markthien Posted February 27, 2009 Share Posted February 27, 2009 Hi, i store all my php scripts under /bin folder like process-signup.php. if user directly go to http://www.menggaris.com/bin/process-signup.php, then the script will eventually executed and data will be saved into database. user should go to signup.php first. how can I prevent this situation from happening? I am wondering like is there anyway to detect if user directly access process-signup.php instead of accessing from signup.php Thanks & regards, Mark Quote Link to comment Share on other sites More sharing options...
valtido Posted February 27, 2009 Share Posted February 27, 2009 try if (stristr(htmlentities($_SERVER['PHP_SELF']), "process-signup.php")) { header("Location: hackAttempt.php"); exit(); } im not sure it will be 100% safe but phpbb script uses that Quote Link to comment Share on other sites More sharing options...
valtido Posted February 27, 2009 Share Posted February 27, 2009 oh forgot to mention that it should be at the very top of the page lol otherwise ppl can still see wotever its above it. Quote Link to comment Share on other sites More sharing options...
phpdragon Posted February 27, 2009 Share Posted February 27, 2009 setup a session variable on signup.php and do a header redirect if the variable is not set in your process_signup.php script Quote Link to comment Share on other sites More sharing options...
valtido Posted February 27, 2009 Share Posted February 27, 2009 thats not a good idea. because i could open the setup.php on one window and then process-setup.php on another. Quote Link to comment Share on other sites More sharing options...
markthien Posted February 27, 2009 Author Share Posted February 27, 2009 someone said that preferably the php script should put outside the document root. How should I put the process-signup.php outside the document root folder? for example, consider the following code : <form id="signup_form" action="bin/process-signup.php" method="post"> <input type="text" name="name" id="name"/> <input type="text" name="email" id="email"/> <input type="submit" value="submit" name="submit" id="submit"/> </form> and my document root path is /home/webadministrator/www/root/ and all my php script is under /home/webadministrator/www/root/bin and now if I put process-signup.php under /home/websiteadmin/www/bin how should I put the path in the html form? and I don't think I can put like this? <form id="signup_form" action="/home/websiteadmin/www/bin/process-signup.php" method="post"> regards, Mark Quote Link to comment Share on other sites More sharing options...
laffin Posted February 27, 2009 Share Posted February 27, 2009 My Suggestion is avoid sessions/cookies. the PHP_SELF var is a good idea as well as using a constant in yer main pages so in yer included files, a simple check for the constant can break with an error main.php <?php define('PAGE','main'); include('includes.php'); ?> Success includes.php <?php if(!defined('PAGE')) { die('Illegal Access'); } // Rest of include ?> Very simple technique Nice thing about it, is that u dont need to do a page lookup against PHP_SELF. Good Luck Quote Link to comment Share on other sites More sharing options...
RichardRotterdam Posted February 27, 2009 Share Posted February 27, 2009 An alternative is to specify which directories or files you don't want access to in a htaccess file Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.