473,381 Members | 1,402 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,381 software developers and data experts.

re Prevent loading of php pages

Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.

Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?

We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.

If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.

Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to

www.somewebsitecom/nonrootdirectory/step2.php.

This approach seems to work, but can a clever web-crawler or
programmer get past it?

Thoughts?

Phil

>>Newsgroups: comp.lang.php
From: "Garry Jones" <garry.jo...@morack.se>
Date: Wed, 26 Apr 2006 23:53:13 +0200
Local: Wed, Apr 26 2006 3:53 pm
Subject: Prevent loading of php pages
>>I have a website consisting of php segments.
>>Example
>>page1.html calls in code from seg1.php and seg2.php
>>If the user goes directly to www.mydomain.com/seg1.php they see everything
visible to a browser on that page. Can I prevent users from loading individual
php segments.
>>The only time that seg1.php should be visible is in its original context on
page1.html
>>Garry Jones
Sweden
>Jerry Stuckle wrote:
>The document root id the root directory of your website. But it is not the root
directory of your machine. For instance, your document root might be
"/var/www/website1/html".
>When you upload them, put them in a directory below the root of your website,
i.e. "/var/www/website1/myfiles". You can then include this page in your
other PHP pages with something like (assuming Apache):
include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
>Anyone accessing a page through http protocol can only access those files in
your web root. But PHP accesses the file system directly, so it can access any
file on the system (assuming the appropriate permissions are set).
>==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
Jun 1 '07 #1
3 2020
Phil wrote:
Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.

Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?

We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.

If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.

Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to

www.somewebsitecom/nonrootdirectory/step2.php.

This approach seems to work, but can a clever web-crawler or
programmer get past it?

Thoughts?

Phil

>>Newsgroups: comp.lang.php
From: "Garry Jones" <garry.jo...@morack.se>
Date: Wed, 26 Apr 2006 23:53:13 +0200
Local: Wed, Apr 26 2006 3:53 pm
Subject: Prevent loading of php pages
>>I have a website consisting of php segments.
>>Example
>>page1.html calls in code from seg1.php and seg2.php
>>If the user goes directly to www.mydomain.com/seg1.php they see everything
visible to a browser on that page. Can I prevent users from loading individual
php segments.
>>The only time that seg1.php should be visible is in its original context on
page1.html

>>Garry Jones
Sweden

>Jerry Stuckle wrote:
>The document root id the root directory of your website. But it is not the root
directory of your machine. For instance, your document root might be
"/var/www/website1/html".
>When you upload them, put them in a directory below the root of your website,
i.e. "/var/www/website1/myfiles". You can then include this page in your
other PHP pages with something like (assuming Apache):
> include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
>Anyone accessing a page through http protocol can only access those files in
your web root. But PHP accesses the file system directly, so it can access any
file on the system (assuming the appropriate permissions are set).
>==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
http_referer is not reliable. The browser is not required to send it, a
firewall may strip it, or it can easily be faked.

My suggestion just protected pages from being loaded directly; it really
doesn't address your issue.

I think the best way to handle your sequence might be to keep track of
the last page (or pages) visited in the session variable. Not much more
work, and much more accurate.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 1 '07 #2
On Jun 1, 5:17 am, Jerry Stuckle <jstuck...@attglobal.netwrote:
Phil wrote:
Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.
Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?
We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.
If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.
Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to
www.somewebsitecom/nonrootdirectory/step2.php.
This approach seems to work, but can a clever web-crawler or
programmer get past it?
Thoughts?
Phil
>Newsgroups: comp.lang.php
From: "Garry Jones" <garry.jo...@morack.se>
Date: Wed, 26 Apr 2006 23:53:13 +0200
Local: Wed, Apr 26 2006 3:53 pm
Subject: Prevent loading of php pages
>I have a website consisting of php segments.
>Example
>page1.html calls in code from seg1.php and seg2.php
>If the user goes directly towww.mydomain.com/seg1.phpthey see everything
visible to a browser on that page. Can I prevent users from loading individual
php segments.
>The only time that seg1.php should be visible is in its original context on
page1.html
>Garry Jones
Sweden
Jerry Stuckle wrote:
The document root id the root directory of your website. But it is not the root
directory of your machine. For instance, your document root might be
"/var/www/website1/html".
When you upload them, put them in a directory below the root of your website,
i.e. "/var/www/website1/myfiles". You can then include this page in your
other PHP pages with something like (assuming Apache):
include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
Anyone accessing a page through http protocol can only access those files in
your web root. But PHP accesses the file system directly, so it can access any
file on the system (assuming the appropriate permissions are set).
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================

http_referer is not reliable. The browser is not required to send it, a
firewall may strip it, or it can easily be faked.

My suggestion just protected pages from being loaded directly; it really
doesn't address your issue.

I think the best way to handle your sequence might be to keep track of
the last page (or pages) visited in the session variable. Not much more
work, and much more accurate.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================- Hide quoted text -

- Show quoted text -
Jerry:

Even better. Thank you.

Phil
P.s. Does $_SERVER["HTTP_REFERER"] get stripped or can it be faked?
Jun 1 '07 #3
Phil wrote:
On Jun 1, 5:17 am, Jerry Stuckle <jstuck...@attglobal.netwrote:
>Phil wrote:
>>Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.
Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?
We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.
If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.
Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to
www.somewebsitecom/nonrootdirectory/step2.php.
This approach seems to work, but can a clever web-crawler or
programmer get past it?
Thoughts?
Phil
Newsgroups: comp.lang.php
From: "Garry Jones" <garry.jo...@morack.se>
Date: Wed, 26 Apr 2006 23:53:13 +0200
Local: Wed, Apr 26 2006 3:53 pm
Subject: Prevent loading of php pages
I have a website consisting of php segments.
Example
page1.html calls in code from seg1.php and seg2.php
If the user goes directly towww.mydomain.com/seg1.phpthey see everything
visible to a browser on that page. Can I prevent users from loading individual
php segments.
The only time that seg1.php should be visible is in its original context on
page1.html
Garry Jones
Sweden
Jerry Stuckle wrote:
The document root id the root directory of your website. But it is not the root
directory of your machine. For instance, your document root might be
"/var/www/website1/html".
When you upload them, put them in a directory below the root of your website,
i.e. "/var/www/website1/myfiles". You can then include this page in your
other PHP pages with something like (assuming Apache):
include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
Anyone accessing a page through http protocol can only access those files in
your web root. But PHP accesses the file system directly, so it can access any
file on the system (assuming the appropriate permissions are set).
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
http_referer is not reliable. The browser is not required to send it, a
firewall may strip it, or it can easily be faked.

My suggestion just protected pages from being loaded directly; it really
doesn't address your issue.

I think the best way to handle your sequence might be to keep track of
the last page (or pages) visited in the session variable. Not much more
work, and much more accurate.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================- Hide quoted text -

- Show quoted text -

Jerry:

Even better. Thank you.

Phil
P.s. Does $_SERVER["HTTP_REFERER"] get stripped or can it be faked?

Either can happen. It's just a field sent by the browser. The browser
can decide to send it or not, or it can be stripped by a firewall. And
it can easily be faked.

Never trust anything sent by the user!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 1 '07 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: Rob Tweed | last post by:
I have a customer who is having problems when their Windows 2000/IIS/PHP-based system begins to experience a level of loading that isn't, in my view, unreasonably high. I'm wondering what others...
25
by: Dave Turner | last post by:
I know that its impossible to completely prevent somebody from ripping a site (or cracking software) if that person has the skills and the time/patience, but there are tricks that can be employed...
4
by: seans | last post by:
Hi, Is there some way from preventing the JavaScript code in a document loaded into an iframe from executing? I don't have access to the pages being loaded into the i-frame so I can't modify...
5
by: Manish Jain | last post by:
Environment: Windows 2000 Server (SP4), ASP.Net/C# (Framework 1.1) Hardware: PIII @ 700 MHz, 512 MB RAM ----------------------------------------------------------------------------...
4
by: KJS | last post by:
Help, I'm not sure what exactly is happening but I can say this, classic asp pages are not loading on my local dev box. They use to work! Since then I have installed .NET 1.1 Studio (that is...
7
by: Garry Jones | last post by:
I have a website consisting of php segments. Example page1.html calls in code from seg1.php and seg2.php If the user goes directly to www.mydomain.com/seg1.php they see everything visible to...
6
by: ImOk | last post by:
I am using Windows IIS with PHP5 CGI. When I want to use an extension in PHP5 under Windows I enable the extension line in PHP.INI. (e.g. extension=php_sqlite.dll). Does PHP load all the...
0
by: vinayakk | last post by:
Hello webies, I have a problem with loading html pages in frameset. I am using location.href to load html pages one by one upon the user request and these pages in turn load flash files. When one...
6
by: Shigun | last post by:
On a website I am working on I am trying to load another page into a div on the the page the user does his work from. What I have works correctly in FireFox, but not in IE. I've rummaged Google for...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
by: ryjfgjl | last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
0
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
0
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
0
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
0
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
1
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
1
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.