
Prevent Users from Executing Anything From Browser


Kaitosoto


So I have my script that takes a lot of variables like:

 

http://www.mysite.com/script.php?id=6&pin=7654&desk=thisbigone

 

I currently get the variables with $_GET in the script, which I feel is very vulnerable to abuse, as users can type all that out in the address bar and change the id and pin to their advantage. My question is, how do I make it so that users cannot type all that out and execute the script from the browser address bar, and force them to click on a link that is on my site's index.php in order to execute that line of code?

YOU CAN!  Just check to make sure that the referring page is a page within your site.  If the URL is entered directly into the address bar, then redirect them to an error page.  I use this technique in the online game that I'm building to keep people from typing in info and taking certain shortcuts.

 

So for instance, let's say that your script.php file is linked to from your index page and other links within your site.  If they click any link on your page, it sets a referring page that you can read with a PHP script and compare to your site's base (i.e., mysite.com).  If the referring page isn't from your site, redirect to an error page.  If the referring page is from your site, then let them continue.  Does that make any sense?  Here is the part of my code that does this.

 

$root = 'localhost';
$referer = $_SERVER['HTTP_REFERER'] ?? '';   // header is absent on direct address-bar entry

// eregi() was removed in PHP 7; use a case-insensitive substring match instead
if (stripos($referer, $root) === false) {
  //Re-direct
  header('Location: forbidden.php');
  exit;   // stop here, otherwise the rest of the page is still sent after the redirect header
} else {
//Allow entry to site
}

 

One thing to remember though is this.  Only include this on pages where you don't want people to access via direct links, such as bookmarks.

 

@tcollie, so what happens if the user is logged in and on a page within the site and types the information into the address bar?  The referrer will be within the site and they will have done exactly what the OP didn't want.

 

As ToonMariner pointed out, validate the data before you use it.
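As an added example (not code from the thread), here is the Referer gate from the reply above placed next to what the last reply means by validating the data: take the identity from the logged-in session, check that the requested id belongs to that user, and verify the PIN against a stored hash instead of trusting the URL. The table name players, the columns owner_id and pin_hash, the session key user_id and the use of SQLite through PDO are assumptions for illustration. The Referer header is sent by the client, so a request made with curl --referer (or with the header removed) passes or fails the first check at the attacker's discretion; the second check does not depend on it.

```php
<?php
// Added example, not from the thread. The table/column names, the session key
// 'user_id' and the SQLite/PDO setup are assumptions for illustration.
declare(strict_types=1);

session_start();

// Weak gate: the Referer header is client-supplied. Example forgery:
//   curl --referer 'http://www.mysite.com/index.php' 'http://www.mysite.com/script.php?id=6&pin=7654'
// A logged-in user clicking around the site also sends an internal Referer, so this
// stops neither an attacker nor the scenario raised in the thread.
function referer_is_internal(string $root): bool
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $root) === 0;
}

// Stronger: identity comes from the server-side session, never from the URL.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Validate the shape of each parameter before using it.
function read_id(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function read_pin(array $get): ?string
{
    $pin = $get['pin'] ?? '';
    return is_string($pin) && preg_match('/\A\d{4}\z/', $pin) === 1 ? $pin : null;
}

function load_record(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, pin_hash FROM players WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the record only if it exists, belongs to the logged-in user and the PIN matches.
function authorize(PDO $db, array $get): ?array
{
    $userId = current_user_id();
    $id = read_id($get);
    $pin = read_pin($get);
    if ($userId === null || $id === null || $pin === null) {
        return null;
    }
    $row = load_record($db, $id);
    // Ownership check: changing id in the address bar to someone else's record is
    // rejected no matter which page linked here.
    if ($row === null || (int) $row['owner_id'] !== $userId) {
        return null;
    }
    // PIN is compared against a stored hash (constant-time inside password_verify).
    if (!password_verify($pin, $row['pin_hash'])) {
        return null;
    }
    return $row;
}

// Constructed sample data so the script runs stand-alone (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, owner_id INTEGER, pin_hash TEXT)');
$ins = $db->prepare('INSERT INTO players (id, owner_id, pin_hash) VALUES (?, ?, ?)');
$ins->execute([6, 42, password_hash('7654', PASSWORD_DEFAULT)]);
$ins->execute([7, 99, password_hash('1111', PASSWORD_DEFAULT)]);

$_SESSION['user_id'] = 42;   // simulate user 42 being logged in

var_dump(authorize($db, ['id' => '6', 'pin' => '7654']) !== null);   // own record, correct PIN
var_dump(authorize($db, ['id' => '7', 'pin' => '1111']) !== null);   // another user's record
var_dump(authorize($db, ['id' => '6', 'pin' => '0000']) !== null);   // own record, wrong PIN
var_dump(authorize($db, ['id' => 'abc', 'pin' => '7654']) !== null); // malformed id
```

The PIN is still carried in a GET query string, where it lands in server logs, browser history and the Referer header of any outbound link; anything that changes state should move to a POST form carrying a per-session CSRF token, which is a separate fix from the authorization shown here.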
