
Thread: Block from URL allow from Script?

  1. #1
    Join Date
    Aug 2005
    Location
    Other Side of My Monitor
    Posts
    3,494
    Thanks
    5
    Thanked 105 Times in 104 Posts
    Blog Entries
    1

    Block from URL allow from Script?

    I have a basic-ish script I am working on and I had an idea I wanted to test out...

    okay, basically on my page I have an input box and a submit button.

    when the input box text matches the predetermined text in the script it will take you to a randomly generated file.php

    SO you are at mydomain.com/page1.php and you enter "winner" in the text box and click submit, you are taken to Hy67ge.php

    What I would like is a way (maybe htaccess?) where if you enter http://mydomain.com/Hy67ge.php you get an access denied error page instead of the actual page.

    I have tried using htaccess :

    order allow, deny
    allow from localhost
    deny from all

    but that doesn't seem to work.

    Is there a way to do this?
    {CWoT - Riddle } {Freelance Copywriter} {Learn to Write}
    Follow Me on Twitter: @InkingHubris
    PHP Code:
    $result mysql_query("SELECT finger FROM hand WHERE id=3");
    echo 
    $result

  2. #2
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    What I would like is a way (maybe htaccess?) where if you enter http://mydomain.com/Hy67ge.php you get an access denied error page instead of the actual page.
    You're missing the obvious. Simply pass the word to the script. The script can display the real page or an error message, depending on whether the word is correct.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  3. #3

    Right I have that, all of that works.

    Perhaps I didn't explain right?

    yes my code right now looks similar to this:

    Code:
    <?php
    if($_POST['id']) {
    if(($_POST['id'] == "1") && ($_POST['pass'] == "RED")) header("Location: /red/Hgyt85.php");
    else header("Location: error.php");
    } else {
    ?>
    HOWEVER, if you KNOW the file name you can go directly to it through the URL. I don't want you to be able to go to it through the URL, if you try that I want you to get the error page.

    I only want page1.php to be able to access the /red/Hgyt85.php page if you enter the correct password in the box on page1.php

    Does that make sense?

  4. #4

    It makes sense, but shows you didn't understand what I said.

    Code:
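    // POST values arrive as strings, so compare against '1'; the ternary is
    // parenthesised because "." binds tighter than "?:".
    header(
      "Location: " .
      (($_POST['id'] === '1') ?
         'http://' . $_SERVER['HTTP_HOST'] . '/red/Hgyt85.php?pass=' . $_POST['pass'] :
         'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php')
    );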
    ... then check $pass against the word on /red/Hgyt85.php.

    Oh, and the Location header should always be an absolute URL, never a relative one.
    Last edited by Twey; 06-19-2006 at 08:49 PM.

  5. #5

    Yes, you are right, I misunderstood what you were saying. Got it now, I will test this out in a few!



    Quote Originally Posted by Twey
    Oh, and the Location header should always be an absolute URL, never a relative one.

    Yes, I know.. I have seen Mike smack you around for this very thing a few times

  6. #6

    Lol, I'm sure it was only twice.

  7. #7

    Okay, first off, thank you for pointing out that I SUCK at php..

    with that out of the way...

    Here is what I have (using your posted code and what I had)

    the complete script:

    Code:
    <?php
    if($_POST['id']) {
    if(($_POST['id'] == "1") && ($_POST['pass'] == "RED")) header(
      "Location: " .
      ($_POST['id'] === 1) ?
         'http://' . $_SERVER['HTTP_HOST'] . '/red/index.php?pass=' $_POST['pass']:
         'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
    );
    else if(($_POST['id'] == "4") && ($_POST['pass'] == "GREEN")) header(
      "Location: " .
      ($_POST['id'] === 4) ?
         'http://' . $_SERVER['HTTP_HOST'] . '/green/index.php?pass=' $_POST['pass']:
         'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
    );
    else if(($_POST['id'] == "2") && ($_POST['pass'] == "BLUE")) header(
      "Location: " .
      ($_POST['id'] === 2) ?
         'http://' . $_SERVER['HTTP_HOST'] . '/blue/index.php?pass=' $_POST['pass']:
         'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
    )
    else if(($_POST['id'] == "3") && ($_POST['pass'] == "YELLOW")) header(
      "Location: " .
      ($_POST['id'] === 3) ?
         'http://' . $_SERVER['HTTP_HOST'] . '/yellow/index.php?pass=' $_POST['pass']:
         'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php'
    );
    else header("Location: index.php");
    } else {
    ?>
    Now, I know it isn't going to work straight out of the box... but I am failing to see where I am wrong... besides the vain attempt at this in the first place..

    I get this error:

    Parse error: syntax error, unexpected T_VARIABLE in /rel/path/to/index.php on line 6

    So where am I wrong and what do I do to fix it? Am I just being stupid? Go ahead, tell me how obvious it is...

  8. #8

    I missed a dot. I edited it above, and considered posting to point the fact out, but decided against it, and hoped you'd remember how famously untested all my code is and not copy-and-paste it.
    Your code can be vastly simplified using an array, and you should always use isset() to check for undefined variables.
    Code:
    <?php
    if(isset($_POST['id'])) {
      $p = array(
        array('RED', '/red/index.php'),
        array('BLUE', '/blue/index.php'),
        array('YELLOW', '/yellow/index.php'),
        array('GREEN', '/green/index.php')
      );
      if(!isset($p[$_POST['id'])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php");
      if($_POST['pass'] === $p[$_POST['id']][0])
        header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id'][1] . '?pass=' . $_POST['pass']);
      else
        header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php');
    } else {
    ?>

  9. #9

    Well thank you for not pointing out that I missed a dot.. oh wait... nevermind...

    Yes I know your codes are not always tested and when I have used them I can usually spot the error with the help of those error lines... but I couldn't this time because I have not ever used the 'http://' . $_SERVER['HTTP_HOST'] blahblah type URI before, so I couldn't tell you what was missing or needed.

    I also figured I could simplify the code, and WAS going to get around to that.

    This is my first ever self written code (to this point) that actually worked. I didn't want to touch it, till everything I needed was in there and working, LOL.

    Thanks again though, I will look at this array thing and the isset() whatever... I have some reading to do

    <EDIT>
    OKAY NOW I CAN LAUGH

    The untested code above was missing a few things... well 2... I figured you were testing me, so I am reposting the 'correct' code here:

    Code:
    <?php
    if(isset($_POST['id'])) {
      $p = array(
        array('RED', '/red/index.php'),
        array('BLUE', '/blue/index.php'),
        array('YELLOW', '/yellow/index.php'),
        array('GREEN', '/green/index.php')
      );
      if(!isset($p[$_POST['id']])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php");
      if($_POST['pass'] === $p[$_POST['id']][0])
        header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id']][1] . '?pass=' . $_POST['pass']);
      else
        header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/error.php');
    } else {
    ?>
    Those 2 in red are what was missed. So I added them and uploaded the test page, and now it works... only it is working...kinda...


    Now when I put the red/index.php in the address bar, I go to the page, but when I use the input box on the page I go to the error page, LMAO... just a tad backwards from what I was wanting.

    I am looking over the code with a sharp eye now and will see if I can fix it on my own! hahahahhaa
    Last edited by BLiZZaRD; 06-19-2006 at 11:43 PM.

  10. #10

    Okay this is weird, and confusing me a bit.

    I haven't changed anything yet (and am double posting because the last post is already so long)

    I had my id= off by one, but that was easy to fix.. I had them numbered 1-4 and renumbered 0-3 so the answers being off by one, and the green not working at all is fixed.

    So now here is where I am:

    The code works, and the simple form is smaller and less obtrusive, so that is nice.

    we will use the red box (id=0) for the examples:

    If I am on http://mydomain.com/index.php (this is where the 4 input boxes are)

    and I enter RED in the top box and click the button, I go to http://mydomain.com/red/index.php YAY!! Just like it is supposed to!

    However.... If I am at http://mydomain.com/index.php and I manually replace the index.php with /red/index.php I go to /red/index.php instead of the error.php

    If I enter the wrong answer in the box I go to error.php

    SOOOO... everything works, except preventing direct URL access...

    so I am right back where I was, except I have a cleaner code
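
The thread ends with direct URL access still open because nothing on /red/index.php itself checks the request. As an added example (not code from the thread), the block below puts the check on the protected page and records a correct answer in the session instead of the `?pass=` query string, which goes beyond what the posts suggest. The file name gate.php, the function names and an error.php at the site root are assumptions.

```php
<?php
// gate.php: hypothetical shared include; added example, not code from the thread.

// Word and target per form id, numbered 0-3 as in the thread's array version.
const GATES = [
    ['RED',    '/red/index.php'],
    ['BLUE',   '/blue/index.php'],
    ['YELLOW', '/yellow/index.php'],
    ['GREEN',  '/green/index.php'],
];

// Form handler side: returns the unlocked path, or null for a wrong id or word.
function unlock(array $post, array &$session): ?string
{
    $id   = $post['id']   ?? null;
    $pass = $post['pass'] ?? null;
    // Reject missing or array-valued fields (e.g. pass[]=x) before comparing.
    if (!is_string($id) || !ctype_digit($id) || !is_string($pass)) {
        return null;
    }
    $gate = GATES[(int) $id] ?? null;
    if ($gate === null || !hash_equals($gate[0], $pass)) {
        return null;
    }
    // Remember the success server-side; the word never goes into a URL.
    $session['unlocked'][$gate[1]] = true;
    return $gate[1];
}

// Protected page side: true only if this session unlocked this exact path.
function may_view(string $path, array $session): bool
{
    return ($session['unlocked'][$path] ?? false) === true;
}

// Send an absolute redirect and stop, so nothing after it is executed or sent.
function redirect_and_exit(string $path): void
{
    header('Location: http://' . $_SERVER['HTTP_HOST'] . $path);
    exit;
}

// index.php (form handler), after session_start():
//   redirect_and_exit(unlock($_POST, $_SESSION) ?? '/error.php');
// /red/index.php, first lines, after session_start():
//   if (!may_view('/red/index.php', $_SESSION)) redirect_and_exit('/error.php');
```

Typing /red/index.php into the address bar without first answering the form leaves `$_SESSION['unlocked']` empty, so `may_view()` returns false and the request is redirected before any page content is sent.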
