
I want to prevent user to see directly PHP URL in Javascript. Example :

$("#search-form").submit(function () {   // form id assumed; adjust to your markup
    var dataString = $(this).serialize(); // query string built from the form fields
    $.ajax({
        type: "POST",
        url: "search.php",
        data: dataString,
        cache: false,
        success: function (html) {
            $("#display").html(html).show();
        }
    });
    return false; // stop the normal (non-AJAX) form submit
});

Is it possible, or is there any way, to prevent the user from seeing the PHP URL when he/she views the source of my page? Sometimes a user may try to open the PHP URL directly.

Thanks for the help.

Naga Botak
  • So you mean not allowing the user to see a PHP URL? PHP is not available to the user, so even if they tried they wouldn't be able to see it. So can I assume you mean the POST variable, correct? – greduan Sep 20 '12 at 01:28
  • I assume you don't want the user to see `search.php`. It's not possible. Everything JS uses is on the client side, and once something is on the client side, you cannot hide it. – Jashwant Sep 20 '12 at 01:31
  • @EduardoLávaque no, I mean when the user wants to see the source of my page, he/she can still see the PHP URL in the source. Example in the JS in my post: search.php – Naga Botak Sep 20 '12 at 01:32
  • @Jashwant So now how can we prevent the user from opening the PHP URL directly? – Naga Botak Sep 20 '12 at 01:34
  • If your page is on a public server then anyone can get to it at any time with any parameters. It is, after all, *public*. – Peter Gluck Sep 20 '12 at 01:40
  • @NagaBotak, check my answer, that should solve your issue. – Jashwant Sep 20 '12 at 01:45

3 Answers


I (or any client) can still use any number of tools to figure it out (including the built-in debugger in 99% of the browsers built). It's not worth obfuscating it.

If you're concerned about direct access, check for an AJAX request in your script. (Still hack-able, but it's a start.) As also provided in a previous answer:

<?php

  $isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
         && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
  if (!$isAjax) die('Unauthorized access');

  /* rest of search.php */
Brad Christie
  • Yep, like Jashwant and Brad said, there isn't actually any way to hide it, and if there is then it's not perfect. :/ – greduan Sep 20 '12 at 01:37
  • Well, the problem here is that some web server configurations don't allow the HTTP_X_REQUESTED_WITH header, for security reasons: http://www.yiiframework.com/forum/index.php?/topic/4945-yiiapp-request-isajaxrequest/ – Netorica Sep 20 '12 at 01:51

OK, to make things clear:

  1. Once it's on the client side (the browser) you can't hide it. Users can still download or view the source of what is returned to the client.
  2. Obfuscating is not really needed, because you just make things complicated without protecting anything.
  3. But any server-side code (PHP) will not be shown, as it is processed on the server side and the server just returns the results of executing that code.

Well, in the case of your problem, the thing you can do is check whether the $_POST and $_GET parameters are valid when they reach your PHP code, thus making every POST and GET request valid and safe. It's somewhat like this:

<?php
  if (isset($_POST['username']) && isset($_POST['password'])) {
    // everything seems fine
    echo 'ok';
  } else {
    // someone is doing a direct access: send them back to the start page
    // (a bare header('index.php') is not a valid header; a redirect needs 'Location:')
    header('Location: index.php');
    exit;
  }
?>

or check the session to restrict your pages to logged-in users only:

<?php
  session_start(); // required before $_SESSION can be read
  if (isset($_SESSION['userid'])) {
    // everything seems fine
    echo 'ok';
  } else {
    // not logged in, or someone is doing a direct access: send them to the start page
    header('Location: index.php');
    exit;
  }
?>
Netorica
  • If I use your 2 ways, OK, now I'm logged in, and what about if I open, for example, search.php (inside maybe a query to view any data)? – Naga Botak Sep 20 '12 at 01:49
  • Well, if the PHP is requested with a valid request method and its parameters, it can still be opened. The answer of @Brad Christie is a good start, but I have encountered many problems with it because of some web server configurations that remove that header. – Netorica Sep 20 '12 at 01:54

As stated in comments,

How can we prevent the user from opening the PHP URL directly?

You should create a very long random string (token) in your PHP session and pass it to the JS AJAX function, so that it sends the token along with the AJAX request. On the server side you can check if it is the same token that was generated. You may want to expire the token soon.

I don't know if it's the standard way, but it can give you a start.

Jashwant
  • The problem with a token is that any information that you pass off to JavaScript can be easily deciphered and imitated. Even if you make a new hash for every request, the algorithm that generates that hash is also visible. Long story short, if you want it protected, don't give the user access or visibility. – Brad Christie Sep 20 '12 at 13:12
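The session token scheme from Jashwant's answer, combined with the X-Requested-With check from Brad Christie's answer, as an added example that is not code from any of the posters; the helper file name search_token.php, the session keys, the 600-second lifetime and the `searchToken` JS variable are assumptions.

```php
<?php
// search_token.php (hypothetical helper): require_once it from the page that
// embeds the search form and from search.php. Both must call session_start() first.

// Create a fresh token, keep it server-side in the session with its issue time,
// and return it so the page can print it into the JavaScript.
function issueSearchToken(): string
{
    $token = bin2hex(random_bytes(32));        // 64 hex chars from a CSPRNG
    $_SESSION['search_token'] = $token;
    $_SESSION['search_token_issued'] = time();
    return $token;
}

// True only if the session holds a token, it is younger than $maxAge seconds,
// and it equals what the client sent. Expired tokens are dropped, so a stale
// page has to be reloaded to obtain a new one.
function verifySearchToken(?string $sent, int $maxAge = 600): bool
{
    if ($sent === null
        || !isset($_SESSION['search_token'], $_SESSION['search_token_issued'])) {
        return false;
    }
    if (time() - $_SESSION['search_token_issued'] > $maxAge) {
        unset($_SESSION['search_token'], $_SESSION['search_token_issued']);
        return false;
    }
    return hash_equals($_SESSION['search_token'], $sent); // constant-time compare
}

// Call this at the top of search.php. It combines the X-Requested-With check
// from Brad Christie's answer with the token check: typing the URL into the
// address bar fails both, and a copied URL without a live token fails the second.
function guardSearchRequest(): void
{
    $isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
           && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
    if (!$isAjax || !verifySearchToken($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// In the page that embeds the form (after session_start() and the require_once):
//   $token = issueSearchToken();
//   echo '<script>var searchToken = ' . json_encode($token) . ';</script>';
// and in the $.ajax options from the question:
//   data: dataString + '&token=' + encodeURIComponent(searchToken),
// The token is still visible in the page source, so a logged-in user can replay
// it until it expires (Brad's point): this limits direct access, it does not hide the URL.
```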