Jump to content

Recommended Posts

I have a data page(imcs.php) that contains xml data that used in a flash map on locator.php.

 

I need a way to protect imcs.php to where someone cannot access it directly. I tried putting an if statement on imcs.php to see if the http_referrer is locator.php, but it did not work on several computers.

 

Is there another way of protecting imcs.php?

 

 

 

locator.php:

<script type="text/javascript">
var uid = new Date().getTime();
var flashProxy = new FlashProxy(uid, 'us/with_javascript/js/JavaScriptFlashGateway.swf');
    var tag = new FlashTag('us/us.swf?data_file=us/imcs.php', 480, 325);
    tag.setFlashvars('lcId='+uid);
    tag.write(document);
</script>

 

 

and part of imcs.php:

 

<?xml version="1.0" encoding="iso-8859-1"?>
<us_states>

<state id="range">
<data>0</data>
<color>000000</color>
</state>

<state id="outline_color">
<color>777777</color>
</state>
<state id="default_color">
<color>000000</color>
</state>
<state id="background_color">
<color>D2D2CA</color>
</state>
<state id="default_point">
	<color>ca6011</color>
	<size>2</size>
</state>
<state id="scale_points">
	<data>50</data>
</state>


<?php
   	require '../connect/data.php';
//........................

 

Link to comment
https://forums.phpfreaks.com/topic/174318-securing-a-page/
Share on other sites

I don't think there is a solution for this. If you have a file in a publicly accessible directory there is no foolproof way to secure it. The problem is that the file must be publicly accessible because it needs to be accessible to the user's browser - and I'm no expert on Flash, but I suspect the file may also be getting saved to the user's cache. There are plenty of tricks/hacks that you could use (obfuscating the code, checking headers, etc). But, it will not be foolproof, and anyone who really wants the content will be able to get it.

Link to comment
https://forums.phpfreaks.com/topic/174318-securing-a-page/#findComment-918888
Share on other sites

You need to start a session on locator.php and set some session variable to some value, then in imcs.php resume the session and check if that session variable exists and only output the xml if it is. This will at least require that someone visits locator.php before requesting the imcs.php page.

 

Since imcs.php is requested by a public page anyway, what harm is there if it gets requested directly? What problem are you having that you are trying to solve? There might be a better solution.

Link to comment
https://forums.phpfreaks.com/topic/174318-securing-a-page/#findComment-918891
Share on other sites

It is common practice to contain any sensitive data (such as usernames and passwords for database connection) in a separate file stored outside of the public_html folder (making it inaccessible from a web browser) then referencing that from the file you need to use it with via a require_once() statement.

 

Would this approach work?

 

Note: There may be some settings in php.ini relating to calling scripts outside of the public html folder, but I am not certain on this, best to check the manual (or Google).

 

Also it's best to use absolute referencing for folder/file addressing.

Link to comment
https://forums.phpfreaks.com/topic/174318-securing-a-page/#findComment-918897
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.