0

I have an index.php that includes pages like this:

<?php

define('MyConst', TRUE);

include_once('template/header.php');

if (!empty($_GET['action'])) {  
    $action = $_GET['action'];   
    $action = basename($action);   
    include("template/$action.php");   
} else { 
    include("template/main.php"); 
} 

include_once('template/footer.php'); 

?>

Within the template directory I have main.php, which has links to other pages like page1.php and page2.php.

<a href="?action=page1">Goto page 1</a>
<a href="?action=page2">Goto page 2</a>

How could I prevent users from accessing pages by directly typing "http://mydomain.com/?action=page1" in the URL? And redirect them to main.php if they have done it?

MahiloDai

6 Answers

1

You cannot. What you want is simply not possible.

For the server side there is no way to know whether a URL is typed or clicked.

PeeHaa
  • This is actually the correct answer (ignoring the possibility of checking the referer, which can be forged.) – Pekka Sep 26 '13 at 12:46
  • Not my downvote, but I think what the OP wants (in spirit, if not the letter) could be done by generating random IDs when outputting the links in his template. Whether all this is necessary at all is a different question of course - this smells like an XY question – Pekka Sep 26 '13 at 12:50
  • I thought about CSRF token for a moment. But I didn't think that was what OP was after. Then again who knows ;) – PeeHaa Sep 26 '13 at 12:51
1

If I understand correctly, what you want is to prevent the user from accessing http://example.org/?action=page1 unless they came from http://example.org/?action=main. To do that, you must be able to detect whether they came from http://example.org/?action=main. The safest way to do that is to generate some random value that you associate with the users when they access http://example.org/?action=main and to check whether there is a correct value associated with the users when they want to access http://example.org/?action=page1. If not, they tried to access that page directly.

Abrixas2
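The random-value approach from the answer above (and the "random IDs" idea in Pekka's comment), written out as an added example; it is not code from any poster. The function names, the `nav_token` session key and the `token` query parameter are assumptions made for illustration.

```php
<?php
// Added example. All names here (issue_nav_token, check_nav_token,
// resolve_action, 'nav_token', 'token') are hypothetical.

// Called while rendering main.php: create a fresh random value, remember it
// server-side, and return it so it can be embedded in the links.
function issue_nav_token(array &$session): string
{
    $session['nav_token'] = bin2hex(random_bytes(16));
    return $session['nav_token'];
}

// Called in index.php before including template/$action.php.
// Returns true only if the request carries the value issued to this session.
function check_nav_token(array &$session, array $query): bool
{
    $expected = $session['nav_token'] ?? null;
    $supplied = $query['token'] ?? null;
    unset($session['nav_token']);             // single use: a copied URL stops working
    return is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Pick the template name to include; a request without a valid token gets main.
function resolve_action(array &$session, array $query): string
{
    if (empty($query['action']) || !is_string($query['action'])) {
        return 'main';
    }
    return check_nav_token($session, $query) ? basename($query['action']) : 'main';
}

// Constructed demo for the CLI; the arrays stand in for $_SESSION and $_GET.
if (PHP_SAPI === 'cli') {
    $session = [];
    $token = issue_nav_token($session);
    echo '?action=page1&token=' . urlencode($token), PHP_EOL;  // link main.php would print
    // Link followed from main:
    var_dump(resolve_action($session, ['action' => 'page1', 'token' => $token]));
    // Same URL requested a second time:
    var_dump(resolve_action($session, ['action' => 'page1', 'token' => $token]));
    // URL typed without a token:
    var_dump(resolve_action($session, ['action' => 'page1']));
}
```

In index.php, call session_start() first and pass $_SESSION and $_GET to these functions. A valid token shows only that this session was recently served main.php, so it is a navigation check and not an authorization control.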
0

Check for HTTP_REFERER and if it is not pointing to the right values (like your menu page) then redirect the user.

Marcin Orlowski
0

Maybe you can try this. In your index.php:

session_start();
if(! isset($_GET['action']))
{
   $_SESSION['pageAccess'] = true; # Set the key whatever you want
}

Then, under that script (we need that session_start() used twice):

if(isset($_GET['action']))
{
  if(! isset($_SESSION['pageAccess']) || ! $_SESSION['pageAccess'])
     exit('There is no direct access allowed.');
}

Hope this helps, have a nice day.

Anggie Aziz
0

As per your Question:

There are two approaches that you can follow:

  1. Use HTTP_REFERER and check on the desired page whether the user is coming from the page you wanted. If he is accessing the URL directly, then show him an error page.
  2. Use $_SESSION, but this approach can be harmful as the SESSION will always be there until the browser / instance is closed.

So it is better to go for the 1st approach. And also, as per PeeHaa, you cannot check if the URL is typed.

Gags
0

You can redirect to your domain home if 'HTTP_REFERER' does not include your server:

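<?php
    // Avoid direct URL access
    // The Referer header is optional, so default to an empty string when it is absent
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if (strpos($referer, 'yourdomain.com') !== FALSE) {
        // Your code
    } else {
        echo '<meta http-equiv="Refresh" content="0; url=https://yourdomain.com" />';
        die();
    }
?>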
Extrange planet