Restricting access to a php script

P: 18
Hi,
I have a script 1 that calls another script 2 when a form is submitted. Both scripts belong to the admin side, and the second one involves database modification.
How do I make sure that there are no loose ends?

One way is to put a check in script 2 so that it executes only when session variables are set to logged in.
Another way is to check for the source that the form data came from... I'm not sure how to check for it. Is it through $_SERVER['HTTP_REFERER']? Is this way safe?

Anyway, which works better? Or should I use them in conjunction? Or is there a better way for this?
May 1 '07 #1
5 Replies


cyberking
P: 84
Hi!
I don't understand your needs exactly. When it belongs to the admin side, why don't you restrict the entry / access to these forms by hardcoding a login id and a password which only you know? Next, by having a tiny login with user id and password, you can check if the hardcoded user id and password match; if yes, redirect to the admin page (script 1), else redirect him to the users section.
Hope this helps you,
Regards
CyberKing
www.bytesandbytes.com
May 1 '07 #2

P: 18
Hello cyberking,

I wrote about maintaining login sessions. I think that is the best possible way to restrict access.
But say you had somebody who has access to the admin area. How do you stop that person from writing a program/script to flood the script with requests?

Has anybody ever checked for the page from which the request comes? Does it work? How do CMS packages prevent their include files from being accessed in the wrong way?
May 1 '07 #3

100+
P: 136
Hi,

For the sake of security you can use the session or cookie. This provides you quite reliable security for your system.

Now considering your case scenario: say person A has access to the admin area. He can enter there only by using the login system. Now say there is a script named test.php. A can run test.php using some program to flood it. I think this is what you are saying.

Now, to prevent running the script from outside, use some other script to define some global variable. test.php can check the existence of the variable and then run the code inside. In your system you will call the variable-containing script to define the vars globally. But A can't call the script from outside. This way you can make your script secure from being accessed and executed from outside.


susen
May 2 '07 #4

P: 18
Hi,
Thanks for that response. I think phpBB does something similar to ensure include files aren't executed in isolation. It sets up a variable in the master pages and puts a check at the beginning of each include file.

I think I can combine both of these systems... checking for the existence of the particular variable to make sure that the file is being used inside some other script, and then checking if the session is set to logged in.

Thanks
May 3 '07 #5
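
The combination described in post #5 (a marker set by the master script plus the login-session check), as an added example that is not part of the original thread and is not phpBB's own code. The file names, the IN_ADMIN constant and the $_SESSION['logged_in'] flag are assumptions; a constant is used instead of a plain variable because a constant cannot be set from request input.

```php
<?php
// === File 1: admin/save.php, the entry script the admin form posts to ===
// File names, IN_ADMIN and $_SESSION['logged_in'] are assumptions.
session_start();

// Session check: assumes the login script set this flag after it
// verified the password.
if (empty($_SESSION['logged_in'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Accept only the form submission, not a plain GET of the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

// Marker constant. Request data (GET, POST, cookies) cannot define a
// constant, so a direct request to the include cannot fake it.
define('IN_ADMIN', true);
require __DIR__ . '/inc/update_record.php';


// === File 2: admin/inc/update_record.php (begins with its own PHP open tag) ===
// Marker check: when this file is requested directly by URL, no entry
// script has run and IN_ADMIN is undefined.
if (!defined('IN_ADMIN')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

// Session check repeated, so the include stays protected even if some
// other entry script defines IN_ADMIN but forgets the login check.
if (empty($_SESSION['logged_in'])) {
    http_response_code(403);
    exit('Not logged in');
}

// $_SERVER['HTTP_REFERER'] is not consulted: the client sends that header
// and a script can set it to any value, so it proves nothing about origin.

// The database modification from the form data goes here.
```

The marker check only blocks direct requests to the include file; it does not limit how often a logged-in admin can post to the entry script, which is the flooding concern raised in post #3.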

100+
P: 136
Hi,

Yeah, it's true. Not only phpBB, but I have seen many other applications in PHP use this technique to protect the inside code from being accessed.

It seems to me that you have worked with the phpBB forum. IMO this is a really good forum in all aspects.

susen
May 4 '07 #6
