  1. #1 ketting00 (SitePoint Addict, Join Date Jul 2011)

    How do I allow script access to my PHP file but not through a browser URL

    I'm trying to access my PHP file with JavaScript but it isn't working. I've protected my file with this block of code to prevent users from accessing it directly from a browser, but it prevents script access as well:
    Code:
    <?php
    // Build "host/path" from the request and refuse it when the third path segment
    // is customer_info.php (this assumes the file sits one directory below the web root).
    // The check runs for every request, including the one made by the page's JavaScript.
    $URL = $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
    $slice = explode('/', $URL);
    if ($slice[2] == "customer_info.php") {
        die("sry, no access rights");
    }
    The file contains sensitive JSON data, so it can't be viewable in a browser.

    Thank you,

  2. #2 yangyang (SitePoint Enthusiast, Join Date Jun 2007, Location kavoir.com)
    So I assume you need to use the JSON data in JavaScript but prohibit users from accessing it directly in customer_info.php?

    You can detect the HTTP referer in customer_info.php via $_SERVER['HTTP_REFERER']. If it's from your own site, then it's OK to display the information. If there's no referer, or a referer other than your own site, deny access. But this can be forged. You don't have confidentiality of anything you send to the client.

    How sensitive is the JSON? If it is too sensitive, you shouldn't be using it in JavaScript in the first place.

  3. #3 Pullo (Grüße aus'm Pott, Join Date Jun 2007, Location Germany)
    I agree with yangyang. There are small measures that you can take to make it difficult for your users to access the data (such as checking the referer), but ultimately these can all be negated.
    What it boils down to is that the client side is the wrong place to handle sensitive data.
    Maybe in your case an authentication system would be better, so that you only display information based on the credentials a user supplies.

  4. #4 ketting00 (SitePoint Addict, Join Date Jul 2011)
    Thank you,
    So I should store it server side.

  5. #5 Pullo (Grüße aus'm Pott, Join Date Jun 2007, Location Germany)
    Quote Originally Posted by ketting00:
        Thank you,
        So I should store it server side.
    Essentially everything is stored server-side anyway.
    I'm suggesting that you get users to sign in and limit what they can access depending on their login credentials.
    That way you can specify who views what and don't have to worry about someone guessing a URL that would display sensitive info.
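    What Pullo describes, as an added example that is not code from this thread: customer_info.php hands out the JSON only to a server-side session that a login step (assumed to exist elsewhere and to set $_SESSION['user_id']) has already established, and only that user's own record. The $customers array is a constructed stand-in for the real customer table.

```php
<?php
// customer_info.php (added example; assumes login.php sets $_SESSION['user_id'] on sign-in)
declare(strict_types=1);

session_start();

header('Content-Type: application/json; charset=utf-8');
header('Cache-Control: no-store');           // keep the JSON out of shared caches and history
header('X-Content-Type-Options: nosniff');

// A Referer check like the one discussed above is deliberately NOT used here:
// the header is client-supplied, optional, and set freely by any HTTP client,
// so it cannot serve as an access control.

// Constructed stand-in for the database table holding customer records.
$customers = [
    101 => ['name' => 'Alice Example', 'email' => 'alice@example.test', 'balance' => 120.50],
    102 => ['name' => 'Bob Example',   'email' => 'bob@example.test',   'balance' => 0.00],
];

// 1. Authentication: the only thing that grants access is the session created at login.
//    A browser URL typed by an anonymous visitor and a script on the page look the same
//    to the server; what differs is whether a signed-in session accompanies the request.
$userId = $_SESSION['user_id'] ?? null;
if (!is_int($userId)) {
    http_response_code(401);
    echo json_encode(['error' => 'authentication required']);
    exit;
}

// 2. Authorisation: a signed-in user receives their own record and nothing else,
//    so guessing the URL (or another customer's id) yields no other customer's data.
if (!isset($customers[$userId])) {
    http_response_code(404);
    echo json_encode(['error' => 'no record for this account']);
    exit;
}

echo json_encode($customers[$userId], JSON_THROW_ON_ERROR);
```

    The page's JavaScript calls this URL as usual (a same-origin fetch or XMLHttpRequest sends the session cookie automatically), while an unauthenticated request from a browser address bar gets the 401 response instead of the data.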
