charles07 Posted December 23, 2011

I have a main file index.php into which I am loading myinnerpage.php. I have defined a variable inside index.php and check it in myinnerpage.php, but when I load the inner page it shows "Restricted access". Any idea why? Following is my code.

index.php:

<?php define( '_JEXEC', true ); ?>
<div class="mypage"> </div>
<ul>
  <li><a href="#" onclick="loadpages('myiinerpage.php')">about page</a></li>
</ul>
<script type="text/javascript">
var $jq = jQuery.noConflict();
function loadpages(page) {
  $jq('.mypage').load('myfolder/' + page);
}
</script>

And now in myiinerpage.php, which is in the folder myfolder, I have the following code:

<?php defined('_JEXEC') or die('Restricted access'); ?>
<div> my page elements </div>

But when I click on the link it shows "Restricted access". I have loaded jQuery too; any idea why this is happening?
AyKay47 Posted December 23, 2011

This is most likely due to the DOM injection of "myinnerpage.php" using jQuery after run time. I am not 100% sure on this, since I cannot find any documentation on the matter. However, the behavior of JavaScript-injected documents is much different from the behavior of pages that were, say, included into the page using PHP.

Also, what is the purpose of using noConflict() here? Just out of curiosity.
Psycho Posted December 23, 2011

The problem is that the definition you set in index.php will not exist in myinerpage.php because it is a separate script execution. The AJAX call is a separate page request. It is no different than if you clicked a link to go to another page: any variables defined in the previous page will not exist in the next page.

You could either set a session variable to check, or you could write the value of _JEXEC as a JavaScript variable and append it to the AJAX call so you can check it within the $_GET array.
charles07 Posted December 27, 2011 (Author)

Guys, finally I found a solution. Hope this is right; please contribute your ideas.

In my main index.php I changed the function to this:

function loadpages(page) {
  var myvalue = "myvalue";
  $jq('.mypage').load('myfolder/' + page, myvalue + "=" + myvalue);
}

And in myiinerpage.php I added a piece of code like this:

if (empty($_GET['myvalue']) || empty($_SERVER['HTTP_REFERER'])) die("Access denied");

I used $_SERVER['HTTP_REFERER'] just in case someone tries to access the page by directly typing the GET value in the URL.

Also, AyKay47, noConflict() is not necessary here; I just forgot to delete it.
Psycho Posted December 27, 2011

> And in myiinerpage.php I added a piece of code like this:
>
> if (empty($_GET['myvalue']) || empty($_SERVER['HTTP_REFERER'])) die("Access denied");
>
> I used $_SERVER['HTTP_REFERER'] just in case someone tries to access the page by directly typing the GET value in the URL.

Why are you not using session values? That is pretty "weak" security if that is your goal. A user could simply put a link into an HTML page with the full URL and the HTTP_REFERER will have a value.

A session value will persist across all page requests and takes zero management, i.e. you don't need to append the value to the query string and make sure it persists from page request to page request. All you need to do is put session_start(); at the top of any page that needs to set/access the session values.

In index.php you would have something like:

session_start();
$_SESSION['JEXEC'] = true;

Then in the page myinerpage.php you would have:

session_start();
if (!isset($_SESSION['JEXEC']) || !$_SESSION['JEXEC']) die("Access denied");

Then you do not need anything in the JavaScript/AJAX code.
charles07 Posted December 28, 2011 (Author)

Thanks mjdamato. I tried session values, but there are some issues. For example, when I am opening the http://localhost/index.php page, $_SESSION['JEXEC'] is set to true. Then I could access http://localhost/myproject/myfolder/myiinerpage.php directly by typing it in the URL, since the session is already set. My goal is to block direct access to http://localhost/myproject/myfolder/myiinerpage.php.

Also, I don't think this would work: "A user could simply put a link into an HTML page with the full URL and the HTTP_REFERER will have a value." I tried like you have told, i.e. http://localhost/myproject/myfolder/myiinerpage.php, but the page said "Access denied" with the following code in the myiinerpage.php page:

if (empty($_GET['myvalue']) || empty($_SERVER['HTTP_REFERER'])) die("Access denied");
Psycho Posted December 28, 2011

Did you just create an HTML file on your computer and run it, or did you put the file on a web server and access it via HTTP?

> I tried session values, but there are some issues. For example, when I am opening the http://localhost/index.php page, $_SESSION['JEXEC'] is set to true. Then I could access http://localhost/myproject/myfolder/myiinerpage.php directly by typing it in the URL, since the session is already set. My goal is to block direct access to http://localhost/myproject/myfolder/myiinerpage.php.

What do you mean by "direct access"? A jQuery request is direct access. If the page is not supposed to be accessed directly and should only be include()ed in other PHP files, then simply put the file outside the publicly accessible web directory.

But, if your goal is only to allow the file to be accessed via AJAX, you can put a ton of work into it and it would never be foolproof. The server doesn't know an AJAX request from a normal browser request, and all of the data sent/received in either case is easily spoofed.
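The two suggestions in this thread that actually hold up are the session gate from Psycho's earlier reply and keeping the include file outside the document root from this one. The following is an added example that combines both; it is not code from any poster. The directory layout, the `user_id` session key, the `name` query parameter and the template whitelist are all assumptions made for the example, and it targets PHP 7 or later for the `??` operator.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /var/www/app/public/            -- the web root; only files here have a URL
//   /var/www/app/public/fragment.php -- the URL that jQuery .load() fetches
//   /var/www/app/templates/about.php -- outside the web root; no URL reaches it
//
// In index.php the client side needs nothing secret at all:
//   $jq('.mypage').load('fragment.php?name=' + encodeURIComponent('about'));
//
// ---- public/fragment.php ----
session_start();

// 1. Gate on state the server controls (the session, set by your login handler),
//    not on client-supplied headers such as Referer or X-Requested-With: every
//    client can set, omit or forge those, so they distinguish nothing.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Access denied');
}

// 2. Map a short identifier to a template file through a fixed whitelist, so the
//    include path is never built from user input (no "../" or remote paths).
$templates = [
    'about'   => 'about.php',
    'contact' => 'contact.php',
];
$name = $_GET['name'] ?? '';
if (!isset($templates[$name])) {
    http_response_code(404);
    exit('Unknown page');
}

// 3. The template lives outside the document root, so typing its path into the
//    address bar yields nothing; the only way to execute it is through this gate.
//    The _JEXEC guard is now redundant for security but still documents intent.
define('_JEXEC', true);
require __DIR__ . '/../templates/' . $templates[$name];

// ---- templates/about.php (outside the web root) ----
// <?php defined('_JEXEC') or die('Restricted access'); ?>
// <div> my page elements </div>
```

With this layout the question "was this request made by jQuery?" no longer matters: a direct browser request to fragment.php gets exactly the same answer as an AJAX request, namely the fragment if the session is authenticated and 403 otherwise, and the template itself is unreachable by URL.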