Ok so I have a file that I do NOT want to be accessed unless it is in an iframe. Like the main page has a frame that changes from page to page depending on whatever menu button is clicked. One of the pages I only want to be accessed in that fashion, otherwise i want the user to get an error message. Like

main.php = full page, has iframe of fight.php
fight.php = page i do not want accessed if it is not included in main.php

i tried doing this:

in main.php:


$check='1';
<iframe src=\"fight.php\" id=\"frame\"></iframe>

in fight.php at the top:


if(!$check){
echo "Error.";
exit;
}

Is there any way I can make this happen? (Obviously what I tried didnt work or i wouldnt be asking =p)

What you are trying here is a real time communication between two pages. In PHP communication only occurs via GET COOKIE or POST. SESSION may also be used. However, as far as I can imagine, your top page could set a SESSION variable allowing the fight page to load. But that wouldn't then prevent fight from loading in another window. And I'm pretty sure there would be no reliable way to unset the SESSION variable when the top page unloaded.

My thoughts are that perhaps you could use the 'HTTP_REFERER'. Look for it under:

http://www.php.net/manual/en/reserved.variables.server.php

If the 'HTTP_REFERER' is not the top page, you could exit. As noted there though:


The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

There is another problem with this, some browsers allow right click on a link on the top page to open it in a new window/tab. In which case the referrer would be as expected, but the page wouldn't be in the iframe. But I'm sure it would be better than nothing.

Javascript can do this sort of thing (communicate between two pages on the same domain in real time) though, no problem.

If your fight page depends upon javascript for something anyway, or could be made to, then using javascript would be able to effectively prevent the situation of the fight page being loaded without the top page.

As jscheuer said above, this is nearly impossible for php to detect this. You could pass a unique id, that was randomly generated each time main.php was loaded, then stored in a database. For the iframe source, "fight.php?id=1jh498cjd9dfjne9" and that would reference the database number. If they don't match, provide an error, if they do, display the page as normal.

A non-iframe thing that you might try is to include fight.php in main.php. Just chmod fight.php so that it is un-accessible to everyone, or just put it in a non-public folder.

As for a javascript solution, I recommend you check out this thread: http://www.webmasterworld.com/forum21/12046.htm
It's just the opposite, they don't want the page to be in an iframe, a simple removal of the "!" before "!=" should make it work as intended, but obviously if the user disables javascript, this won't work.

More googling made me find this:


<noscript>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com/noscriptpage.html">
</noscript>

put that in the heading and your good to go.

thanks that makes sense, i never really thought of giving javascript a try

As for a javascript solution, I recommend you check out this thread: http://www.webmasterworld.com/forum21/12046.htm
It's just the opposite, they don't want the page to be in an iframe, a simple removal of the "!" before "!=" should make it work as intended, but obviously if the user disables javascript, this won't work.

I believe that advice would simply result in an endlessly reloading page.

You need something like, on fight.php:


if(top.location.href === location.href){
location.href = 'http://www.yourdomain.com/main.php';
}

or even better:


if(top.location.href !== 'http://www.yourdomain.com/main.php'){
location.href = 'http://www.yourdomain.com/main.php';
}

This assumes that main.php isn't a default page, like index or home would be, if so, slightly more code would be required.

If there's another page in that iframe sometimes and fight.php is not the hard coded source for the iframe, you could even combine with PHP to get main.php to load fight.php in its iframe if accessed like:


if(top.location.href !== 'http://www.yourdomain.com/main.php'){
location.href = 'http://www.yourdomain.com/main.php?iframe=fight';

Use $_GET on the main.php page to determine what to use as the src attribute for the iframe:


}

John, when I tried your idea i ended up with:


Content Encoding Error

The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

* Please contact the website owners to inform them of this problem.

That was with a simple



$href=top.location.href;
echo $href;


I had the same problem trying to put $_SERVER[] requests into variables as well. Like I found this code online


<?php
$url="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
echo $url;
?>

but i continue to get the same error page.

Do I have something set up wrong? This happened in FF (not sure about other browsers) but I want the site to be available in all browsers... so whether or not its just FF doesnt really matter.

nevermind that post im being stupid and writing the script in the wrong place...

ok so javascript works... but as you said if javascript is disabled then no luck... so far i have:


echo "
<script LANGUAGE='javascript'>
<!--
if(top.location.href != 'http://example.com/example.php' && top.location.href != 'http://example.com/example.php#non'){
top.location.href = 'http://example.com/example.php';
}
-->
</script>";

So how am i now supposed to prevent people from just turning off javascript, opening the page, and clicking away?

What i have is:


<script language='javascript' type='text/javascript'>

function checkJavaScriptValidity()

{

document.getElementById(\"vischeck\").style.visibility = 'visible';
document.getElementById(\"vischeck2\").style.visibility = 'hidden';

}

</script>
<body onload='checkJavaScriptValidity()'>


and


<div id=vischeck style='visibility:hidden'>javascript on</div><div id=vischeck2 style='visibility:visible'>javascript off</div>

but people are complaining that even when they have javascript on, they still sometimes see javascript off (obviously i have all the script on the javascript on div) and i COULD just put a javascript refresh in the javascript off div but its choppy enough, i dont think everyone wants me to make it even more choppy... and it just seems really weird that people would randomly see javascript off when they have it on... so im not sure why that would happen... there just HAS to be a better way to go about this other than javascript... even though its really nice and works perfectly, people can turn it off because its not server sided... and that defeats the purpose...

if you use javascript to load the iframe, you can insure that it won't be seen (at all) if javascript is turned off.

personally, I think FSD's suggestion of using include() would work better, unless you absolutely must have the content in an iframe.

If you have PHP, just (as others are saying) make it an include instead of the not exactly standard (from the point of view of implementation), in the process of being deprecated iframe. You may even place it below the root of the domain and/or password protect it to ensure no one sees it on its own.

That said, you could have style on the page in the iframe:


body {
display: none;
}

Then after that have a script:


document.body.style.display = 'block';

Not foolproof, but they'd have to really, really want to see the page by itself, figure out that they need to turn off css and javascript, and then do so. Not likely to happen by accident as with javascript alone disabled. Except perhaps with a screen reader or a bare bones browser like lynx, but you might want the visually/software impaired to be able to "see" the page anyway.

You of course have all links and elements with attributes that point to this page marked no follow for SEO, as well as the no index header for the page itself, right?

I'd go for the include though, much cleaner.

Ok I have a new thought on the approach... if people arent able to level while fighting on the page with javascript turned off, it would defeat the purpose of turning off javascript to access the page by itself.

So everyone was saying use an include for the original page i wanted available in the iframe but not by itself... So the fight page is fight.php and the level page is level.php... level.php is included if the player has enough experience to level up... How can I make level.php not included if javascript is turned off? Or make it not work in some way? Or make level.php not be included if the URL shows fight.php instead of main.php...

Since it would be an include, it can use PHP variables declared on the 'top' page. Just make the include unavailable as I already mentioned (below the root or password protected) and add a PHP variable on the 'top' page that holds the level information and make that variable's value contingent (via a PHP if) to whether or not the include gets included.

wait using a php variable? but how will that check if javascript is turned on?

it will be somewhat like this:

main.php = iframe of fight.php
fight.php = inludes level.php
level.php = script used to level a character

you cannot access fight.php without being on main.php in your browser

if javascript is turned off... you can access fight.php outside of main.php (most of the games scripts wont be working with javascript turned off, but you can still fight and level very quickly

am i able to put javascript in main.php that allows me to access level.php, however going right to fight.php will now allow the access to level.php (through the include)

(if you have answered already, it just means im a bit confused on what you mean, i learn best through examples)

Don't use an iframe. If it's an include you can set just about anything PHP you like on the 'top' page or the include. PHP code on the include can use PHP variables determined on the 'top' page prior to the spot where it's included. Whether or not to actually include the include and/or what GET to send the include can be determined from information (PHP variables) set on the 'top' page prior to where it would be included. This is all basic PHP stuff.

But for javascript, it's easier to just use javascript. Say your include is here:


<div id="fight">
<?php include 'fight.php'; ?>
</div>

Then add the highlighted:


<div id="fight" style="display: none;">
<?php include 'fight.php'; ?>
</div>
<script type="text/javascript">
document.getElementById('fight').style.display = 'block';
</script>

Without javascript enabled, they will never see the include.

There are fine points to this that may or may not come into play. Like best to avoid putting the above code in a table. If it must be, the script part has to be outside and below the table and any other containing table. This is only an issue in IE. But believe me, it's a major issue.

This could still possibly be frustrated by a user turning off both javascript and css.

If you want to get really tricky, fetch the fight.php via AJAX. That way it cannot be fetched without javascript enabled. But if it has javascript on it, that can get quite complicated.

Or easier if possible - set a post and/or session value for javascript prior to the loading of the top page and use that. There are various schemes for doing so, like forcing the user to submit a form that has a hidden input with a value that connotes javascript that's written by javascript. Without javascript enabled they can still submit the form, but the javascript created hidden input, its name and value will not be there.

I suppose in the mean time i can just make a button invisible using css like you were saying and make it visible with javascript... i just cant believe this is such a big loophole with iframes... the way my game is set up is that players click links to change the iframe without reloading the whole page, it makes it less choppy... thats why i am inclined to use the iframes instead of includes... i could always rewrite the layout but it would just take way too long... thanks for your help

If you really want to use an iframe you could make it and everything related to it on the top page written out via javascript. That way it wouldn't even be there without javascript, example:


<script type="text/javascript">
document.write('<iframe name="fightframe" src="fight.php?level=1" width="300" height="300" scrolling="auto" frameborder="1"></iframe><br>\n');
document.write('<input type="button" value="Level 2" onclick="window.frames.fightframe.location.href = \'fight.php?level=2\';">');
</script>

On the page itself (fight.php) you could have in the head:


<noscript>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com/noscriptpage.html">
</noscript>