[SOLVED] come from one page only

[ronnie88]

is there a php code that allows only one page to be referred to it? say I am at countdown.php and it is going to another page that update the mysql db and I don't want that page accessed by any other page... any help is appreciated

[JonnyThunder]

You can set a variable on the first page, and check it's there on the second.

 

First page

    define(ALLOW_PAGE_LOAD, true);

 

 

Second page

    if (!ALLOW_PAGE_LOAD) die ("You're not allowed to view this page directly");

[ronnie88]

thanks for the reply but I am having no luck...

[MasterACE14]

whats it for exactly? I'm sure there is better alternatives. If its stop people going to the page when there not logged in. Then do a Session check. If its for admin only, Do a database authority level check... etc etc

 

 

[JonnyThunder]

My understanding was that it's so people can't access the database query page directly, without going through another page first.  in which case, the example i've given is the easiest method to use. 

 

My understanding is probably wrong though - it often is! 

[MasterACE14]

lol, well I'm thinking its probably something along the lines of a cron file, or some file that is only accessed at certain times. Which would make sense. In that case, the file should be put in the system root where it can't be touched. Or.... MD5 the file name, and MD5 the folder its in lol, and bolt it all up more secure then Alcatraz.

[JonnyThunder]

OMG - see, now I need to know what he actually wants.

 

How am I gonna sleep tonight without knowing!!!!!!  ;D

[MasterACE14]

haha, I think you're gonna have to try and sleep, cause he doesn't appear to be online anymore lol.

[ronnie88]

Jonny is right its so they can't gain access to the mysql update :s but can't get that example you gave to work

[MasterACE14]

so how do you access the page then? if no one can access it, then whats the point of having it  ???

[ronnie88]

so users can't gain access by going to the php file to run a mysql command only when you refer by a certain page..

[JonnyThunder]

What didn't work about my example??

 

[MasterACE14]

so users can't gain access by going to the php file to run a mysql command only when you refer by a certain page..

 

But are the users "logged in" to the website at the time. as in, they logged in using a form, and a session var has been set to show they are logged in. If thats the case, then its much easier to make a script to secure the mysql command file.

[ronnie88]

i probley did it wrong

i placed this into the file that is going to the protected file

<? 
define(ALLOW_PAGE_LOAD, true);
?>

and this in the target file

<?
if (!ALLOW_PAGE_LOAD) die ("You're not allowed to view this page directly");
?>

 

lol I know it was an example but I don't know how I would incorporate it  thanks

 

yea logged in using a session and all

[JonnyThunder]

It's the other way around.  You define the variable in the first page, and check the variable in the page you want to protect.

 

[MasterACE14]

well if there logged in with a session. and if you got there info in a database. grab there ID or username, whatever from the database, and on the mysql script page, check if it equals the ID or username of who you want to have access to it.

[ronnie88]

well its actually a game start your own virtual airline and manage it... they wait however long there flight is then after the timer stops it gives a link to the php file which has the mysql update and adds the cash to there cash column... Thats what I meant johnny its in the right place..

[MasterACE14]

ah I see... You can't let users refresh the page over and over again though..

[ronnie88]

yup  ???

[unkwntech]

I'm not 100% sure how  $_SERVER['HTTP_REFERER']  is handled on refresh (something I'm going to have to look at) but I would think you could just check this value.

[samshel]

I agree with unkwntech, $_SERVER['HTTP_REFERER'] is the best method to use in this case.

 

Refreshing doesnt loose the value of $_SERVER['HTTP_REFERER'].

[unkwntech]

From some testing I just did I would remit my last post and advise against using $_SERVER['HTTP_REFERER'].

I would do this on the page that does the query:

<?php
session_start()
if(isset($_SESSION['varName']))
{
   die("You're not allowed to view this page directly");
}
$_SESSION['varName'] = "123";
//do query
?>

[ronnie88]

thank you but what is the varname for what do i put in the 123...?

[unkwntech]

You could leave them as it or make them anything you want it realy doesn't matter.

[ronnie88]

I copied and pasted it in a php but i get

Parse error: syntax error, unexpected T_IF in /home/virtual/public_html/blue_sky/insert2h.php on line 3