
block php file access from serverside only...



chetanmadaan
05-31-2010, 08:55 AM
Hi,

We are looking for a solution where we can block access to the files from the server side only. I mean the file should only execute under two conditions:

1. if the request is coming from a specific URL (example: www.google.com or whatever)

2. if the file is being requested via a POST request and not direct access.

Well, we are using an SMS gateway and here is how it works.


http://www.mywebsite.com/incomingsms.php?xml=<?xml version="1.0"
encoding="UTF-8" ?><TRUMPIA> <phonenumber>1234567890</phonenumber>
<keyword>keyword</keyword> <contents>contents</contents> </TRUMPIA>

My question is, how can we make sure the URL is triggered from the Trumpia SMS
server? If any spammer/hacker knows the URL then he can simply inject the
values and make a URL launch.

Thanks.
Let me know?

djr33
05-31-2010, 09:23 AM
I'm not sure I fully understand your question. You need to make a very clear list of conditions either to allow or to block. You just need one of those.

Based on that, you can just output nothing (or an error or whatever you want) if it doesn't match.

$_SERVER will hold what you need.
http://www.php.net/manual/en/reserved.variables.server.php

There are a lot of them, and they vary by server.

'REMOTE_ADDR' will identify the requester's IP address and this is 100% reliable (unless there is a proxy and then you will have the proxy's IP instead).

'HTTP_REFERER' [spelled like that] is NOT reliable as it is not required and can be faked, but it will give you the location from which it was requested, like where the user clicked a link. This isn't great for blocking/banning people, though, because you can't be sure it's right. Most of the time it will be, so it's a good way to guess, but if this is a required feature of your website then it's not a great idea.

'HTTP_USER_AGENT' is also not reliable for the same reasons and it may not be sent in some cases. But it's a way to guess about what the user is using for a browser/OS/etc.

'REQUEST_METHOD' appears to be reliable and this will tell you the method used. This can identify POST, for example.


Anyway, let's say you want to block an IP address. Here's an example. The same logic applies for another condition, just change what's in the if:

<?php
// Block one IP address; the same pattern works for any other $_SERVER check.
if ($_SERVER['REMOTE_ADDR'] == '1.2.3.4') {
    exit('You are not allowed to access this page');
}
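Putting the reply's advice together for the poster's incomingsms.php, as an added example that is not part of the thread: the request is accepted only if REQUEST_METHOD is POST and REMOTE_ADDR is in an allowlist of gateway addresses (the addresses below are placeholders, not Trumpia's), and HTTP_REFERER is deliberately not consulted. The function names and the parsing of the <TRUMPIA> document are my assumptions.

```php
<?php
// Added example (not from the thread): gate incomingsms.php on the two
// conditions the original poster asked for, using only the reliable
// $_SERVER fields djr33 lists.
// Assumption: the gateway's source addresses come from its documentation.
// These are placeholders; replace them with the real ones.
const ALLOWED_GATEWAY_IPS = ['203.0.113.10', '203.0.113.11'];

function request_is_allowed(array $server, array $allowed_ips): bool
{
    // Condition 2: POST only. REQUEST_METHOD is set by the web server.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Condition 1: the gateway's addresses only. REMOTE_ADDR comes from the
    // TCP connection, unlike HTTP_REFERER, which the client chooses. Behind a
    // reverse proxy REMOTE_ADDR is the proxy, so the proxy must enforce this.
    return in_array($server['REMOTE_ADDR'] ?? '', $allowed_ips, true);
}

function parse_incoming_sms(string $xml): ?array
{
    // Parse the <TRUMPIA> document with network access disabled so a crafted
    // payload cannot make the parser fetch external resources.
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false || $doc->getName() !== 'TRUMPIA') {
        return null;
    }
    return [
        'phonenumber' => (string) $doc->phonenumber,
        'keyword'     => (string) $doc->keyword,
        'contents'    => (string) $doc->contents,
    ];
}

if (PHP_SAPI !== 'cli') {
    if (!request_is_allowed($_SERVER, ALLOWED_GATEWAY_IPS)) {
        http_response_code(403);
        exit('Forbidden');
    }
    $sms = parse_incoming_sms($_POST['xml'] ?? '');
    if ($sms === null) {
        http_response_code(400);
        exit('Bad request');
    }
    // hand $sms to the application from here
}
```

Because the XML now arrives in the POST body rather than the query string, the gateway must be configured to POST to the URL; a GET with ?xml=... is rejected with 403.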

chetanmadaan
05-31-2010, 09:26 AM
All I can say is thank you so very much. I think that's it. Anyone else?