Mamerto, posted January 7, 2012

Hello all,

A simple question: I have an HTML application from which a php script is executed. The 'GET' method is used and no form is submitted. I was wondering if there is a way to prevent users from running this php script directly in the browser.

Thank you all for your suggestions,
Mamer

wolfcry, posted January 7, 2012

Yes, you can always set the php file in a secured directory and not allow access via .htaccess.

Andy-H, posted January 7, 2012

```php
// get_browser() needs the browscap setting configured in php.ini
$browser = get_browser(null, true);
if ( strtolower($browser['browser']) != 'curl' )
    exit;
```

Mamerto (author), posted January 7, 2012

> Yes, you can always set the php file in a secured directory and not allow access via .htaccess.

Thanks Wolfcry, but wouldn't that prevent the access from the web app too? I am not familiar with Apache directives but I thought that restricting the access to the directory would apply to the web app...

Mamer

Mamerto (author), posted January 7, 2012

Thanks Andy, if I understand, what you suggest is checking whether the script is being invoked from a browser or not. However, I'd like to prevent unwanted uses from a browser too. I mean, I'd like the only way to run the php script was from the web app interface (http://mysite.com/webapp.html) and by no means typing directly the request on a browser (http://mysite.com/php/myscript.php?action=1). Do you know any way to make a php script distinguish between both situations?

Regards,
Mamer

Psycho, posted January 7, 2012

> I'd like the only way to run the php script was from the web app interface (http://mysite.com/webapp.html) and by no means typing directly the request on a browser (http://mysite.com/php/myscript.php?action=1).

As wolfcry alluded to, you can put the file into a directory that is not web accessible - i.e. it cannot be accessed via an http request. But, when you say it can only be accessed via the web app I think you mean something different than we thought. To most developers that would mean that the file would be include()d from the web app. But, you state that the web app is an HTML file, not a PHP file.

I think what you mean is that you want users to always go to the main page before accessing the script in question. The only way I can think to do that would require changing the main page "webapp.html" to a PHP page. Then, on that page, create a timestamp value and use that value to set a session value and append to the URL to the secured script. In this example, I'll hash the timestamp

```php
//Start session
session_start();

//Create timestamp value and set in session
$timestamp = time();
$_SESSION['myscript'] = $timestamp;

//Create the link to 'myscript' with an additional parameter for the timestamp
echo "<a href='http://mysite.com/php/myscript.php?action=1&code={$timestamp}'>Secured Script</a>";
```

Lastly, you would need to modify the myscript.php page to check the value passed in the query string to see if it matches the value in the session var. If they match, show the page. Else, don't show the page. You can show an error message or redirect the user back to the main page.

```php
session_start();

//The session key must be the one set on the main page ('myscript')
if(!isset($_SESSION['myscript'], $_GET['code']) || $_SESSION['myscript'] != $_GET['code'])
{
    die('Access denied');
}

//Rest of script follows
```

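A hardened variant of the session check Psycho describes above, added here as an example and not part of the original thread: it replaces the guessable timestamp with a random, single-use, expiring token. The function names, the `myscript_token` session key and the 300-second lifetime are assumptions; as in the post, the main page has to be served by PHP to issue the token.

```php
<?php
declare(strict_types=1);

// Added example: session-bound, single-use, expiring token.
// Function names and the 'myscript_token' session key are hypothetical.

const TOKEN_TTL = 300; // seconds a link stays valid (assumed value)

/** Called by the page that renders the link to myscript.php. */
function issue_token(array &$session, ?int $now = null): string
{
    $token = bin2hex(random_bytes(32)); // unpredictable, unlike time()
    $session['myscript_token'] = [
        'hash'    => hash('sha256', $token), // keep only a hash server-side
        'expires' => ($now ?? time()) + TOKEN_TTL,
    ];
    return $token; // append to the link as &code=...
}

/** Called at the top of myscript.php before doing any work. */
function check_token(array &$session, $supplied, ?int $now = null): bool
{
    $entry = $session['myscript_token'] ?? null;
    unset($session['myscript_token']); // single use: burn it on every attempt
    if (!is_array($entry) || !is_string($supplied)) {
        return false; // nothing issued, or ?code[]=... arrived as an array
    }
    if (($now ?? time()) > $entry['expires']) {
        return false; // link is older than TOKEN_TTL
    }
    // Constant-time comparison of the stored hash and the supplied value.
    return hash_equals($entry['hash'], hash('sha256', $supplied));
}

// Constructed demonstration with a plain array and fixed clock values;
// in a real request pass $_SESSION and ($_GET['code'] ?? null).
$session = [];
$code = issue_token($session, 1000);
var_dump(check_token($session, $code, 1010));  // first use inside the TTL
var_dump(check_token($session, $code, 1011));  // replay of the same link
issue_token($session, 1000);
var_dump(check_token($session, '1000', 1010)); // guessing the timestamp
$code = issue_token($session, 1000);
var_dump(check_token($session, $code, 2000));  // link used after expiry
```

Like the timestamp version, this only shows that the request comes from a session that recently loaded the main page. It does not authenticate the user, so anything sensitive behind `action=1` still needs its own authorization check.
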
Andy-H, posted January 7, 2012

Just place the file under the public directory (i.e. if your public dir was /opt/user/xampp/htdocs - place the file in /opt/user/xampp, then call it from htdocs/index.php using include '../filename.php';)

laffin, posted January 7, 2012

Set up a variable/constant which tells subscripts they are being called from another script

```php
<?php
// Calling script
define('IN_PAGE','index');
include('sub.php');
```

```php
<?php
// sub.php
if(!defined('IN_PAGE'))
    die('can not execute this script directly');
```

Mamerto (author), posted January 11, 2012

Thank you all guys, I really needed some advice and your suggestions have helped a lot. I might have to re-think the whole application.

Best regards,
Mamer