Block direct access to a php page


I'm making a login page where the user logs in on index.php and is sent to panel.php. I was able to block access to panel.php with SESSION, but if I open connection.php (where the database information is) or login.php (where the query is) directly, I get a blank page.

I used the following code in login2.php:

<?php
session_start();                       // the session must be started before $_SESSION can be read
if (empty($_SESSION['login'])) {       // not logged in: send the user back to the login form
    header('Location: index.php');
    exit();
}

If the user has not logged in and tries to open panel.php directly, they are sent back to index.php.

I tried to do the same for connection.php and login.php, but the obvious happens: when the user clicks the login button, it never leaves index.php.

login.php and connection.php are just blank pages containing queries and DB-related data, but I don't want the user to have access to them.

I tried with .htaccess, but with it the user can't log in either.

Is there any way to prevent direct access to login.php and connection.php without breaking the login and the redirect to panel.php after logging in?

1 answer


One way to do this check is in PHP itself.

I found the solution to your problem in another Stack Overflow question.

But I will explain the functioning of the code that was chosen by the community as correct.

I made some changes to the answer code for didactic reasons.

<?php
    // Check the HTTP request method and which script PHP is actually executing
    if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
        // Reaching this condition means the user tried to open the link directly
        // Do something.
        die();
    }

Explanation: when you open the link directly from your browser, in your case {$path}/login.php, the browser always sends the request with the HTTP GET method, which satisfies the first rule of the conditional.

The second rule of the conditional checks whether the file being executed (login.php) is the same as the script the server was asked to run.

For any direct request to your login.php the rule will be TRUE, because the two variables will have equal values.

But you can still use the POST method to receive the data in login.php and perform the authentication of your user (never use GET to pass confidential information).

As for connection.php, if you only ever load it through include/require, you can shorten the conditional: remove the first rule that checks the HTTP method and keep only the path rule.

<?php
    // Check which script PHP is actually executing
    if ( realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
        // Reaching this condition means the user tried to open the link directly
        // Do something.
        die();
    }

Because when the file is loaded through include/require the two variables always have different values; on direct access they have equal values.

  • It worked. connection.php holds the DB data (server, login, password, name), so I can't use the GET method because it would be passing confidential information? But in login.php I can use it, since it only queries the database to check whether the user and password exist?

    Lucas, ideally never use the GET method to send confidential information. When a request is sent with the GET method the values travel in the query string, and your URL would look like this: /login.php?usuario=fulano&password=12345. This could let someone who shouldn't have the credentials discover them from the URL. That is why the recommendation is always to use the POST method.
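The following is an added example (not code from the question or the accepted answer) that packages the answer's two checks, the `realpath(__FILE__)` vs `realpath($_SERVER['SCRIPT_FILENAME'])` comparison and the `REQUEST_METHOD` test, as a small guard file that `connection.php` and `login.php` can require at their first line. The file name `guard.php`, the function names, and the constructed `$_SERVER`-style arrays used in the demonstration are assumptions for illustration; the demonstration runs from the command line without a web server.

```php
<?php
// guard.php (added example; file and function names are assumptions, not the page's code).
// Protected files call deny_direct_access(__FILE__) as their very first statement.
declare(strict_types=1);

/**
 * True when $file is the script the web server was asked to run, i.e. the visitor
 * typed /login.php or /connection.php into the browser, rather than $file having
 * been pulled in by include/require from another script (index.php, login.php).
 * $server is passed explicitly so the logic can be exercised with constructed data.
 */
function is_direct_request(string $file, array $server): bool
{
    $entry = $server['SCRIPT_FILENAME'] ?? '';
    if ($entry === '') {
        return true; // unknown entry script: fail closed and treat it as direct
    }
    $self  = realpath($file);
    $entry = realpath($entry);
    // realpath() returns false for a missing path; only equal real paths count as direct
    return $self !== false && $entry !== false && $self === $entry;
}

/**
 * Decide whether the request must be refused. With $allowPost = true a direct POST
 * is still accepted, which is what login.php needs to receive the login form;
 * connection.php uses $allowPost = false so every direct request is refused.
 */
function should_block(string $file, array $server, bool $allowPost): bool
{
    if (!is_direct_request($file, $server)) {
        return false; // reached via include/require: normal application flow
    }
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    return !($allowPost && $method === 'POST');
}

/** Guard for real requests: 404 leaks less than the blank 200 page the question describes. */
function deny_direct_access(string $file, bool $allowPost = false): void
{
    if (should_block($file, $_SERVER, $allowPost)) {
        http_response_code(404);
        exit;
    }
}

// --- Demonstration with constructed request environments (runs under php-cli only) ---
if (PHP_SAPI === 'cli') {
    // A temporary file stands in for index.php, the script that would include this one.
    $indexStandIn = tempnam(sys_get_temp_dir(), 'index');
    $cases = [
        // label                               SCRIPT_FILENAME       method   allowPost
        'GET typed into the browser'      => [__FILE__,              'GET',   false],
        'POST straight at connection.php' => [__FILE__,              'POST',  false],
        'POST from the login form'        => [__FILE__,              'POST',  true],
        'included by index.php (GET)'     => [$indexStandIn,         'GET',   false],
    ];
    foreach ($cases as $label => [$entry, $method, $allowPost]) {
        $server  = ['SCRIPT_FILENAME' => $entry, 'REQUEST_METHOD' => $method]; // constructed
        $blocked = should_block(__FILE__, $server, $allowPost);
        printf("%-34s blocked=%s\n", $label, $blocked ? 'yes' : 'no');
    }
    unlink($indexStandIn);
}
```

In use, `connection.php` starts with `require __DIR__ . '/guard.php'; deny_direct_access(__FILE__);` and `login.php` with `deny_direct_access(__FILE__, true);`, so the form's POST still reaches `login.php`, and `login.php`'s own `require 'connection.php'` passes the guard because `SCRIPT_FILENAME` is then `login.php`, not `connection.php`. Of the four constructed cases only the third and fourth are allowed through. One caveat the answer does not state: the guard only runs if PHP executes the file. If the server ever serves `.php` files as plain text (a missing handler after an upgrade, for example), the credentials in `connection.php` are exposed regardless, so the stronger fix is to keep that file outside the document root (`require '/var/www/private/connection.php'`) and treat the guard as defence in depth.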
