I need to prevent direct access (on a second page) in php

Asked

Viewed 254 times

0

The question is a little confusing, but I’ll try to explain it as best I can. I have an apache2 server running on linux (Raspbian Stretch Lite) with php7.0 and the necessary mods.

On the server has some files, I will list them in the most minimalist way possible,

This is responsible for the form:

/index php.

<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
  <meta name='viewport' content='width=device-width, initial-scale=0.8, user-scalable=no' />
  <link rel="stylesheet" href="css/aut.css">
  <title>Autenticação</title>
</head>

<body>
<?php
session_start();
$erro = $_SESSION['msg'];
if (empty($erro)) {

}
else {
  echo "<script type='text/javascript'>alert('$erro');</script>";
  $_SESSION['msg'] = '';
}
?>
<div class="login-page">
  <div class="form">
    <form action="aut/resposta.php" method="post"class="login-form">
      <input type="text" name="user" placeholder="Usuário"/>
      <input type="password" name="senha" placeholder="Senha"/>
      <button type="submit">Entrar</button>
    </form>
  </div>
</div>
</body>
</html>

This is responsible for validating the form and creating a session variable if the user and password are correct, this variable comes from a file inside the server. In addition to redirecting the user.

/aut/reply.php

<html>
<body>
<?php
session_start();
if ($_POST["senha"] == "112233oi#" and $_POST["user"] == "Spineli") {

    $arquivo = "/prog/php/escalator/cripto/key.txt";
    $fp = fopen($arquivo, "r");
    $key = fread($fp, filesize($arquivo));
    fclose($fp);

	$_SESSION['aut'] = $key;
	header("Location: ../site.php");

} else {
	$msg = 'Usuário ou senha incorretos!';
	$_SESSION['msg'] = $msg;
	header("Location: /index.php");
	
}

?>
</body>
</html>

And this is the site to which the user is redirected

php site.

<!DOCTYPE html>
<html>
<head>
<title>Controle Remoto</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name='viewport' content='width=device-width, initial-scale=1, user-scalable=no' />
<link rel="stylesheet" href="css/site.css">
</head>
<body>
<?php
session_start();
$login1 = $_SESSION['aut'];
$erro = $_SESSION['msg'];

$arquivo = "/prog/php/escalator/cripto/key.txt";
$fp = fopen($arquivo, "r");
$login2 = fread($fp, filesize($arquivo));
fclose($fp);

if ($login1 !== $login2 or empty($login1)) {
	header("Location: index.php");
}
else {
	$_SESSION['aut'] = '';
}

if (empty($erro)) {

}
else {
	echo "<script type='text/javascript'>alert('$erro');</script>";
	$_SESSION['msg'] = '';
}
?>
<div class="bonito">
  <div class="bembonito">
	<div class="text1"><p>Controle Remoto</p></div>
	<div class="text2"><p>Direção</p></div>
	<a href="move/sobe.php" class="button4">Sobe</a>
	<a href="move/desce.php" class="button4">Desce</a>
	<div class="text2"><p>Bloqueio</p></div>
	<a href="bloq/on.php" class="button4">Ligar</a>
	<a href="bloq/off.php" class="button4">Desligar</a>
  </form>
</div>
</div>
</body>
</html>

and then within /move we have 2 files the sobe.php descends.php, these files run scripts to control reles, their code is very similar

<?php
session_start();
$msg = 'Subindo ou Descendo!';
$_SESSION['msg'] = $msg;
shell_exec('/root/script.sh');
?>

A detail:

_Session['msg'] is used to display messages, its operation does not interfere with the problem.

The problem:

If someone type 192.168.x. x/move/up.php it goes through security without any problem.

Attempts: I’ve tried everything I know,

I tried to put php on the onclick button, but php runs before loading the site, so it ran the action even before the user click the button.

I also tried to use a Session scheme as I did on the reply pages.php and site.php, but the problem is that this variable will remain open until the user clicks on one of the buttons, and if he does not click on any, the variable is still present, thus, anyone can access entering 192.168.x. x/move/up.php

I don’t know what to do, I’m willing to make changes of all kinds without language limitations and so on, I just can’t move the files around, I just need it to work on my server.

Thanks in advance.

Edit:

I suggested another post for the solution of the problem, however I can not change the files from place.

php html session

  • Possible duplicate: https://answall.com/q/331344/99718

  • No, this is not a duplicate. I’ve done a lot of research on this forum and many others not to make this mistake.

  • It would be better to set up the environment properly to not serve Phps directly than to do this kind of thing in each file.

  • How can I set up?

  • This question that I was asked serves only for includes and Ajax, which makes me believe that you have not even read my question and have already marked as duplicate. More attention next time

1 answer

0


Have you ever tried anything like: 

<?php
    /* no topo de 'sobe.php' */
    if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
        /* 
           Ai é com você qual cabeçalho enviar, alguns preferem 404 mesmo se
                os arquivos existem, para segurança            */
        header( 'HTTP/1.0 403 Forbidden', TRUE, 403 );

            /* escolhe a página apropriada para redirecionar os usuários */
        die( header( 'location: /error.php' ) );

  • This way I can’t access the scripts. I’m always redirected

Browser other questions tagged php html session

You are not signed in. Login or sign up in order to post.