|
PHP - Iframe Src Has Initcheck/direct Access Block, How Can I Work This?
Hi,
I am struggling to find an answer here.. If for example my iframe source, file.php has a initcheck/direct access block, how can i still have access to it in an iframe? <center><iframe name="frame1" id="frame1" style="width: 100%; height: 120px; z-index: 0; " scrolling="0" src="file.php" frameborder="0"></iframe></center> //then the file.php has an initcheck and itself includes multiple other files so i cant remove the initcheck.. //header of file.php // ################################################################ defined( '_MYAPP_INITCHECK' ) or die( '' ); // ################################################################ Similar Tutorialsplease it is very important!! I have a script (main file is index.php) that is called into an iframe src via an url reference... http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php works perfectly!!.. How can i prevent someone getting direct url access to the file? if someone were to take the url: http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php and place it into the address bar, they have access to the file... points to note: -i have no database for this script, -the iframe is called directly into a html file, - i dont know the userfolder or the emailfolder names, - and the index.php is linked to several other .php and .js and .html files in different folders.... // i can add something like this to these file:(i found this on the net). Add this to the page that you want to only be included <?php if(!defined('MyConst'){die('Direct access not premitted');} ?> then on the pages that include it add <?php define('MyConst', TRUE); ?> this will prevent the files being accessed, but then i cant access the file via the iframe url.. please any ideas??? best regards Tony Hello everyone, What is the best method of blocking direct access to certain files like functions, modules, and etc? I was trying the if ( ! defined('BASEPATH')) exit('No direct script access allowed');method but I feel like there must be a more convenient/better way. Any suggestions are appreciated, thank you. I have a php form for uploading file as the action sends to upload.php. How I can avoid any kind of direct access to upload.php? I want to kill the php process at the first line without performing the remaining code (it is very critical for me as I have a counter), except calls coming from form.php. I want to perform a php process initiated by AJAX according to the method described in http://www.w3schools.com/PHP/php_ajax_database.asp with this line Code: [Select] xmlhttp.open("GET","getuser.php?q="+str,true); the php process in getuser.php is initiated. But how I can restrict direct access to getuser.php? If someone visit getuser.php?q=something; the process will be started for "something". I want to run the getuser.php process only and only when it is initiated from my main page. I have solved this now. A shipping vendor (like Stamps.Com) provides me a Printable Shipping Label to display on my website for Visitors to print.
When Visitors come to my page, my PHP code:
$Shipping_Label_Data = $LabelVendor->data[0]->contents; // vendor's API echo '<img src="/Label-Directory/'.$Order_Number.'.png" />'; Later I realized the security flaw: any snooper can fish for other Visitor's labels in my Label directory. What is the best way to prevent the display of other people's labels? Thank you!! I've got a question, I thought I'd be able to do this fairly easily. I don't want to do an .htaccess solution also. I tried this, define('ACCESS', TRUE); // then on other page if(!defined('ACCESS'){die('Direct access not allowed.');} Need some assistance, appreciated. I am using the debug_backtrace() php function to prevent direct access to admin files.
i simply place the code below at the top of a page eg config.php and direct access via the browser is prevented.
Is it a safe practice or is there a better way of doing it?
<?php
debug_backtrace() || die ("Direct access to this resource is forbidden");
?>
Thanks
I use jQuery when adding messages. However, the file can be called directly. For example: includes/add_comment.php?id=2 So, I can make a form and call this file directly to add a message. ID is user id and form can be submited with HTML form wherever are located. How to prevent direct access to the file when called through a Ajax? I have a site with a members area that uses sessions. I migrated my DB from MySQL 4 to 5. Now my login page does not work. Please help. Member Login Page: Code: [Select] <?php session_name ('name'); ini_set ('session.use_cookies', 0); session_start(); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link href="css/style.css" rel="stylesheet" type="text/css" /> <script type="text/javascript" src="js/swfobject/swfobject.js"></script> <script type="text/javascript"> var flashvars = {}; flashvars.xml = "config.xml"; flashvars.font = "font.swf"; var attributes = {}; attributes.wmode = "transparent"; attributes.id = "slider"; swfobject.embedSWF("cu3er.swf", "cu3er-container", "960", "400", "9", "expressInstall.swf", flashvars, attributes); </script> <link href="css/menu.css" rel="stylesheet" type="text/css" /> <style type="text/css"> #apDiv1 { position:absolute; left:592px; top:75px; width:552px; height:53px; z-index:1; } a:visited { color: #5D4580; } a:hover { color: #FFF; } a:active { color: #5D4580; } </style> </head> <body> <div class="main"> <div class="blok_header"> <div class="header"> <div class="rss"><strong>P</strong></div> <div class="clr"></div> <div class="logo"><a href="index.html"><img src="images/logo.jpg" width="211" height="88" border="0" alt="" class="one" /></a></div> <div class="menu"> <ul id="css3menu"> <li class="topfirst"><a href="index.html" title="Home">Home</a></li> <li><a href="#" title=""><span>Omega Psi Phi</span></a> <ul> <li><a href="founders.html" title="Fraternity Founders">Fraternity Founders</a></li> <li><a href="omegahistory.html" title="Fraternity History">Fraternity History</a></li> <li><a href="programs.html" title="Mandated Programs">Mandated Programs</a></li> <li><a href="links.html" title="Links">Links</a></li> </ul> </li> <li><a href="#" title="Phi Gamma Chapter"><span>Phi Gamma Chapter</span></a> <ul> <li><a href="history.html" title="Phi Gamma History">Phi Gamma History</a></li> <li><a href="lineage.html" title="Phi Gamma Lineage">Phi Gamma Lineage</a></li> <li><a href="dedication.html" title="Dedication">Dedication</a></li> <li><a href="calendar.html" title="Calendar">Calendar</a></li> <li><a href="photogallery.html" title="Photo Gallery">Photo Gallery</a></li> <li><a href="members/login.php" title="Member Login">Member Login</a></li> <li><a href="roster.html" title="Chapter Roster">Chapter Roster</a></li> </ul> </li> <li><a href="members/login.php" title="Member Login">Member Login</a></li> <li class="toplast"><a href="contact.html" title="Contact Info.">Contact Info.</a></li> </ul> </div> </div> <div class="clr"></div> <div class="body"> <div class="body_bg"> <h2>Member's Only </h2> <?php if ($_SESSION['membername'] != null) { // print "<META HTTP-EQUIV='Refresh' content='0;URL=updatemember.php'>"; echo "You are already logged in. Please wait to be redirected to the members page, or <a href=\"members.php\">click here</a> if you are not automatically redirected. User name for the session is ".$_SESSION['username'].", the member name is ".$_SESSION['membername']; print "<META HTTP-EQUIV='Refresh' content='5;URL=members.php'>"; //header("Location: members.php"); //exit; } else { ?> <form name="admin" method="post" action="userlogon.php"> <table width="891" border="0" cellspacing="5" cellpadding="5"> <tr> <td height="80" colspan="2" align="left"><p>Please enter you username and password. Don't remember your password, <u><strong><a href="password.php">click here</a></strong></u><strong><a href="password.php"></a></strong>.</td> <td width="360" rowspan="5" align="center" valign="middle"><img src="images/login_image.jpg" width="239" height="314" /></td> </tr> <tr> <td width="257" height="38" align="right"><p><strong>Username:</strong></td> <td width="224" align="left"><input type="text" name="username"></td> </tr> <tr> <td height="38" align="right"><p><strong>Password:</strong></td> <td align="left"><input type="password" name="password"></td> </tr> <tr> <td height="34"> </td> <td align="left"><input type="submit" class="yellowbutton" name="submit" value="Sign In"></td> </tr> <tr> <td colspan="2"><p>To register for a username and password with Phi Gamma, please <u><strong><a href="register.php">click here</a></strong></u><strong><a href="password.php"></a></strong>.</td> </tr> </table> </form> <?php } ?> <p> </p> <div class="clr"></div> </div> <div class="clr"></div> </div> </div> <div class="footer"> <div class="footer_resize"> <p class="center"> <a href="index.html">Home</a> | <a href="contact.html">Contact</a> </p> <div class="clr"></div> </div> <div class="clr"></div> </div> </body> </html> After the credentials are entered the user is returned back to the login page and NOT the member's page. This is the userlogon.php page: Code: [Select] <?php $link = mysql_connect('localhost:/tmp/mysql5.sock', 'dbuser', 'dbpw'); if (!$link) { die('Could not connect: ' . mysql_error()); } //mysql_close($link); if (!mysql_select_db('db_name', $link)) { echo 'Could not select database'; exit; } $username = $HTTP_POST_VARS["username"]; $password = $HTTP_POST_VARS["password"]; $member_id = ''; $role = ''; $firstname = ''; // Formulate Query // This is the best way to perform a SQL query // For more examples, see mysql_real_escape_string() $query = sprintf("SELECT users.member_id, users.username, users.password, users.role, FROM users join members on users.member_id = members.member_id WHERE users.username ='%s' AND users.password='%s'", mysql_real_escape_string($username), mysql_real_escape_string($password)); // Perform Query $result = mysql_query($query); // Check result // This shows the actual query sent to MySQL, and the error. Useful for debugging. if (!$result) { $message = 'Invalid query: ' . mysql_error() . "\n"; $message .= 'Whole query: ' . $query; die($message); } // Use result // Attempting to print $result won't allow access to information in the resource // One of the mysql result functions must be used // See also mysql_result(), mysql_fetch_array(), mysql_fetch_row(), etc. while ($row = mysql_fetch_assoc($result)) { $member_id = $row['member_id']; $username = $row['username']; $role = $row['role']; } if ($member_id != ''){ session_start(); $_SESSION['membername'] = $username; $_SESSION['username'] = $username; $_SESSION['memberid'] = $member_id; $_SESSION['role'] = $role; print "<META HTTP-EQUIV='Refresh' content='0;URL=members.php'>"; } else { print "<META HTTP-EQUIV='Refresh' content='0;URL=memberlogin.php'>"; } // Free the resources associated with the result set // This is done automatically at the end of the script mysql_free_result($result); ?> It worked fine before the migration??? Anyone know where the problem is? Hello everyone, I have a question. I'm trying to figure out a way to make it so that when a user visits a page for a certain file, they are given the file to download but can't see the link to that file. Example: There is a file on http://serverB.com/file.rar A person goes to http://serverA.com/?file=file.rar They can download http://serverB.com/file.rar without seeing the link to that file. Is there any way to do this? Thanks. I have my template files and some functions in my server which are available for direct reach. like ; my "index.php" file includes "loginpage.php" form which is ok when I enter www.site.com/index.php but also when I enter to www.site.com/loginpage.php it works and shows me just login page. So this is what I dont want. How can I prevent to reach the files directly like this, I want them to work just for other pages of my website, not for directly seeing. By the way can this problem also be solved by hosting settings or mod_rewrite ? Trying to sort out setting a cookie that allows visitor to decide which sub domain to go directly to in subsequent visits. Somewhat complicated by the fact that the sub domains are running seprate instances of wordpress. Here's the code... any suggestions appreciated! Code: [Select] <?php if (isset($_POST['submitted'])) { $site=$_POST['site']; setcookie("SitePref",$site, time() + 60*60*24*30, 'historybee.com'); if ($site == 'ms') { header("Location: http://ms.historybee.com/"); } elseif ($site == 'hs') { define('WP_USE_THEMES', true); require('./wp-blog-header.php'); } } else { //if we have a cookie, load the site if (isset($_COOKIE['SitePref'])) { if (($_COOKIE['SitePref']) == 'hs') { define('WP_USE_THEMES', true); require('./wp-blog-header.php'); } else { header("Location: http://ms.historybee.com/"); } } else { //if we don't have a cookie, load the form ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>The National History Bee</title> </head> <body style="margin:0;padding:0;background: url('http://ms.historybee.com/wp-content/themes/makinghistoryblue/img/body_bg_hb5.jpg') repeat-x scroll center top #F2BF3B;"> <div align="center" style="width:800px;margin:0 auto;background:#fff;"> <p><img src="http://ms.historybee.com/wp-content/themes/makinghistoryblue/img/nhb_logo.png"> <p><h1>Welcome to the National History Bee!</h1> <p>The National History Bee has both High School and Middle School competitions. <p>Please choose which site you would like to visit. Your choice will be remembered for 30 days. <form action= "<?php echo $_SERVER['PHP_SELF']; ?>" method ="POST"> <input type="radio" name="site" value="ms"> Middle School Competition <input type="radio" name="site" value="hs"> High School Competition <input type ="hidden" name="submitted" value="true"> <p><input type="submit" value="Remember My Choice"> </form> <br /><br /><br /> </div> </body> </html> <?php } } ?> I've just done a Contact Me form. Once a message has been sent, I'd like to direct the user to a new page saying 'thanks for getting in touch', just so it's clear the message has been sent. What's the best function to use for that? I tried require("message.php") and include() but the two files got mixed up and all I got was a mess! Thanks in advance for any help I just finished a page of code that passes all the debug tests except for the very last line on the page. </html>. The page has php and html, java script and some SQL. (see I'm learning and hadn't placed a post until I exhausted my limited resources. The Error Codeis: PHP Parse error: syntax error, unexpected $end in C:\wamp\www\registerform.php on line 292 Here's my concern: I read this error statement as an error()is missing. Please clarify something for me, You start the php code with <?php and end it with ?>. I also understand that the end() will stop all further operation. Correct. When you have a form call itself for data checking, and if the data is correct, send it to the appropriate database table, does one need to place the end() at the end of the php portion of the code? And if so, will it not stop any of the code from being read the first time the page is called? Also since the FORMs action calls for the page to load itself for data verification, how at the end of the checking do I go call another page? here's the page: The page is attached: Hi, I found a code for login page on web which would check against the database and login, I wanted to modify it so that once the password is verified the user will be directed to a new page with the session variables also active. I read about " header()" functionality which would achieve this so i added this to the code but my code seems to fail with the error "Cannot modify header information - headers already sent by (output started at C:\xampp\phpMyAdmin\scripts\login1.php:7) in C:\xampp\phpMyAdmin\scripts\login1.php on line 10 " The code for login1.php is as below- For quick understanding i have removed all the section related to DB validation ..so the below code must activate the next page "add_entry2.php" immediately after submit button is pressed. Please see below.. Thanks in advance. Code: [Select] <html> <head> <title>Login</title> </head> <body> <?php if (isset($_POST['submit'])) {if(!$_POST['uname'] | !$_POST['passwd']){die('You did not fill in a required field.'); } header('Location: add_entry2.php');} else {// if form hasn't been submitted ?> <h1>Login</h1> <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> <table align="center" border="1" cellspacing="0" cellpadding="3"> <tr><td>Username:</td><td> <input type="text" name="uname" maxlength="40"> </td></tr> <tr><td>Password:</td><td> <input type="password" name="passwd" maxlength="50"> </td></tr> <tr><td colspan="2" align="right"> <input type="submit" name="submit" value="Login"> </td></tr> </table> </form> <?php } ?> </body> </html> Hello, I want to prevent this page from being directly accessed by all via just putting its address in the address bar: http://www.mysite.com/page1/page2/signup.php I want to allow to be accessed this page only via clicking on a link in a particular page like: http://www.mysite.com/activate/index.php Please help me. we have already see the facility in website gmail and facebook that when user log-in successfully then its redirects the page to another page automatically, can someone tell me how to redirect the page when log-in becomes successful ?
User tries to Log-in -> create session variable -> now redirect the page
I can verify user account details and set the session variable at the same time, but how to reload the page so that it finds the session and reload itself and then redirect the page to new page ??
Thanks for sparing your time here !!
Hello, I'm having some major major issues, with a web hosting / PHP / MySQL database issue and if anyone can help that would be amazing! Okay first I have a MySQL database setup, with a table called "staff", within that there is a "username" and "password" field pretty self explanatory. I have a login in page (login.php) see first set of coding and a loginaction (loginaction.php) and what is suppose to happen is the loginaction checks the posted data against the database and if correct relocate to another page. I have had this coding and much more complex coding working on various other servers, but this is the first time I've ever dealt with BT Business webhosting, which is pretty useless right now and poor help to date from technicians who say it is a purely a coding issue. From what I have established I believe that the issue is occuring because BT don't have the apache server setup correctly for what I'm trying to do or that the browser is seeing the "$result" on "loginaction.php" and data, resulting in a white page of certain doom! Please help!! login.php [<?php include "sections/phparea.php";?> <?php include "sections/header.php";?> <?php include "sections/left.php";?> <!-- start content --> <div id="content"> <?php // Include the formatted error message if (isset($_SESSION['message'])) echo "<h4>".$_SESSION['message']."</h4>"; // Generate the login <form> layout ?> <form action="loginaction.php" method="post" enctype="multipart/form-data"> <table class="tablelogin" > <tr> <td> <label for="email">E-mail Address</label> </td> <td> <input type="text" name="email" id="email" /> </td> </tr> <tr> <td> <label for="password">Password</label> </td> <td> <input type="password" name="password" id="password" /> </td> </tr> <tr> <td> </td> <td> <a href="../ambustar/accountrecovery.php">Forgotten Password?</a> </td> </tr> <tr> <td> </td> <td> </td> </tr> <tr> <td> </td> <td> <input type="hidden" name="count" id="count" value="1" /> <input type="reset" name="reset" id="reset" value="Clear" /> <input type="submit" name="submit" id="submit" value="Log in" /> </td> </tr> </table> </form> </div> <!-- end content --> <?php include "sections/right.php";?> <?php include "sections/footer.php";?> ] loginaction.php [<?php session_start(); include "dbconnect.php"; $email =$_POST["email"]; $password =$_POST["password"]; $query = "SELECT * FROM staff WHERE username = '$email' AND password = '$password'"; $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); // see if any rows were returned if (mysql_num_rows($result) > 0) { header("Location: test.php"); } else { header("Location: login.php"); } ?> ] dbconnect.php [<?php $hostname = "sql5c30a.carrierzone.com"; $username = "user"; $password = "password"; $databaseName = "main_bikescarsandvans_co_uk"; $connection = mysql_connect($hostname, $username, $password); // or die ("Unable to connect!") mysql_select_db($databaseName) or die ("Unable to select database!"); ?> ] I know that magic __get and __set are invoked automatically when an object is instantiated, but what about stuff like getName() and setName() Code: [Select] class NameClass { private $_name; public function getName() { return $this->_name; } public function setName($value) { $this->_name = $value; } } $someName = new NameClass(); $someName->setName('Bob'); echo $someName->getName(); 1. Could the setName() and getName() just as easily be named something generic like: hotName() coldName() Code: [Select] class NameClass { private $_name; public function hotName() { return $this->_name; } public function coldName($value) { $this->_name = $value; } } $someName = new NameClass(); $someName->coldName('Bob'); echo $someName->hotName(); 2. Also, the setName() and getName() methods must be called manually, right? Unless they are manually called, they just sit there, do nothing, am I correct? Thanks |
|||||||