PHP - Block Direct URL Access To File, But Allow The URL To Be Passed Via Iframe Src?

Please, it is very important!!

I have a script (main file is index.php) that is called into an iframe src via a URL reference: http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php works perfectly! How can I prevent someone getting direct URL access to the file? If someone were to take the URL http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php and place it into the address bar, they have access to the file.

Points to note:
- I have no database for this script.
- The iframe is called directly into an HTML file.
- I don't know the userfolder or the emailfolder names.
- The index.php is linked to several other .php, .js and .html files in different folders.

I can add something like this to these files (I found this on the net). Add this to the page that you want to only be included:

Code:
<?php if(!defined('MyConst')){die('Direct access not permitted');} ?>

then on the pages that include it add

Code:
<?php define('MyConst', TRUE); ?>

This will prevent the files being accessed, but then I can't access the file via the iframe URL. Please, any ideas???

Best regards,
Tony

Similar Tutorials

Hi, I am struggling to find an answer here. If, for example, my iframe source, file.php, has an initcheck/direct access block, how can I still have access to it in an iframe?

Code:
<center><iframe name="frame1" id="frame1" style="width: 100%; height: 120px; z-index: 0; " scrolling="0" src="file.php" frameborder="0"></iframe></center>

Then file.php has an initcheck and itself includes multiple other files, so I can't remove the initcheck.

Code:
// header of file.php
// ################################################################
defined( '_MYAPP_INITCHECK' ) or die( '' );
// ################################################################

Hello everyone, what is the best method of blocking direct access to certain files like functions, modules, etc.? I was trying the

Code:
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

method, but I feel like there must be a more convenient/better way. Any suggestions are appreciated, thank you.

I've got a question; I thought I'd be able to do this fairly easily. I don't want to do an .htaccess solution either. I tried this:

Code:
define('ACCESS', TRUE);
// then on other page
if(!defined('ACCESS')){die('Direct access not allowed.');}

Need some assistance, appreciated. I have solved this now.

A shipping vendor (like Stamps.Com) provides me a Printable Shipping Label to display on my website for Visitors to print.
When Visitors come to my page, my PHP code:

Code:
$Shipping_Label_Data = $LabelVendor->data[0]->contents; // vendor's API
echo '<img src="/Label-Directory/'.$Order_Number.'.png" />';

Later I realized the security flaw: any snooper can fish for other Visitors' labels in my Label directory. What is the best way to prevent the display of other people's labels? Thank you!!

I use jQuery when adding messages. However, the file can be called directly. For example: includes/add_comment.php?id=2. So I can make a form and call this file directly to add a message. ID is the user id, and the form can be submitted with an HTML form wherever it is located. How do I prevent direct access to the file when it is called through Ajax?

I have a PHP form for uploading a file, and the action sends to upload.php. How can I avoid any kind of direct access to upload.php? I want to kill the PHP process at the first line without performing the remaining code (it is very critical for me as I have a counter), except for calls coming from form.php.

I want to perform a PHP process initiated by AJAX according to the method described in http://www.w3schools.com/PHP/php_ajax_database.asp. With this line

Code:
xmlhttp.open("GET","getuser.php?q="+str,true);

the PHP process in getuser.php is initiated. But how can I restrict direct access to getuser.php? If someone visits getuser.php?q=something, the process will be started for "something". I want to run the getuser.php process only when it is initiated from my main page.

I am using the debug_backtrace() PHP function to prevent direct access to admin files. I simply place the code below at the top of a page, e.g. config.php, and direct access via the browser is prevented. Is it a safe practice or is there a better way of doing it?
Code:
<?php debug_backtrace() || die ("Direct access to this resource is forbidden"); ?>

Thanks

I've just done a Contact Me form. Once a message has been sent, I'd like to direct the user to a new page saying 'thanks for getting in touch', just so it's clear the message has been sent. What's the best function to use for that? I tried require("message.php") and include(), but the two files got mixed up and all I got was a mess! Thanks in advance for any help.

Hi, hope someone can help me please. I have constructed an audio dictionary and have discovered an error now that I have added a few entries to the database. A user can search the database and can click on a result to be taken to the content associated with the entry he chooses. This is the search function:

Code:
// the search term comes straight from the form; escape it before it goes into the query
$search = mysql_real_escape_string($_POST["search"]);
// get the mysql rows and store them in $result
$result = mysql_query("SELECT word FROM pro_words WHERE word LIKE '%$search%'");
// get the db content that is specified above
if (mysql_num_rows($result) < 1) {
    echo "<br><br><h2> We didn't find anything. Sorry - we did look though.</h2>";
} else {
    echo '<table align="center" cellspacing="8" cellpadding="8" width="85%"><tr><td align="left"><b>Word</b></td></tr>';
    echo "<br><br><h2>Success! Here's what we found:</h2><br>";
    // MYSQL_ASSOC is the constant for the mysql_* extension (the original used MYSQLI_ASSOC)
    while ($r = mysql_fetch_array($result, MYSQL_ASSOC)) {
        echo '<h2><tr><td align="left"><a href="word.php?w=' . $r['word'] . '">' . $r['word'] . '</a></td></tr></h2>';
    }
}

You will see that content is displayed in a new file called word.php. This is the relevant code from word.php:

Code:
$query = "SELECT word,word_type1,sentence1,word_type2,sentence2,word_type3,sentence3 FROM pro_words";
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
    echo '<div class="colmask rightmenu">';
    echo '<div class="colleft">';
    echo '<div class="col1">';
    echo '<p>Here are some example sentences that show how we use the word; </p>';
    echo '<div id="small"><i> ' . $row['word_type1'] . '</i></div>';
    echo '<p><div id="small">' . $row['sentence1'] . '</p></div>';
    echo '<div id="small"><i> ' . $row['word_type2'] . '</i></div>';
    echo '<p><div id="small">' . $row['sentence2'] . '</p></div>';
    echo '<div id="small"><i> ' . $row['word_type3'] . '</i></div>';
    echo '<p><div id="small">' . $row['sentence3'] . '</p></div>';
}

The problem is that every entry on the database is echoed in word.php, whereas I would like only the entries for the word selected to appear. Thanks in advance for any help; do say if you need more info.

I am attempting to get my email form with file attachment to work. Apparently the file is not getting to the validation portion of the page. I have switched $_FILES['X'] on line 203 from file to fakefile, as they are labeled in the form. Also, I am employing CSS hacks to change the input file upload field to have a custom button; example -> http://visualrealityink.com/dev/clients/arzan/snell_form_final/form.php. Here is my code. I appreciate any help.

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style>
#form_container{ display:block; position:absolute; width:610px; min-height:450px; background:#f8f8f8; padding: 5px 5px 5px 5px; font-family:Arial, Helvetica, sans-serif; font-size:14px; }
#form { min-height:450px; width:100%; background:#ececec; padding:0 0 0 0; }
#formheader { background:url(images/form2_08.png) no-repeat #2f2f2f; margin:0 0 0 0; padding:0 0 0 0; width:631px; height:30px;}
form{margin:35px 0 0 35px;}
fieldset div { margin:0.3em 0; clear:both; }
label { float:left; width:10em; text-align:left; margin-right:1em; font-family:Arial, Helvetica, sans-serif; font-size:14px; }
input { padding:0.15em; margin:0 0 0 -110px; width:300px; background:url(images/inputbg.png) no-repeat; border:0px solid #ddd; background:#fafafa; -moz-border-radius:0.4em; -khtml-border-radius:0.4em; }
.bg2{background:url(images/inputbg.png) no-repeat; height:28px; line-height:28px;}
fieldset { border:0px solid #ddd; padding:0 0.5em 0.5em; margin:0 0 0 -100px; }
#details{font-size:10px;}
#logo{background:url(images/form2_11.png) no-repeat; width:189px; height:238px; margin:-200px 0 0 400px; position:absolute;}
#submit{margin:14px 0 0 -5px; border:none; position:absolute; cursor:pointer; cursor:hand;}
#reset{border:none; margin:14px 0 0 115px; position:absolute; cursor:pointer; cursor:hand; }
#divinputfile{ background:url(images/form2_27.png) no-repeat 100% 1px; height:43px; line-height:43px; width:340px; }
#divinputfile #filepc{ opacity: 0.0; -moz-opacity: 0.0; filter: alpha(opacity=00); font-size:18px; margin:0 0 0 0; cursor:hand; cursor:pointer; }
#fakeinputfile{ margin-top:-28px; }
#fakeinputfile #fakefilepc{ background:url(images/inputbg2.png) no-repeat; style:none; width:240px; height:28px; line-height:28px; border:0; margin:5px 0 0 0; font-size:18px; font-family:Arial; }
button { cursor: hand; cursor: pointer; padding: 0px; margin: 0 0 0 0; }
a.link_button{ cursor: hand; cursor: pointer; }
.fileupload{ margin:0 0 0 50px; }
input[type="file"] { cursor: pointer; }
.error{font-size:9px; font-family:Arial, Helvetica, sans-serif; color:#F00; }
.error ul { text-decoration: none; list-style: none; }
.error li { color: #F00;}
.captcha_form { margin: 0 0 0 -45px; width:235px; }
#captchaimage{ padding:0 0 10px 0;}
.small { font-size:9px;}
</style>
</head>
<body>
<?php
// empty() avoids an undefined-index notice on the first (GET) visit
if (!empty($_POST['_submit_check'])) {
    // If validate_form() returns errors, pass them to show_form()
    if ($form_errors = validate_form()) {
        show_form($form_errors);
    } else {
        // The submitted data is valid, so process it
        process_form();
    }
} else {
    // The form wasn't submitted, so display it
    show_form();
}

function show_form($errors = '') {
    // If the form is submitted, get defaults from submitted parameters
    if (!empty($_POST['_submit_check'])) {
        $defaults = $_POST;
    } else {
        // Otherwise, set our own defaults
        $defaults = array('IssueDate' => '', 'ExpiryDate' => '');
    }
    if ($errors) {
        // build a proper <ul>; the original put no <li> before the first error
        $error_text = 'You need to correct the following errors:';
        $error_text .= '<br /><ul><li>';
        $error_text .= implode('</li><li>', $errors);
        $error_text .= '</li></ul>';
    } else {
        // No errors? Then $error_text is blank
        $error_text = '';
    }
    include 'formhelpers.php';
?>
<div id="form_container">
<div id="form">
<br />
<div id="formheader"> </div>
<form method="POST" action="<?php print htmlspecialchars($_SERVER['PHP_SELF']); ?>" enctype="multipart/form-data">
<span class="error"> <?php print $error_text ?> </span>
<input type="hidden" name="_submit_check" value="1"/>
<div> <label for="name">Name: </label> <?php input_text('name', $defaults) ?> </div>
<div> <label for="email">Email:</label> <?php input_text('email', $defaults) ?> </div>
<div> Attach Resume: <span class="small">(1MB : PDF : DOC : DOCX : TXT)</span> </div>
<div>
<!--<input type="hidden" name="MAX_FILE_SIZE" value="1000000" /> <label for="userfile"></label> <input type="file" name="userfile" id="userfile"/> </div>-->
<div id="divinputfile">
<input name="file" type="file" size="30" id="filepc" onchange="document.getElementById('fakefilepc').value = this.value;"/>
<div id="fakeinputfile"> <input name="fakefile" type="text" class="link_button" id="fakefilepc" /> </div>
</div>
</div>
<div id="captchaimage"><img id="captcha" src="/securimage/securimage_show.php" alt="CAPTCHA Image" /></div>
<div><label for="email"><a style="text-decoration: none" href="#" onclick="document.getElementById('captcha').src = 'securimage/securimage_show.php?' + Math.random(); return false">New Captcha: </a></label> <input type="text" name="captcha_code" class="captcha_form" size="10" maxlength="6" /> </div>
<button type="submit" value="submit" id="submit" ><img src="images/form2_33.png" /></button>
<button type="reset" value="reset" id="reset" ><img src="images/form2_37.png" /></button>
</form>
</div>
<div id="logo"></div>
</div>
<?php
}

function validate_form() {
    $errors = array();
    // name is required
    if ($_POST['name'] == "") {
        $errors[] = 'Please enter your name.';
    }
    if (! strlen(trim($_POST['email']))) {
        $errors[] = 'Please enter your Email.';
    }
    if (! preg_match('/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', $_POST['email'])) {
        $errors[] = 'Please enter a valid e-mail address';
    }
    $filename = $_FILES['file']['name'];
    // For size
    if ($_FILES["file"]["size"] > 1000000) { // 1 MB
        $errors[] = "File size should be less than 1MB";
    }
    // for extension (end() needs a variable, not the result of explode())
    $parts = explode('.', $filename);
    $ext = strtolower(end($parts));
    if ($ext == 'doc' || $ext == 'txt' || $ext == 'pdf' || $ext == 'docx') {
        // echo "write the code to upload file"; // debugging output removed from the page
        $max_allowed_file_size = 1024; // size in KB
        $name_of_uploaded_file = basename($_FILES['file']['name']);
        // get the file extension of the file
        $type_of_uploaded_file = substr($name_of_uploaded_file, strrpos($name_of_uploaded_file, '.') + 1);
        $size_of_uploaded_file = $_FILES["file"]["size"] / 1024; // size in KBs
        // copy the temp. uploaded file to uploads folder
        $upload_folder = 'upload/';
        $path_of_uploaded_file = $upload_folder . $name_of_uploaded_file;
        $tmp_path = $_FILES["file"]["tmp_name"];
        if (is_uploaded_file($tmp_path)) {
            if (!copy($tmp_path, $path_of_uploaded_file)) {
                echo 'error while copying the uploaded file';
                die();
            }
        }
    } else {
        $errors[] = "Only doc or pdf or txt file is allowed: $filename ";
    }
    return $errors;
}

function process_form() {
    $image = "http://www.visualrealityink.com/dev/clients/arzan/snell_form/images/email.png";
    include_once('Mail.php');
    include_once('Mail_Mime/mime.php');
    $to = 'george@visualrealityink.com';
    $subject = 'Resume submitted on the website'; // was never defined in the original
    // same path validate_form() copied the upload to; the original read an undefined variable here
    $path_of_uploaded_file = 'upload/' . basename($_FILES['file']['name']);
    // the original read $values['name'] and $formValues['email'], neither of which exists
    $text = $image . "<br />" . $_POST['name'] . " submitted a resume on our website. Please review the applications and contact the candidate if their resume is a fit for any open opportunities with the company. <br><br> Thank you. <br><br> SEI Team";
    $message = new Mail_mime();
    $message->setTXTBody($text);                 // original: $message=setTXTBody($text) (undefined function)
    $message->addAttachment($path_of_uploaded_file);
    $body = $message->get();
    $extraheaders = array("From" => $_POST['email'], "Subject" => $subject, "Reply-To" => $_POST['email']);
    $headers = $message->headers($extraheaders);
    $mail = Mail::factory("mail");
    $mail->send($to, $headers, $body);
    echo "email sent";
}
?>
</body>
</html>

Can this be done easily enough with PHP? I've attached my current code below, but don't see how I could add this in.

Code:
$name = $_FILES['file']['name'];
$temp = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];
$random = md5(uniqid(rand(), true));
$random = substr($random, 0, 20);
if (!$name || !$temp || !$size) {
    echo "Go back and select a file.";
    exit();
}
// $extensions was not defined in the posted snippet; an allow-list is assumed here
$extensions = array('jpg', 'jpeg', 'png', 'gif');
foreach ($_FILES as $file) {
    if ($file['tmp_name'] != null) {
        $thisext1 = explode(".", strtolower($file['name']));
        $thisext = $thisext1[count($thisext1) - 1];
        if (!in_array($thisext, $extensions)) {
            echo "That file type is not allowed.";
            exit();
        }
    }
}

Hi, I want the user to be able to only read my article but not download it, neither with "save page as" nor with "view source", not even by selecting text and copying and pasting. Is there any solution in PHP to do that?
Please help. Thanks.

Hi guys, I am making a site where users upload files (like images, PDFs, etc.) to the server. My question is, how does Facebook handle file permissions, restricting access to files uploaded to their servers based on what a user sets? Because I need to implement a similar thing and have no idea how to do it in a clean way. I have had two thoughts on storing the files: 1) in a DB or 2) in a folder outside the wwwroot, which would prevent access by anyone without knowing the path (or some such), but it is the more "real" permissions implementation I am stuck on. I obviously would like to achieve this with PHP and MySQL(i). Any help is much appreciated. Cheers in advance.

Is it possible to allow a script running on another server to write/read a specific file on my server? I can set file permissions, but I'm not having any luck with file paths due to PHP 5 blocking http:// URLs.

Hello everybody, this is my first topic here and I hope I will find the solution for my problem. I want to restrict access to a file (for example: http://www.mysite.com/files/file0000.zip) to just a specific IP that will be read from the database, and also store all other IPs trying to access this file. Can this be done, maybe through some PHP and htaccess? Thank you for any help or any other ideas.

I have a file that an ajax function calls on my site, and I want to make sure only the right pages access it. For example, I have a page called home (home.php) and on that page I have an ajax call, which calls a file called ajax.php. I want to make sure that when ajax.php is being executed, it is being executed via an ajax call which is coming from the home page. Is this possible?

Hi. By the way, the server this site is hosted on is flipping fast! I'm still a PHP beginner. I have a PHP file; the entire code is here:

Code:
<?php get_header(); ?>
<?php if(!is_paged()) { ?>
<div id="top" class="clearfloat">
  <div id="headline">
    <?php if ( function_exists('show_nivo_slider') ) { show_nivo_slider(); } ?>
  </div>
  <div id="featured">
    <?php if ( !function_exists('dynamic_sidebar') || !dynamic_sidebar(8) ) : ?>
    <?php endif; ?>
  </div>
</div>
<div id="middle" class="clearfloat">
  <?php $display_categories = array(7, 13, 17, 18, 1528); $i = 1; foreach ($display_categories as $category) { ?>
  <div id="cat-<?php echo $i; ?>" class="category">
    <?php query_posts("showposts=1&cat=$category")?>
    <span class="cat_title"><a href="<?php echo get_category_link($category);?>"><?php single_cat_title(); ?></a></span>
    <a href="<?php echo get_category_link($category);?>"></a>
  </div>
  <?php $i++; ?>
  <?php } ?>
</div>
<?php } ?>
<div id="bottom" class="clearfloat">
  <div id="front-list">
    <?php $page = (get_query_var('paged')) ? get_query_var('paged') : 1; query_posts("cat=-27,-28&paged=$page&posts_per_page=10"); ?>
    <?php while (have_posts()) : the_post(); ?>
    <div class="clearfloat">
      <h3 class="cat_title"><?php the_category(', '); ?> »</h3>
      <div class="title"><a href="<?php the_permalink() ?>" rel="bookmark"><?php the_title(); ?></a></div>
      <div class="meta">[<?php the_time('j M Y') ?> | <?php comments_popup_link('No Comment', 'One Comment', '% Comments');?> | <?php if(function_exists('the_views')) { the_views(); } ?>]</div>
      <div class="spoiler">
        <?php $values = get_post_custom_values("Image"); if (isset($values[0])) { ?>
        <a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title(); ?>">
        <img src="<?php bloginfo('template_url'); ?>/scripts/timthumb.php?src=/<?php echo $values[0]; ?>&w=150&h=150&zc=1&q=100" alt="<?php the_title(); ?>" class="left" width="150px" height="150px" /></a>
        <?php } ?>
        <?php the_excerpt(); ?>
      </div>
    </div>
    <?php endwhile; ?>
    <div class="navigation">
      <?php if(function_exists('wp_pagenavi')) { wp_pagenavi(); } else { ?>
      <div class="right"><?php next_posts_link('Next Page »') ?></div>
      <div class="left"><?php previous_posts_link('« Previous Page') ?></div>
      <?php } ?>
    </div>
  </div>
<?php get_sidebar(); ?>
</div>
<?php get_footer(); ?>

I want to remove the following block on lines 19 to 33 because I don't need it:

Code:
<?php $display_categories = array(7, 13, 17, 18, 1528); $i = 1; foreach ($display_categories as $category) { ?>
<div id="cat-<?php echo $i; ?>" class="category">
  <?php query_posts("showposts=1&cat=$category")?>
  <span class="cat_title"><a href="<?php echo get_category_link($category);?>"><?php single_cat_title(); ?></a></span>
  <a href="<?php echo get_category_link($category);?>"></a>
</div>
<?php $i++; ?>
<?php } ?>
</div>
<?php } ?>

But when I remove that I get the "unexpected end of file" error, with references to <?php get_footer(); ?>. I need to understand why this is happening, not just how to fix it (although I need that too). My suspicion is one of the endif's.
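Several of the posts above (the iframe src question, the Ajax endpoint questions, and the shipping-label directory) run into the same limit: a `define()`/`defined()` guard or `debug_backtrace()` only tells a PHP file whether it was reached through `include` or as the script the web server ran, and a browser fetching an iframe src or an Ajax URL is a plain HTTP request exactly like typing the URL into the address bar. `Referer` and `X-Requested-With` are set by the client and cannot be relied on either. What actually separates "my page showed it to the right user" from "someone guessed the URL" is a server-side authorization check. The following is an added example, not code from any post on this page: the embedding page (reached only by a logged-in user) issues a short-lived HMAC-signed URL bound to that user, and a gate script checks session, signature and expiry before streaming the file from a directory outside the web root. `serve.php`, `$_SESSION['user_id']`, `SECRET_KEY`, `TTL_SECONDS` and the `/var/app/private` path are assumptions of this example.

```php
<?php
// Added example: signed, expiring, per-user file URLs for an iframe or Ajax call.
// Not from any post above. Assumed names: serve.php, $_SESSION['user_id'],
// SECRET_KEY, TTL_SECONDS, and a per-user storage root outside DocumentRoot.

const SECRET_KEY  = 'placeholder-replace-with-32-random-bytes'; // keep out of the web root
const TTL_SECONDS = 300;                                         // a URL works for five minutes

function file_token(string $userId, string $file, int $expires): string
{
    // The tag covers owner, file name and expiry, so a leaked URL cannot be
    // re-pointed at another file or reused from another user's session.
    return hash_hmac('sha256', "$userId|$file|$expires", SECRET_KEY);
}

// Called by the page that embeds the iframe / fires the Ajax request.
function signed_file_url(string $userId, string $file, int $now): string
{
    $expires = $now + TTL_SECONDS;
    return '/serve.php?' . http_build_query([
        'f' => $file, 'e' => $expires, 't' => file_token($userId, $file, $expires),
    ]);
}

// Gate: returns the absolute path to stream, or null when the request is refused.
function authorize_request(array $get, array $session, string $privateDir, int $now): ?string
{
    $userId  = $session['user_id'] ?? null;          // no login, no file
    $file    = basename((string)($get['f'] ?? ''));  // basename() drops any ../ traversal
    $expires = (int)($get['e'] ?? 0);
    $token   = (string)($get['t'] ?? '');

    if ($userId === null || $file === '' || $expires < $now) {
        return null;                                  // unauthenticated or expired
    }
    if (!hash_equals(file_token((string)$userId, $file, $expires), $token)) {
        return null;                                  // forged, tampered, or another user's session
    }
    // Files live under <privateDir>/<userId>/, so user A can never resolve a
    // path inside user B's folder (the shipping-label problem above).
    $path = $privateDir . '/' . $userId . '/' . $file;
    return is_file($path) ? $path : null;
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed data: php serve_example.php
    $dir = sys_get_temp_dir() . '/private_' . bin2hex(random_bytes(4));
    mkdir("$dir/42", 0700, true);
    file_put_contents("$dir/42/label-1001.png", 'constructed sample bytes');
    $now = time();

    $url = signed_file_url('42', 'label-1001.png', $now);
    parse_str((string)parse_url($url, PHP_URL_QUERY), $q);

    $cases = [
        'owner, fresh URL'         => [$q, ['user_id' => '42'], $now],
        'other user, same URL'     => [$q, ['user_id' => '7'], $now],
        'no session (address bar)' => [$q, [], $now],
        'owner, URL after expiry'  => [$q, ['user_id' => '42'], $now + TTL_SECONDS + 1],
        'owner, path traversal'    => [['f' => '../../etc/passwd'] + $q, ['user_id' => '42'], $now],
    ];
    foreach ($cases as $label => [$get, $sess, $t]) {
        $res = authorize_request($get, $sess, $dir, $t);
        printf("%-26s -> %s\n", $label, $res === null ? 'refused' : 'served');
    }
    // Only the first case is served; the other four are refused.
} else {
    // serve.php under the web server: gate, then stream with headers that keep
    // the file inside this site's own frames.
    session_start();
    $path = authorize_request($_GET, $_SESSION, '/var/app/private', time()); // assumed storage root
    if ($path === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('X-Frame-Options: SAMEORIGIN');
    header('Cache-Control: private, no-store');
    readfile($path);
}
```

The embedding page writes `<iframe src="<?php echo htmlspecialchars(signed_file_url($_SESSION['user_id'], 'label-1001.png', time())); ?>">` (or hands the same URL to `xmlhttp.open`), so the iframe and the address bar are treated identically: both are served only while the session belongs to the file's owner and the signature is fresh. The `defined('MyConst')` style guard from the first post still has its place for files that are only ever `include`d; it just cannot protect an endpoint that the browser itself must be allowed to request.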