Hello.. I have a page that contains a flash map called locator.php. This map pulls data from a page called ims.php.

 

I am wanting to protect our dealer list. We do not want someone to see ims.php in the source code and try to pull that page up in their browser directly.

 

Is there any way we could have ims.php check to see if locator.php is the one requesting the page?

ex. if page requester == locator.php

then display data

else display nothing


That did not work.

 

Here is the flash map code on locator.php:

<script type="text/javascript">
var uid = new Date().getTime();
var flashProxy = new FlashProxy(uid, 'us/with_javascript/js/JavaScriptFlashGateway.swf');
    var tag = new FlashTag('us/us.swf?data_file=us/imcs.php', 480, 325);
    tag.setFlashvars('lcId='+uid);
    tag.write(document);
</script>

 

and part of imcs.php:

<?xml version="1.0" encoding="iso-8859-1"?>
<us_states>

<state id="range">
<data>0</data>
<color>000000</color>
</state>

<state id="outline_color">
<color>777777</color>
</state>
<state id="default_color">
<color>000000</color>
</state>
<state id="background_color">
<color>D2D2CA</color>
</state>
<state id="default_point">
	<color>ca6011</color>
	<size>2</size>
</state>
<state id="scale_points">
	<data>50</data>
</state>


<?php
   	require '../connect/data.php';
//........................

 

 

Try this out:

 

<?php

    if($_SERVER['HTTP_REFERER'] != "http://www.example.com/locator.php") {
        die("Go away");
    }

?>

 

And just change http://www.example.com to your domain. Call echo $_SERVER["HTTP_REFERER"]; to find out exactly what you need to put in there.

 

Combine this with the define('AUTH_TOKEN',1); method suggested by sKunKbad and you're (almost) all set!

 

And also, don't use die() in your final script. Output a pretty error message rather than a flat-out die() call. There's an article on phpfreaks about never using die in your scripts ;)


HTTP_REFERER doesn't always work.

I put

<?php

    if($_SERVER['HTTP_REFERER'] != "http://www.example.com/locator.php") {
        die("Go away");
    }

?>

at the top of imcs.php and everything seems to work fine. The data does not display in the browser if the page is attempted to be accessed directly and the data is still being pulled into locator.php.

 

Do I still need to implement the define('AUTH_TOKEN',1); code?

 

HTTP_REFERER seems to not work all the time on IE, and even if it does, programs like Norton can prevent this information being sent (in case it's used in some kind of Session ID attack or something). The next best way is to set a $_SESSION on the previous page. So for example if you know that only requests from gotolocator.php should be allowed, then you can put at the bottom of gotolocator.php:

 

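<?php session_start(); $_SESSION['theLastPage'] = basename($_SERVER['PHP_SELF']); ?>

Then on locator.php:

<?php
session_start(); // the session must be started before $_SESSION can be read
if (!isset($_SESSION["theLastPage"]) || $_SESSION["theLastPage"] != "gotolocator.php") {
    die("Go away");
} else {
    unset($_SESSION["theLastPage"]);
}
?>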

 

That last line of code is very important. If you don't unset() $_SESSION["theLastPage"] then I could go to "somerandompage.php" then straight back to locator.php if there is no code to overwrite or unset "theLastPage" which would still be locator.php. Dunno how serious it could be, but it pays to be extra sure!
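
A session-bound variant of the checks discussed in this thread, as an added example that is not code from any poster: the map page issues a random single-use token, and the data page accepts a request only when the same session presents that token before it expires. The function names, the `map_grant` session key, the `t` query parameter and the 60-second lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. Names, the 'map_grant' key,
// the 't' parameter and the lifetime below are assumptions.

const MAP_GRANT_TTL = 60; // seconds the grant stays valid after the map page loads

// locator.php: call after session_start(), then append the returned token
// to the data URL handed to the map, e.g. us/imcs.php?t=<token>.
function issue_map_grant(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16)); // unpredictable, unlike a Referer string
    $session['map_grant'] = ['token' => $token, 'expires' => $now + MAP_GRANT_TTL];
    return $token;
}

// imcs.php: call after session_start(), e.g.
//   if (!check_map_grant($_SESSION, $_GET['t'] ?? null, time())) {
//       http_response_code(403);
//       exit;
//   }
function check_map_grant(array &$session, $presented, int $now): bool
{
    $grant = $session['map_grant'] ?? null;
    unset($session['map_grant']); // single use, same idea as the unset() above

    if (!is_array($grant) || !is_string($presented)) {
        return false; // no map page visit in this session, or malformed input
    }
    if ($now > $grant['expires']) {
        return false; // the map page was loaded too long ago
    }
    return hash_equals($grant['token'], $presented); // constant-time comparison
}

// Constructed demonstration: a plain array stands in for $_SESSION.
$session = [];
$now     = 1700000000; // constructed timestamp
$token   = issue_map_grant($session, $now);

echo "fresh token:     "; var_dump(check_map_grant($session, $token, $now + 5));
echo "replayed token:  "; var_dump(check_map_grant($session, $token, $now + 6));

$token = issue_map_grant($session, $now);
echo "expired token:   "; var_dump(check_map_grant($session, $token, $now + 61));

$empty = []; // a visitor who never loaded the map page
echo "direct request:  "; var_dump(check_map_grant($empty, 'guess', $now));
```

This only blocks requests that did not come through the map page in the same session; anything the data page returns to the map is still visible to the person viewing it.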
