Do not let php access via browser url


Viewed 125 times

1

Hey guys, I'm in a little trouble. I'm making a system that generates points for members only; to generate them, the user has to wait 30 seconds on a specific page, and after those 30 seconds I use a (script) to call the file. So far so good, but there is always a smart guy who likes to dig through the source code, and if he finds the file that is in the script, that's it: he will put it in the browser and keep hitting Enter, generating points without waiting the 30 seconds.

So does anyone have a hint on how I can block this file, so that it only works via JS and on this specific page?


I did a test and put this in the .htaccess:

<FilesMatch "gerapontos\.php$">
order allow,deny
deny from all
</FilesMatch>

It blocks it right away, but it also blocks me from calling it via JS. :(

  • Sending some data via JS? Can you post the code that does this, please?

  • Yes, I use that: <script> $.get('gerapontos.php', function(data) { }); </script>

  • Then you have to protect it on the PHP side; there is no hiding anything that goes to the browser. See the answers in the link above, and the linked and related posts described in the right margin of the page. Use sessions in PHP when logging in, and record the time of the last request with gmtime(). If the interval is less than 30s, do not allow the addition.

2 answers

2


Here are two alternatives that make this task quite difficult for the "smart guy who likes to rummage through the source code" in this context.

1 - Ensure it can only generate points every 30 secs:

gerapontos.php:

<?php
session_start();
if(!isset($_SESSION['last_time'])) {
    $_SESSION['last_time'] = time();
}

if(time() - $_SESSION['last_time'] > 30) {
    // generate points
    $_SESSION['last_time'] = time();
}

2 - Ensure the user has to go to the home page and receives points only every 30 secs. On the home page:

<?php
session_start();
$_SESSION['token'] = md5(time());
if(!isset($_SESSION['last_time'])) {
    $_SESSION['last_time'] = time();
}

In the JS, do a POST instead of a GET:

$.post("gerapontos.php", {token: "<?= $_SESSION['token']; ?>"});

gerapontos.php:

<?php
session_start();
// strict comparison: '==' on two md5 hex strings can be coerced to numbers in PHP
if(isset($_POST['token'], $_SESSION['token']) && $_POST['token'] === $_SESSION['token']) {

    if(isset($_SESSION['last_time']) && time() - $_SESSION['last_time'] > 30) {
       // generate points
       unset($_SESSION['token']);
       $_SESSION['last_time'] = time();
    }
}

As @Bacco said, here is a more complete answer, but for a subject that is not as simple as this one.
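A hardened version of the second alternative, as an added example that is not the answer's own code (function and session key names are assumptions, PHP 7 or later is assumed): the token comes from random_bytes() instead of md5(time()), is single-use, is compared with hash_equals(), and the 30-second wait is enforced on the server both from the time the token was issued and from the last grant.

```php
<?php
// Added example, not the answer's code. Function and session key names are
// assumptions; gerapontos.php is the file named in the question.
const POINTS_INTERVAL = 30; // seconds

// Home page: call while rendering and embed the result in the $.post() body.
// random_bytes() replaces md5(time()), which is guessable from the clock.
function issue_points_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16));
    $_SESSION['points_token'] = $token;
    $_SESSION['points_token_issued'] = time();
    return $token;
}

// gerapontos.php: returns true only when points were actually granted.
function try_generate_points(): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Typing the URL into the address bar is a GET: reject it outright.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return false;
    }
    $sent     = $_POST['token'] ?? '';
    $expected = $_SESSION['points_token'] ?? '';
    $issued   = $_SESSION['points_token_issued'] ?? 0;
    // Single use: consumed whether or not the check passes, so a replayed or
    // early request forces a fresh visit to the home page.
    unset($_SESSION['points_token'], $_SESSION['points_token_issued']);
    // hash_equals() avoids PHP's loose '==' and compares in constant time.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        error_log('gerapontos: bad token from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(403);
        return false;
    }
    $now  = time();
    $last = $_SESSION['points_last'] ?? 0;
    // Both the wait on the page and the gap since the last grant are server-side.
    if ($now - $issued < POINTS_INTERVAL || $now - $last < POINTS_INTERVAL) {
        http_response_code(429);
        return false;
    }
    $_SESSION['points_last'] = $now;
    // ... credit the points to the logged-in member here ...
    return true;
}
```

The error_log() line gives you something to watch for in the server logs: repeated 403s from one session or address are the "smart guy" replaying the request.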

0

You can send a POST with a "key" and check it on the page that generates the points. If the key is correct, it generates them. Otherwise, redirect to another page or show an error.

  • How would that be? Like if I pass an md5: gerapontos.php?key=89as7da57asd5asd89gs09

  • In this example yours would be a GET, not a POST, but that can work too. This article can give you a better idea of how to prevent your system from being circumvented.

  • All right, I'll try to do it.
