jakebur01 Posted September 15, 2009

I have a data page (imcs.php) that contains xml data that is used in a flash map on locator.php. I need a way to protect imcs.php to where someone cannot access it directly. I tried putting an if statement on imcs.php to see if the http_referrer is locator.php, but it did not work on several computers. Is there another way of protecting imcs.php?

locator.php:

    <script type="text/javascript">
    var uid = new Date().getTime();
    var flashProxy = new FlashProxy(uid, 'us/with_javascript/js/JavaScriptFlashGateway.swf');
    var tag = new FlashTag('us/us.swf?data_file=us/imcs.php', 480, 325);
    tag.setFlashvars('lcId='+uid);
    tag.write(document);
    </script>

and part of imcs.php:

    <?xml version="1.0" encoding="iso-8859-1"?>
    <us_states>
      <state id="range">
        <data>0</data>
        <color>000000</color>
      </state>
      <state id="outline_color">
        <color>777777</color>
      </state>
      <state id="default_color">
        <color>000000</color>
      </state>
      <state id="background_color">
        <color>D2D2CA</color>
      </state>
      <state id="default_point">
        <color>ca6011</color>
        <size>2</size>
      </state>
      <state id="scale_points">
        <data>50</data>
      </state>
    <?php
    require '../connect/data.php';
    //........................

Psycho Posted September 15, 2009

I don't think there is a solution for this. If you have a file in a publicly accessible directory there is no foolproof way to secure it. The problem is that the file must be publicly accessible because it needs to be accessible to the user's browser - and I'm no expert on Flash, but I suspect the file may also be getting saved to the user's cache.

There are plenty of tricks/hacks that you could use (obfuscating the code, checking headers, etc). But, it will not be foolproof, and anyone who really wants the content will be able to get it.

PFMaBiSmAd Posted September 15, 2009

You need to start a session on locator.php and set some session variable to some value, then in imcs.php resume the session and check if that session variable exists and only output the xml if it is. This will at least require that someone visits locator.php before requesting the imcs.php page.

Since imcs.php is requested by a public page anyway, what harm is there if it gets requested directly? What problem are you having that you are trying to solve? There might be a better solution.

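The session check described in the post above, as an added example that is not part of the original thread or any poster's code. The helper file name, function names, session key and the 15-minute freshness window are assumptions (the window goes beyond the post's plain exists-check), and it assumes the Flash movie's request for imcs.php carries the browser's session cookie.

```php
<?php
// locator_gate.php: hypothetical shared helper, required by both pages.
// Added example; all names and the time window below are assumptions.
//   locator.php: require this file, then call gate_mark_visit() before any output.
//   imcs.php:    require this file, then call gate_require_visit() before the XML declaration.

const GATE_KEY = 'locator_seen_at'; // session variable name (assumed)
const GATE_TTL = 900;               // seconds a locator.php visit stays valid (assumed)

function gate_start_session(): void
{
    // Resume the existing session, or start one if the visitor has none yet.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// locator.php: record that this browser session loaded the map page.
function gate_mark_visit(): void
{
    gate_start_session();
    $_SESSION[GATE_KEY] = time();
}

// Pure decision function, kept separate so it can be checked without a web server.
function gate_is_allowed(array $session, int $now): bool
{
    return isset($session[GATE_KEY])
        && is_int($session[GATE_KEY])
        && ($now - $session[GATE_KEY]) <= GATE_TTL;
}

// imcs.php: refuse direct requests that did not come through locator.php first.
function gate_require_visit(): void
{
    gate_start_session();
    if (!gate_is_allowed($_SESSION, time())) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: text/xml; charset=iso-8859-1');
}
```

A request for imcs.php with no session cookie, or with a session that never loaded locator.php, gets a 403 instead of the XML. Anyone who loads locator.php first still receives the data, which is the limit the thread already points out.
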
gr1zzly Posted September 15, 2009

It is common practice to contain any sensitive data (such as usernames and passwords for database connection) in a separate file stored outside of the public_html folder (making it inaccessible from a web browser) then referencing that from the file you need to use it with via a require_once() statement. Would this approach work?

Note: There may be some settings in php.ini relating to calling scripts outside of the public html folder, but I am not certain on this, best to check the manual (or Google). Also it's best to use absolute referencing for folder/file addressing.

Psycho Posted September 15, 2009

@gr1zzly, The file is being "included" from the client browser from within script tags. Therefore the file must be within a web accessible folder.