Jump to content

PHP define not working with jquery load


charles07

Recommended Posts

I have a main file index.php into which iam loading myinnerpage.php. I have defined a variable inside index.php & checks it on myinnerpage.php, but when i load innerpage it shows restricted access, any idea why? following is my code.

 

index.php

<?php
    define( '_JEXEC', true ); 
?>
<div class="mypage">
</div>
<ul>
    <li><a href="#" onclick="loadpages('myiinerpage.php')">about page</a></li>   
</ul>

<script type="text/javascript">
    var $jq = jQuery.noConflict();
    function loadpages(page)
    {
        $jq('.mypage').load('myfolder/'+page);
    }
    
</script>

 

and now in the myiinerpage.php which is in the folder myfolder i have the following code.

 

<?php
defined('_JEXEC') or die('Restricted access');
?>

<div>
my page elements
</div>

 

 

but when i click on the link it shows restricted access. I have loaded jquery too, any idea y this is happening?

Link to comment
Share on other sites

this is most likely do to the DOM injection of "myinnerpage.php" using jquery after run time. I'm am not 100% sure on this, since I cannot find any documentation on the matter. However the behavior of JavaScript injected documents is much different than the behavior of pages that were say included into the page using PHP.

Also, what is the purpose of using noConflict() here? Just out of curiosity.

Link to comment
Share on other sites

The problem is that the definition you set in index.php will not exist in myinerpage.php because it is a separate script execution. The AJAX is a separate page request. It is no different than if you clicked a link to go to another page - any variables defined in the previous page will not exist in the next page. You could either set a session variable to check or you could write the value of _JEXEC as a JavaScript variable and append it to the AJAX call so you can check in within the $_GET array

Link to comment
Share on other sites

guys finally i found a solution, hope this is right, please contribute your ideas

 

In my main index.php i changed function to this

function loadpages(page)
    {
        var myvalue = "myvalue ";
        $jq('.mypage').load('myfolder/'+page,myvalue+"="+myvalue);
    }

 

and in the myiinerpage.php i added a piece of code like this

if($_GET['myvalue '] == '' || $_SERVER['HTTP_REFERER'] == '')die("Access denied");

 

i used $_SERVER['HTTP_REFERER'] just incase someone tries to access the page by directly typing the get value in url,

also AyKay47  noConflict() is not necessary here, i just forgot to delete it.

Link to comment
Share on other sites

and in the myiinerpage.php i added a piece of code like this

if($_GET['myvalue '] == '' || $_SERVER['HTTP_REFERER'] == '')die("Access denied");

 

i used $_SERVER['HTTP_REFERER'] just incase someone tries to access the page by directly typing the get value in url

 

Why are you not using session values? That is pretty "weak" security if that is your goal. A user could simply put a link into an HTML page with the full URL and the HTTP_REFERER will have a value. A session value will persist across all page requests and takes zero management - i.e. you don't need to append the value to query string and make sure it persists from page request to page request. All you need to do is put session_start(); at the top of any page that you need to set/access the session values.

 

In index.php you would have something like

    session_start();
    $_SESSION['JEXEC'] = true; 

 

Then in the page myinerpage.php you would have

    session_start();
    if(!isset($_SESSION['JEXEC']) || !$_SESSION['JEXEC']) die("Access denied");

 

Then you do not need anything in the JavaScript/AJAX code.

Link to comment
Share on other sites

thanks mjdamato

 

i tried session values, but there are some issues

 

for e.g. when  iam opening http://localhost/index.php page $_SESSION['JEXEC'] is set to true.

 

then i could access http://localhost/myproject/myfolder/myiinerpage.php directly by typing it on the URL since session is already set.

 

my goal is to block direct access of http://localhost/myproject/myfolder/myiinerpage.php

 

------------------------------------------------------------------

also i don' think this would work '  A user could simply put a link into an HTML page with the full URL and the HTTP_REFERER will have a value '  i tried like you have told i.e .http://localhost/myproject/myfolder/myiinerpage.php, but the page said Access denied with the following code in the myiinerpage.

php page

 

if($_GET['myvalue '] == '' || $_SERVER['HTTP_REFERER'] == '')die("Access denied");

Link to comment
Share on other sites

Did you just create an HTML file on your computer and run it or did you put the file on a web server and access it via http?

 

i tried session values, but there are some issues

 

for e.g. when  iam opening http://localhost/index.php page $_SESSION['JEXEC'] is set to true.

 

then i could access http://localhost/myproject/myfolder/myiinerpage.php directly by typing it on the URL since session is already set.

 

my goal is to block direct access of http://localhost/myproject/myfolder/myiinerpage.php

What do you mean "direct access" a JQuery request is direct access. If the page is not supposed to be accessed directly and should only be include()ed in other PHP files then simply put the file outside the publicly accessible web directory. But, if your goal is only to allow the file to be accessed via AJAX you can put a ton of work into it and it would never be foolproof. The server doesn't know an AJAX request vs. a normal browser request and all of the data sent/received in either case is easily spoofed.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.