How do I deny users direct access to a script through the URL

I have a jQuery script using .live() to load the contents of this page.

 $('#content').load("content.php?" + id); 

Question. How can I prevent a user from accessing the content.php file directly through a URL?

I tried putting this code on top of content.php, but "Access Denied" will appear in my #content div:

 if (!empty($_SERVER['SCRIPT_FILENAME']) && 'content.php' == basename($_SERVER['SCRIPT_FILENAME'])) die('Access Denied'); 

What is the correct way to ensure that users cannot access my content.php file using a URL?

+7
6 answers

You can use some kind of hashing. For example, if content.php has an id parameter, you add an additional hash parameter that contains the MD5 hash of “some random string + id * 15”. In content.php you check the hash against the id; if they do not match, access is not allowed.

The calculation must be done in PHP (not in the ajax code), because the user must not get to know the hashing algorithm.

Using this method, the user can still look at the source code and access the page directly; you cannot completely prevent that, because the browser needs to access the page in order to show it. But the user cannot access pages that he has not already loaded through ajax before. You can use some headers (HTTP_X_REQUESTED_WITH) to prevent most internet users from accessing the page directly, but experienced users will change the header and access it anyway.

+6
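The hashing idea from this answer, worked through as an added example (not code from the answer itself): instead of an unkeyed MD5 over "some random string + id * 15", the main page signs each id with an HMAC under a server-side secret, and content.php refuses any id whose signature does not verify. CONTENT_SECRET, the sig parameter and the function names are assumptions.

```php
<?php
// Added example, not code from the original answer. The main page signs each
// id with a server-side secret; content.php recomputes the signature and
// denies the request when it does not match. Names are assumptions.

// Keep this constant in a file outside the web root and include it from both
// pages. Generate it once with bin2hex(random_bytes(32)); never send it to
// the client.
const CONTENT_SECRET = 'replace-with-a-long-random-secret';

// Signature for one id, computed while the main page is rendered.
// A keyed MAC cannot be recovered from observed (id, sig) pairs, which is the
// weakness of an unkeyed md5 whose "random string" can be guessed.
function content_signature(int $id): string {
    return hash_hmac('sha256', (string) $id, CONTENT_SECRET);
}

// The check content.php runs on its query string. Returns the validated id,
// or null to deny. hash_equals() compares in constant time, so a wrong guess
// does not reveal how many leading bytes were right.
function authorized_content_id(array $query): ?int {
    $id  = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    $sig = (string) ($query['sig'] ?? '');
    if ($id === false || $id === null) {
        return null;
    }
    return hash_equals(content_signature($id), $sig) ? $id : null;
}

// --- main page: the URL that $('#content').load() will request -----------
function content_url(int $id): string {
    return 'content.php?id=' . $id . '&sig=' . content_signature($id);
}

// --- content.php, before any output -----------------------------------
// $id = authorized_content_id($_GET);
// if ($id === null) {
//     http_response_code(403);
//     exit('Access Denied');
// }

// Constructed demonstration (runs from the CLI): a URL produced by the main
// page passes, while the same id with a forged signature is refused.
parse_str((string) parse_url(content_url(42), PHP_URL_QUERY), $good);
var_dump(authorized_content_id($good));
var_dump(authorized_content_id(['id' => 42, 'sig' => 'forged']));
```

As the answer notes, this only limits which ids a visitor can request to those the main page actually issued; a user who has seen a signed URL can still open it directly. If the content itself is private, the check belongs next to a session login, not in place of one.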

If you want to protect usage, you can use a single-key algorithm. Have the server generate a key that the page will contain in a variable or attribute. Then, in the load command, you pass the key to content.php as follows:

 // read the key from the element the server wrote it into (.val() for an input, .attr() for an attribute)
 var key = $("{some selector to get the key}").val();
 $('#content').load("content.php?id=" + id + "&key=" + key);

After the page makes a call to the server using the key, the server expires the key, which makes it unusable. This way, only requests from an active page will have access to your content.php file.

This method is still not foolproof, but it makes access to content.php difficult for the user.

+3

Since you are calling the resource via ajax, a possible solution is to send a specific header with the request, for example HTTP_X_REQUESTED_WITH, and then check for it on the server side as follows:

 /* AJAX check: jQuery sets X-Requested-With: XMLHttpRequest on its ajax calls */
 if (empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) !== 'xmlhttprequest') {
     die('Access Denied');
 }

+2

I suggest reading this: Ajax event detection on the server.

+1

Is there any other content on the main page that you could link from content.php, to make sure that it is being loaded as part of the main page and not as a separate page? You can also pass something through the session from the main page to content.php, and then delete that item at the end of content.php.

0
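The single-use key from the earlier "single-key" answer and the session hand-off from this answer describe the same mechanism, so here is one added example covering both (not code from either answer): the main page mints a random key, records it in $_SESSION and embeds it in the HTML; content.php accepts each key exactly once and then forgets it. The function names, the data-key attribute and the 300-second lifetime are assumptions.

```php
<?php
// Added example, not code from the original answers. A per-page-load key is
// stored in the PHP session by the main page and consumed once by content.php.
// Names and the lifetime are assumptions.
session_start();

// Main page: mint an unguessable key and remember when it was issued.
function issue_content_key(): string {
    $key = bin2hex(random_bytes(16));              // 128 random bits
    $_SESSION['content_keys'][$key] = time();
    return $key;
}

// content.php: accept a key at most once, and only while it is fresh.
// Returns true exactly once per issued key; unknown, replayed and stale keys
// are all refused.
function consume_content_key(string $key, int $max_age_seconds = 300): bool {
    $issued = $_SESSION['content_keys'][$key] ?? null;
    if ($issued === null) {
        return false;                              // unknown, or already spent
    }
    unset($_SESSION['content_keys'][$key]);        // single use, even if stale
    return (time() - $issued) <= $max_age_seconds;
}

// --- main page markup: the key reaches the client in a data- attribute ------
// $key = issue_content_key();
// echo '<div id="content" data-key="' . htmlspecialchars($key, ENT_QUOTES) . '"></div>';
// The client-side load then reads it back:
//   var key = $('#content').data('key');
//   $('#content').load('content.php?id=' + id + '&key=' + encodeURIComponent(key));

// --- content.php, before any output -----------------------------------------
// if (!consume_content_key((string) ($_GET['key'] ?? ''))) {
//     http_response_code(403);
//     exit('Access Denied');
// }

// Constructed demonstration (runs from the CLI): the first use of a key is
// accepted, a replay of the same key and an unknown key are refused.
$k = issue_content_key();
var_dump(consume_content_key($k));
var_dump(consume_content_key($k));
var_dump(consume_content_key('not-a-key'));
```

Because a key is spent on first use, a page that calls .load() more than once (several .live() clicks, for instance) needs a fresh key for each load: either the main page issues one key per link, or content.php hands a new key back inside the HTML it returns. Both scripts must call session_start() before producing output, and stale entries in $_SESSION['content_keys'] should be pruned when new keys are issued so the session does not grow without bound.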

If the URL is accessible with an AJAX request, it can also be accessed directly, and you cannot prevent that. You can try to determine whether the request is an AJAX request with:

 function isAjaxRequest() {
     return array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER)
         && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
 }

and check it at the beginning of the script:

 if (!isAjaxRequest()) die('Access Denied'); 

but you should not rely too much on this test, because it is quite easy to circumvent.

0
