Block from URL allow from Script?

I have a basic-ish script I am working on and I had an idea I wanted to test out...

okay, basically on my page I have an input box and a submit button.

when the input box text matches the predetermined text in the script it will take you to a randomly generated file.php

SO you are at mydomain.com/page1.php and you enter "winner" in the text box and click submit, you are taken to Hy67ge.php

What I would like is a way (maybe htaccess?) where if you enter http://mydomain.com/Hy67ge.php you get a access denied error page instead of the actual page.

I have tried using htaccess :

order allow, deny
allow from localhost
deny from all

but that doesn't seem to work.

Is there a way to do this?

Quote:

---

What I would like is a way (maybe htaccess?) where if you enter http://mydomain.com/Hy67ge.php you get a access denied error page instead of the actual page.

---

You're missing the obvious :) Simply pass the word to the script. The script can display the real page or an error message, depending on whether the word is correct.

Right I have that, all of that works.

Perhaps I didn't explain right?

yes my code right now looks similar to this:

Code:

---

<?php
if($_POST['id']) {
if(($_POST['id'] == "1") && ($_POST['pass'] == "RED")) header("Location: /red/Hgyt85.php");
else header("Location: error.php");
} else {
?>

---

HOWEVER, if you KNOW the file name you can go directly to it through the URL. I don't want you to beable to go to it through the URL, if you try that I want you to get the error page.

I only want page1.php to beable to access the /red/Hgyt85.php page if you enter the correct password in the box on page1.php

Does that make sense?

It makes sense, but shows you didn't understand what I said :)

Code:

---

header(
  "Location: " .
  ($_POST['id'] === 1) ?
    'http://' . $_SERVER['HTTP_HOST'] . '/red/Hgyt85.php?pass=' . $_POST['pass']:
    'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
);

---

... then check $pass against the word on /red/Hgyt85.php.

Oh, and the Location header should always be an absolute URL, never a relative one.

Yes, you are right, I misunderstood what you were saying. Got it now, I will test this out in a few!

Quote:

---

Originally Posted by Twey

Oh, and the Location header should always be an absolute URL, never a relative one.

---

Yes, I know.. I have seen Mike smack you around for this very thing a few times :D

Lol, I'm sure it was only twice. :p

Okay, first off, thank you for pointing out that I SUCK at php..

with that out of the way...

Here is what I have (using your posted code and what I had)

the complete script:

Code:

---

<?php
if($_POST['id']) {
if(($_POST['id'] == "1") && ($_POST['pass'] == "RED")) header(
  "Location: " .
  ($_POST['id'] === 1) ?
    'http://' . $_SERVER['HTTP_HOST'] . '/red/index.php?pass=' $_POST['pass']:
    'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
);
else if(($_POST['id'] == "4") && ($_POST['pass'] == "GREEN")) header(
  "Location: " .
  ($_POST['id'] === 4) ?
    'http://' . $_SERVER['HTTP_HOST'] . '/green/index.php?pass=' $_POST['pass']:
    'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
);
else if(($_POST['id'] == "2") && ($_POST['pass'] == "BLUE")) header(
  "Location: " .
  ($_POST['id'] === 2) ?
    'http://' . $_SERVER['HTTP_HOST'] . '/blue/index.php?pass=' $_POST['pass']:
    'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
)
else if(($_POST['id'] == "3") && ($_POST['pass'] == "YELLOW")) header(
  "Location: " .
  ($_POST['id'] === 3) ?
    'http://' . $_SERVER['HTTP_HOST'] . '/yellow/index.php?pass=' $_POST['pass']:
    'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
);
else header("Location: index.php");
} else {
?>

---

Now, I know it isn't going to work straight out of the box... but I am failing to see where I am wrong... besides the vein attempt at this in the first place..

I get this error:

Parse error: syntax error, unexpected T_VARIABLE in /rel/path/to/index.php on line 6

So where am I wrong and what do I do to fix it? Am I just being stupid? Go ahead, tell me how obvious it is...

I missed a dot :) I edited it above, and considered posting to point the fact out, but decided against it, and hoped you'd remember how famously untested all my code is and not copy-and-paste it. :p
Your code can be vastly simplified using an array, and you should always use isset() to check for undefined variables.

Code:

---

<?php
if(isset($_POST['id'])) {
  $p = array(
    array('RED', '/red/index.php'),
    array('BLUE', '/blue/index.php'),
    array('YELLOW', '/yellow/index.php'),
    array('GREEN', '/green/index.php')
  );
  if(!isset($p[$_POST['id'])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php");
  if($_POST['pass'] === $p[$_POST['id']][0])
    header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id'][1] . '?pass=' . $_POST['pass']);
  else
    header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php');
} else {
?>

---

Well thank you for not pointing out that I missed a dot.. oh wait... nevermind...

Yes I know your codes are not always tested and when I have used them I can usually spot the error with the help of those error lines... but I couldn't this time because I have not ever used the 'http://' . $_SERVER['HTTP_HOST'] blahblah type URI before, so I couldn't tell you what was missing or needed.

I also figured I could simplify the code, and WAS going to get around to that.

This is my first ever self written code (to this point) that actually worked. I didn't want to touch it, till everything I needed was in there and working, LOL.

Thanks again though, I will look at this array thing and the isset() whatever... I have some reading to do :D

<EDIT>
OKAY NOW I CAN LAUGH

The untested code above was missing a few things... well 2... I figured you were testing me, so I am reposting the 'correct' code here:

Code:

---

<?php
if(isset($_POST['id'])) {
  $p = array(
    array('RED', '/red/index.php'),
    array('BLUE', '/blue/index.php'),
    array('YELLOW', '/yellow/index.php'),
    array('GREEN', '/green/index.php')
  );
  if(!isset($p[$_POST['id']])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php");
  if($_POST['pass'] === $p[$_POST['id']][0])
    header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id']][1] . '?pass=' . $_POST['pass']);
  else
    header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php');
} else {
?>

---

Those 2 in red are what was missed. So I added them and uploaded the test page, and now it works... only it is working...kinda...


Now when I put the red/index.php in the address bar, I go to the page, but when I use the input box on the page I go to the error page, LMAO... just a tad backwards from what I was wanting.

I am looking over the code with a sharp eye now and will see if I can fix it on my own! hahahahhaa

Okay this is weird, and confusing me a bit.

I haven't changed anything yet (and am double posting because the last post is already so long)

I had my id= off by one, but that was easy to fix.. I had them numbered 1-4 and renumbered 0-3 so the answers being off by one, and the green not working at all is fixed.

So now here is where I am:

The code works, and the simple form is smaller and less obtrusive, so that is nice.

we will use the red box (id=0) for the examples:

If I am on http://mydomain.com/index.php (this is where the 4 input boxes are)

and I enter RED in the top box and click the button, I go to http://mydomain.com/red/index.php YAY!! Just like it is supposed to!

However.... If I am at http://mydomain.com/index.php and I manually replace the index.php with /red/index.php I go to /red/index.php instead of the error.php

If I enter the wrong answer in the box I go to error.php

SOOOO... everything works, except preventing direct URL access...

so I am right back where I was, except I have a cleaner code :D

Quote:

---

The untested code above was missing a few things... well 2... I figured you were testing me

---

Er... yes. Yes, of course. :p

I'm evidently tired (it's 0100 here). Here's the one that works:

Code:

---

<?php if(isset($_POST['id'])) {
  $p = array(
    1 => array('RED', '/red/index.php'),
    2 => array('BLUE', '/blue/index.php'),
    3 => array('YELLOW', '/yellow/index.php'),
    4 => array('GREEN', '/green/index.php')
  );
  if($_POST['pass'] === $p[$_POST['id']][0])
    header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id']][1] . '?pass=' . $_POST['pass']);
  else
    header('Location: http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php');
} else { ?>

---

Nonono. The pages you're redirecting to must also check that the password is correct! It will be available as a GET variable.

Quote:

---

Originally Posted by Twey

Nonono. The pages you're redirecting to must also check that the password is correct! It will be available as a GET variable.

---

I have the code on ALL pages, all are exactly the same right now for testing...

I tried your new one, and the input boxes didn't work at all, LOL it kept refreshing the same page, but never left index.php...

:confused:

The code above goes on the redirecting page. On the pages to be redirected TO, you'd do something like:

Code:

---

if(!isset($_GET['pass']) || $_GET['pass'] !== "RED")
  header('Location: http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php');

---

And you still haven't answered: why does this all have to be on different pages?

OHHH I get it.. okay, that makes sense. I will give that a try.

answering your question: This is just a little fun project I am trying to make. I will have many pages, and each page will link to another (using this script we have been working on), and eaach to another 4 and so on and so on...

The layout for each is the same, so I am trying to get a template that will work and then all I will change is the password variable on each.

This is why I was wondering if there was a htaccess or similar something I could do so I wouldn't have to put all that code on each page.

Either way, once I have a working one it's all just copy/paste/edit to fit.

Quote:

---

This is why I was wondering if there was a htaccess or similar something I could do so I wouldn't have to put all that code on each page.

---

This is why we seperate content, logic, and design. I like to do something like this:

Code:

---

<?php

session_start();

define('BASE_PATH', 'http://80.4.194.222/tcc/');

require_once("includes/functions.inc.php");

ob_start();
require_once("includes/header.inc.php");
$header = ob_get_clean();

$parm = "";

$conn = mysql_pconnect("localhost", "twey_tcc", "dbaccess14*");
mysql_select_db("twey_tcc");

// module-selection stuff, removed for brevity

ob_start();
require_once("includes/sidebar.inc.php");
$footer = ob_get_clean();

ob_start();
require_once("includes/footer.inc.php");
$footer = ob_get_clean();

if(!isset($forum)) require("includes/template.inc.php");
?>

---

That's an example directly lifted from the site I've been working on, so it's got more cruft than is strictly necessary, but you get the idea. template.inc.php simply contains:

Code:

---

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<!--
Copyleft: Any portion of this site may be copied, modified, or redistributed, for free or for profit, by any means possible, with the stipulations that:
        a) credit is given to me, Twey, the author;
        b) this license also applies to any derivative works.
 -->
<html>
        <head>
                <title>
                        twey.co.uk :: <?php echo($cat); ?> :: <?php echo($title); ?>
                </title>
                <link rel="stylesheet" type="text/css" href="style.css.php">
                <!--[if IE]><link rel="stylesheet" type="text/css" href="iehacks.css.php"><![endif]-->
        </head>
        <body>
                <div id="corner">
                        <p id="logocontainer">
                                <a href="#content"><img src="images/invisible.gif" alt="Skip to content" style="border: 0 none;"></a>
                                <img src="images/logo.png" id="logo" alt="Twey's Logo">
                        </p>
                </div>
                <div id="header">
                        <?php echo($header); ?>
                </div>
                <div id="sidebar">
                        <?php echo($sidebar); ?>
                </div>
                <div id="content">
                        <h2><a href="?q=catdisp&amp;c=<?php echo($catrow['id']); ?>"><?php echo($cat); ?></a><span style="font-size: 150%;"> :: </span><?php echo($title); ?> ( <?php echo($parm); ?> ) ;</h2>
                        <?php echo($content); ?>
                </div>
                <div id="footer">
                        <?php echo($footer); ?>
                </div>
        </body>
</html>

---

interesting.

making a mental difference between logic, design, and content.. what a novel approach... I may have to try that one day :D

Quote:

---

what a novel approach... I may have to try that one day :D

---

Lol, ouch! How do you survive copying and pasting all that code between pages? :p

Well normally because of the nature of my site almost every page is identical (in coding) so I make one page, then upload it to the server, then rename and upload, then rename upload... just changing the small bits that need changing as I go..

I don't do 400 pages a day, more like 3 or 4 so it's not so bad, LOL

Everything I know I have basically taught myself (through trial and error, not so much books and lessons), so when something works I usually stick with it :D

But what if you need to change something on, say, 200 of those 400 pages? AH!

Then I come here and go "TWEYYYYYYYYYY I NEED HELP!!!!!!!"

Then pour a cup of coffee and wait for a response.

LMAO!