upload files (like images, pdfs, etc) to the server.

My question is, how does Facebook handle file permissions, restricting access to files uploaded to their servers based on what a user sets?
Because I need to implement a similar thing and have no idea how to do it in a clean way.

I have had two thoughts on storing the files 1) in a DB or 2) in a folder out of the wwwroot, which would prevent access by anyone without knowing the path (or some such) but it is the more "real" permissions implementation I am stuck on.

I obviously would like to achieve this with PHP and MySQL(i).

Any help is much appreciated.

Cheers in advance.

Hello everybody  ,
This is my first topic here and I hope I will find the solution for my problem.
I want to restrict access to file (for exemple: http://www.mysite.com/files/file0000.zip) to a just a specific IP that will be read from the database. And also store all other IPs trying to access this file.
Can this be done, maybe through some php and htaccess?

Thank you for any help or any other ideas.

Is it possible to allow a script running on another server to write/read a specific file on my server?  I can set file permissions, but not having any luck with file paths due to php5 blocking http:// urls.

I have a file that an ajax function calls on my site, and I want to make sure only the right pages access it.

For example.

I have page called home (home.php) and on that page i have an ajax call, which calls a file called ajax.php.

I want to make sure that when ajax.php is being executed, it is being executed via an ajax call, which is coming from the home page.

is this possible?

RewriteCond %{HTTP_HOST} !^www.example.com.au$ [NC] 
RewriteCond %{HTTP_HOST} !^https://www.example.com.au$ [NC]
RewriteRule ^(.*)$ http://www.example.com.au/$1 [R,L]

Hi All   I have my website 90% working on https, fully working on http and I have managed to redirect from none www to www     What I am looking to do it if the user happens to enter https then make them go to my www version     I have manage to get them to go to my www version if they do not put in www but I am lost in how to redirect them from https to http   here is what I have so far and I just cannot figure it out     thanks Alan

I have a weird kind of problem.
I uploaded all upload-directories through FTP which have 777 permissions and owner name 'abc'
This means I can access all of them through the codes.
But while creating files inside those full permitted directories, the compiler complains for access denied.
Meanwhile, a different directory is created with same name whose owner is 'apache' itself and the previous directory is lost.
Then I cannot change the permissions of that directory through FTP.
I don't if it is apache server's problem itself or not.
Or is it a way to define user while creating/editing/deleting files and directories through php code itself?