如何防止直接访问PHP页面?

时间:2022-11-11 22:20:57

Below is a javascript snippet that I am using as part of a AJAX script. How do I prevent user_back_end_friends.php from being accessed directly? I don't want people to be able to go to domain.com/user_back_end_friends.php and see a list of friends.

下面是我作为AJAX脚本的一部分使用的javascript片段。如何防止直接访问user_back_end_friends.php?我不希望人们能够访问domain.com/user_back_end_friends.php并查看朋友列表。

Javascript Code:

<script type="text/javascript">
    $(document).ready(function() {
        $("#user_friends").tokenInput("/user_back_end_friends.php", {
            theme: "sometheme", userid: "<?php echo $id; ?>"
        });
    });
</script>

This is what I found but not sure how to implement it with the javascript code above:

这是我发现但不确定如何使用上面的javascript代码实现它:

I use this in the page I need to call it in:

我在需要调用它的页面中使用它:

$included=1;include("user_back_end_friends.php");

When I have to prevent direct access I use:

当我必须阻止直接访问时,我使用:

if(!$included){ die("Error"); }

But how do I add this $included part of the script in my javascript code?

但是如何在我的javascript代码中添加这个$ include部分脚本?

3 个解决方案

#1


11  

There is no point in protecting javascript code, you need to protect only the server-side code.

保护javascript代码毫无意义,您只需要保护服务器端代码。

Anyway, I think your approach is not the right one; if you already have a logged-in user / a user ID, I would just use the user ID from the session instead of a user ID that is supplied by the javascript. That way there is no way anybody can tamper with it.

无论如何,我认为你的方法不正确;如果您已经有登录用户/用户ID,我只会使用会话中的用户ID而不是javascript提供的用户ID。这样,任何人都无法篡改它。

So you could start your page with:

所以你可以用以下内容开始你的页面

session_start();
if (isset($_SESSION['user_id'))
{
  // do stuff with the user ID
}
else
{
  // display error message?
}

#2


0  

You cannot completely block access to this script by the very nature of the web.

您无法通过Web的本质完全阻止对此脚本的访问。

You can check for referrer information, input validation, you could create a session variable on the parent page that's checked on the child page.

您可以检查引用者信息,输入验证,您可以在子页面上检查的父页面上创建会话变量。

#3


0  

I have done the following. Note that this is NOT the most secure, as other answers have mentioned, you can't completely block access to this script (link to an easy bypass is provided), but for my simple purposes this that worked very well -

我做了以下事情。请注意,这不是最安全的,正如其他答案所提到的,您无法完全阻止对此脚本的访问(提供了一个简单的旁路链接),但为了我的简单目的,这非常有效 -

define('_REFERURL',              'http://www.example.com');            // This is the full URL of your domain that will be calling your PHP script(s)

Then create a function that checks the referring URL (which should be from your domain)

然后创建一个检查引用URL(应该来自您的域)的函数

function allow_user()
{
        if ($_SERVER['HTTP_REFERER'] == _REFERURL)
        {
                return true;
        }
        else
        {
                return false;
        }
}

Use:

if (allow_user())
{
     // Do things
}
else
{
     // Alert, direct access attempted
}

Easy by pass: http://www.datatrendsoftware.com/spoof.html

轻松通过:http://www.datatrendsoftware.com/spoof.html

#1


11  

There is no point in protecting javascript code, you need to protect only the server-side code.

保护javascript代码毫无意义,您只需要保护服务器端代码。

Anyway, I think your approach is not the right one; if you already have a logged-in user / a user ID, I would just use the user ID from the session instead of a user ID that is supplied by the javascript. That way there is no way anybody can tamper with it.

无论如何,我认为你的方法不正确;如果您已经有登录用户/用户ID,我只会使用会话中的用户ID而不是javascript提供的用户ID。这样,任何人都无法篡改它。

So you could start your page with:

所以你可以用以下内容开始你的页面

session_start();
if (isset($_SESSION['user_id'))
{
  // do stuff with the user ID
}
else
{
  // display error message?
}

#2


0  

You cannot completely block access to this script by the very nature of the web.

您无法通过Web的本质完全阻止对此脚本的访问。

You can check for referrer information, input validation, you could create a session variable on the parent page that's checked on the child page.

您可以检查引用者信息,输入验证,您可以在子页面上检查的父页面上创建会话变量。

#3


0  

I have done the following. Note that this is NOT the most secure, as other answers have mentioned, you can't completely block access to this script (link to an easy bypass is provided), but for my simple purposes this that worked very well -

我做了以下事情。请注意,这不是最安全的,正如其他答案所提到的,您无法完全阻止对此脚本的访问(提供了一个简单的旁路链接),但为了我的简单目的,这非常有效 -

define('_REFERURL',              'http://www.example.com');            // This is the full URL of your domain that will be calling your PHP script(s)

Then create a function that checks the referring URL (which should be from your domain)

然后创建一个检查引用URL(应该来自您的域)的函数

function allow_user()
{
        if ($_SERVER['HTTP_REFERER'] == _REFERURL)
        {
                return true;
        }
        else
        {
                return false;
        }
}

Use:

if (allow_user())
{
     // Do things
}
else
{
     // Alert, direct access attempted
}

Easy by pass: http://www.datatrendsoftware.com/spoof.html

轻松通过:http://www.datatrendsoftware.com/spoof.html