Preventing Direct Access to a PHP Page, Only Access If Redirected

preventing direct access to a php page, only access if redirected

What if everytime you were going to redirect you saved a value in the $_SESSION variable. So you have

//code
$_SESSION['fromMain'] = "true";
header("Location: noaccess.php");

Then in noaccess.php put

if($_SESSION['fromMain'] == "false"){
//send them back
header("Location: foo.php");
}
else{
//reset the variable
$_SESSION['fromMain'] = "false";
}

I really don't know if this would work or not, but this is what I would try off the top of my head.

prevent direct url access to php file

You can do it with PHP

<?php
/* at the top of 'check.php' */
if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
/*
Up to you which header to send, some prefer 404 even if
the files does exist for security
*/
header( 'HTTP/1.0 403 Forbidden', TRUE, 403 );

/* choose the appropriate page to redirect users */
die( header( 'location: /error.php' ) );

}
?>

Preventing direct access to my HTML page

First of all you need to convert your html page to php then you can set a session variable in your contact us page and then when the mail is successfully sent to the user then you can check for the this session variable's value to decide weather to redirect the user or not.

Suppose this is your contact us page.

<?php
// code for sending mail
if(the mail is sent successfully then)
{
$_SESSION["redirect_to_success"]=true;
}
?>

This can be the code on the success page

<?php
if(!isset($_SESSION["redirect_to_success"]))
{
header("location:contactus.php");
}
else
{
unset($_SESSION["redirect_to_success"]);
}
?>

Here unseting the session variable allows the use to redirect to the success page only when the mail is sent successfully. Once he/she is redirected to the success page the session variable will be unset. And also using Boolean values allows less consumption of memory

Prevent direct access to a page in WordPress

You could do it the other way around. Only accept an array of predefined urls. For example here we have defined an array with github and stackoverflow as referees. If the referring url isn't one of those two, then we kill the process. With wp_die() we can display a custom message and a backlink, and with header() we can redirect automatically after 3 seconds.

add_action( 'wp', function() {
if( is_page( '3975' ) && ! is_admin() ) { // restrict page ID '2072' if it's on the front end and if user doesn't have the permissions
$base = [ // allowed referees
'https://github.com/', // referee 1
'https://stackoverflow.com/', // referee 1 ... and so on
];
if( ! in_array( $_SERVER['HTTP_REFERER'], $base ) ) { // if not in referees
header( 'Refresh: 3; ' . esc_url( home_url() ) ); // redirect in 3 seconds
wp_die( 'Something went wrong.', NULL, $args = array( 'back_link' => true, ) ); // kills WordPress execution and displays an HTML page with an error message
exit; // terminate the current script
};
};
} );

I've had a look at a bunch of things. wp_get_referer() can't be used that way as it's specific to Wordpress

Retrieve referer from _wp_http_referer or HTTP referer. If it’s the same as the current request URL, will return false.

I'm using $_SERVER['HTTP_REFERER'] instead @ https://stackoverflow.com/a/16374737/3645650. Which does the job I thaught wp_get_referer() would do.

Allow window.location but prevent direct access to a PHP file

I'm not really sure what and why you want to do. There is no way to only allow a script to open a URL, because the browser will handle it.

Normally you should check in the files itself, if the user is allowed to use them. So you have to find a logic for you, how to tell you script, if the user should see it. Otherwise you can do some other action, like displaying an error or redirect him back to you main.php.

Just some quick ideas ...

Idea 1.) If possible, you can include() the script.php in main.php and block the direct access via .htaccess. Then you don't need a redirect and no one can access it directly.

Idea 2.) Set a session variable in main.php like $_SESSION["allow"] = true; and check this again in script.php. Afterwards set the value to false, so the next call will be fail.

Idea 3.) Add a parameter to the file call, like script.php?allow=true. But in this case, all users who know the parameter could call it.

Idea 4.) Add a custom parameter to the redirect, wich is only valid for a given time. To be simple, something like php time(). Check if the parameter is within a short time limit. But in this case, the redirect url has to be generated when the main.php file starts the redirect. Otherwise the request could be already to old.

So that are my ideas. Hope something gives you a hint how to do it.

Allow access to php file only if redirected

You can check referer, but it not secure:

loading.php

<?php
if($_SERVER['HTTP_REFERER']!=='http://yoursite/example.php')
die('Denied');

--

or you can set visited flag in session

example.php

<?php
$_SESSION['isVisitedExample'] = true;

loading.php

<?php
if(!isset($_SESSION['isVisitedExample']))
die('Denied');

--

or in cookie (not secure)

example.php

<?php
setcookie('isVisitedExample', 1);

loading.php

<?php
if(!isset($_COOKIE['isVisitedExample']))
die('Denied');

--

or mix this methods



Related Topics



Leave a reply



Submit