how to protect access to a php file?

Viewed 781 times

1

Galea: I am using the jQuery autocomplete plugin. It works perfectly. I use jQuery to call a PHP file that queries the database.

I call it like this:

    $("#auto").autocomplete("Busca/Cadastros.php", {
        width: 500,
        multiple: false,
        matchContains: true,
        formatItem: formatItem,
        formatResult: formatResult
    });

The problem is that if I type the file path ('path/Busca/Cadastros.php') into the browser, it opens the query on the database. How do I block this file, i.e. make it impossible to open from the browser so that only my jQuery can open it?

Does anyone know how to do it?

  • Does the autocomplete do a GET or a POST to that file?

  • It's doing GET.

  • 1

    Impossible. If JS can access it, direct access is always possible.

  • Is there any way to block this page via .htaccess so that it only responds to my server's IP?

  • Or I could change the method.

  • It is not your server that accesses the script, it is the user's browser.

  • @Bacco there are ways, yes; one of them is restricting it to POST and only accepting requests from the same site.

  • 1

    @Virgilionovic nothing prevents me from sending a POST by some means other than the page. Everything that JS accesses, the user can access directly. No exception. Every header is generated on the client side; there is no way to differentiate a genuine request from a forged one. The most you can do is trick the curious (the curious do not know how to do this, i.e. simulate requests).

  • @Bacco but I can block the type of request!!! and by IP!

  • 1

    But if I restrict it to POST and only accept requests from the site itself, doesn't that solve it?

  • 1

    @Hugoborges the site does not make the request; the one requesting is the user's browser. You can only hinder it, but there is no way to prevent it.

  • @Bacco got it, damn.

  • 2

    @Hugoborges I don't have much more to help with; I think you already understand that the problem is that you have to trust what the browser is sending. What you can do is other things, like limiting the number of requests and results per IP per hour so that no one downloads your entire database at once. Large sites like the post office cannot avoid bots, imagine us "mortals". Either way, use POST. Tokens etc. can help keep the curious away. At least a layperson won't get the data. But anyone who knows how to use cURL or a basic socket can simulate all of this.

  • @Bacco got it, well, I have to try my best to find a solution around it. Thank you very much for your help.


2 answers

2

If this request is a POST, in PHP you can first of all do this:

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // All your code here
    }

This way it will not be possible to access the URL by GET through the browser's address bar. But I see other ways too, since someone can make a cURL POST to that URL.

To verify that the request is AJAX:

    if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
        // It's AJAX, put your code here.
    }

It would be good for your autocomplete to make a POST request.

It's hard to think through all the checks; there will always be a way to circumvent the safeguards. Avoid what you know about and don't worry so much about the rest.

Backup exists for this. Restore also, which is more important than the backup in itself.

Your code via POST, and how to send more parameters in the POST:

In the data parameter you define more variables. Remember that term is what is passed to PHP to search for.

    $("#birds").autocomplete({
        source: function (request, response) {
            $.ajax({
                type: "POST",
                url: "Busca/Cadastros.php",
                data: {
                    term: request.term,
                    outra_variavel: valor_outra_variavel   // any extra value you want to send
                },
                success: response
            });   // closes $.ajax(...)
        },
        width: 500,
        multiple: false,
        matchContains: true,
        formatItem: formatItem,
        formatResult: formatResult
    });
  • Yes, I am currently using GET. Is there some way to block this page via .htaccess so that it only responds to my server's IP?

  • As I said in the other comment, I think that way the user can still make a cURL POST.

  • Unless you check whether the request is AJAX, as posted.

  • I'm trying to do that here. How do I get jQuery to send an AJAX request?

  • You're already sending one when you use autocomplete, but you're sending it via GET. To do it via POST you can do what Virgílio put in the code he posted.

  • Well, I kept my jQuery the same way, using GET, but in the PHP file I did as you told me and checked whether the request is AJAX: 'if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') { // It's AJAX, put your code here. }' and it looks like it worked.

  • 1

    @Hugoborges remember that with cURL you can send both the same method as AJAX and an HTTP_REFERER to make it look like the origin is your site. A curious person can't, but someone who knows how to use the browser console or some programming language keeps getting access (but it is better than nothing).

  • @Bacco does HTTP_REFERER interfere with HTTP_ORIGIN?

  • @Gumball both are spoofable; I only brought it up to be more complete. ORIGIN is bad to use because few browsers support it. If you do things with ORIGIN it will harm a lot of normal users.

  • Good to know that.

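Putting the first answer's two checks together with the per-IP limit Bacco suggests in the comments, as an added example that is not part of the original question or answers. It assumes a PDO handle `$pdo` and a `cadastros` table with a `nome` column (both hypothetical), and expects the `term` POST field from the jQuery snippet above.

```php
<?php
// Added example, not code from the question or the answers: a hardened
// Busca/Cadastros.php. Assumes a PDO connection in $pdo and a table
// `cadastros` with a `nome` column (both hypothetical). The two header checks
// only filter casual browser access; a cURL request can fake both.
header('Content-Type: application/json; charset=utf-8');

// 1. Only POST: typing the URL into the address bar (a GET) is refused.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['error' => 'method not allowed']));
}

// 2. Only XMLHttpRequest: jQuery sets this header, but any client can too.
if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'xmlhttprequest') {
    http_response_code(403);
    exit(json_encode(['error' => 'forbidden']));
}

// 3. Per-IP limit (constructed values: 60 requests per hour) so nobody can
//    pull the whole table in one go. File-based counter for illustration;
//    use APCu or Redis on a real site.
function rate_limited(string $ip, int $max = 60, int $window = 3600): bool {
    $file = sys_get_temp_dir() . '/ac_' . md5($ip) . '.json';
    $data = is_file($file) ? json_decode(file_get_contents($file), true) : null;
    if (!$data || time() - $data['start'] > $window) {
        $data = ['start' => time(), 'count' => 0];
    }
    $data['count']++;
    file_put_contents($file, json_encode($data), LOCK_EX);
    return $data['count'] > $max;
}
if (rate_limited($_SERVER['REMOTE_ADDR'])) {
    http_response_code(429);
    exit(json_encode(['error' => 'too many requests']));
}

// 4. Bound the input and use a prepared statement: no SQL injection, and
//    one request can never return more than 10 rows.
$term = mb_substr(trim($_POST['term'] ?? ''), 0, 50);
if ($term === '') {
    exit(json_encode([]));
}
$stmt = $pdo->prepare('SELECT nome FROM cadastros WHERE nome LIKE ? LIMIT 10');
$stmt->execute([$term . '%']);
echo json_encode($stmt->fetchAll(PDO::FETCH_COLUMN));
```

Steps 1 and 2 are the ones the comments call spoofable; steps 3 and 4 are what limit the damage once someone does spoof them.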

-1

Ideally, you do not put the server files (i.e., PHP) in the same folder as the application or in its child folders. In that case the call would be as follows:

    $("#auto").autocomplete("../Busca/Cadastros.php", {
        width: 500,
        multiple: false,
        matchContains: true,
        formatItem: formatItem,
        formatResult: formatResult
    });

But of course, you need to limit access to anything outside that scope. That way it doesn't matter whether the access is done by GET or POST: if the user tries direct access, he won't be able to.

  • 1

    Can't the "user" just remove the ../?

  • This is the way PHP is. ".." means the file is one folder above the current location (relative to the JS calling the PHP), so you would also need to move your PHP file. The most secure way to protect access is that only the system can access it when you are hosting.

  • You mean that if I have sistema/js and sistema/php, just because the JS does ../file.php the user could not directly access sistema/php/file.php, is that it? '-'

  • @Guilhermelautert, I think he meant that it will be difficult for the user to know exactly what the path of the file is, hence the ../.

  • 1

    It’s all wrong, Gumball. Based on this website: https://khalil-shreateh.com/khalil.shtml/index.php/websites/websites-development/106-best-5-ways-to-prevent-direct-access-to-php-file.html

  • @Cleitonoliveira I’m imperfect. I’m wrong, man. Forgive me. I’ll try not to do it again. Thanks for the LINK.

  • 2

    I forgot the site quote: "The best way to Prevent direct access to files is to place them Outside of the web-server Document root (usually, one level above). You can still include them, but there is no possibility of someone accessing them through an http request." What it says is exactly my answer: the best way to prevent direct access is to put the files out of the web-server root folder, usually one level above. You can still give include, but there is no possibility of someone accessing via http request.

  • 1

    @Cleitonoliveira this solution is good if it is something for a PHP include, but in this case, as it is JS, it needs to be inside the root of the site, otherwise not even the browser can access it.

  • @Bacco you solve that with the include.
