Jump to content

[SOLVED] Preventing direct access to PHP files with Jquery tabs?


Recommended Posts

you could set a session variable in index.php and check to see that it's set in 1.php (then immediately unset it) else you redirect to 404

 

Giving this a try at the moment. Haven't used sessions that often but it seems that may do the trick.

at the top of index.php:

 

<?php
session_start();
$_SESSION['FromIndex'] = 'yes';
?>

 

then at the top of 1.php:

 

<?php
session_start();
if ( $_SESSION['FromIndex'] != 'yes' )
  {
      header("Location: 404.php");
  }
unset($_SESSION['FromIndex']);
?>

 

sorry i replied so late, I had to go run a quick errand.

 

that code should work.  it's not the most elegant solution, but if it works...

at the top of index.php:

 

<?php
session_start();
$_SESSION['FromIndex'] = 'yes';
?>

 

then at the top of 1.php:

 

<?php
session_start();
if ( $_SESSION['FromIndex'] != 'yes' )
  {
      header("Location: 404.php");
  }
unset($_SESSION['FromIndex']);
?>

 

sorry i replied so late, I had to go run a quick errand.

 

that code should work.  it's not the most elegant solution, but if it works...

 

lol no worries man. You've been more then helpful. I immediately went to the php session docs to whip up a solution. I'm about to put the finishing touches on my learning website to finally get this out of the way. I had to learn passing cookies before the website went live anyhow so I'm glad I'm forced into it. I've been putting off the website for a while now because I've already moved on to the projects I wanted to start before I began learning PHP. :)

 

Anyways here's what I came up with:

 

Inside index.php

session_start();
$string = "abc"; 
$key = hash_hmac('ripemd160', $string, '1234567890');
$_SESSION['key']=$key; 

 

1.php

session_start();
if(!isset($_SESSION['key'])) {
      header("Location: 404.php");
}

 

Obviously the hash_hmac part is unnecessary but it's something I could use down the line by bringing in random code from my DB based on some random changing value. I was thinking time or something of that nature but for now that's more then enough.

 

It will never be a perfect solution because even that above I can easily simulate a curl call to grab the cookie along with the info needed. I've noticed a few forums beginning to use JS to salt the session ID before its being passed which gave me a bit of difficulty to fool but I'm chalking it up to my skill set rather then being a foolproof solution. I've realized if they want it they'll get it. :)

 

thanks a million 5kyy8lu3.

 

 

no problem man, glad I was somewhat helpful lol

 

as far as spoofing it, you could use this as the key:

 

md5($_SERVER['REMOTE_ADDR']);

 

that way it's a hash of their ip address, which would be hard to know just from seeing the hash.

 

just an idea to throw out there, it's what I use, it's dynamic yet it works.

no problem man, glad I was somewhat helpful lol

 

as far as spoofing it, you could use this as the key:

 

md5($_SERVER['REMOTE_ADDR']);

 

that way it's a hash of their ip address, which would be hard to know just from seeing the hash.

 

just an idea to throw out there, it's what I use, it's dynamic yet it works.

 

Damn. Great idea.

 

Thx

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.