7

I want to make my PHP page only accessible from another page redirect and prevent my user from accessing it directly.

I mean, let's say I have a page called "main.php" and another PHP file that I want to prevent direct access to, called "noaccess.php".

I want to make noaccess.php accessible only if I redirect from main.php

Any suggestions?

UPDATE: Session is a good idea, but the problem is I have to use JavaScript to redirect the page, so the question is, can I use AJAX to set a PHP session?

UPDATE 2: OK, I found the solution. I don't need to prevent direct access now, as I can check from MySQL whether the page needs to be accessible or not.

Jai Chauhan
Utku Dalmaz

10 Answers

9

What if every time you were going to redirect you saved a value in the $_SESSION variable? So you have

//code
session_start();
$_SESSION['fromMain'] = "true";
header("Location: noaccess.php");
exit;

Then in noaccess.php put

session_start();
//anything other than "true" (including a missing value) means they did not come from main
if(!isset($_SESSION['fromMain']) || $_SESSION['fromMain'] !== "true"){
   //send them back
   header("Location: foo.php");
   exit;
}
else{
   //reset the variable
   $_SESSION['fromMain'] = "false";
}

I really don't know if this would work or not, but this is what I would try off the top of my head.

user299416
  • Oh man, I forgot to mention, I have to use JavaScript to redirect the page, so how will I start the session :( ? Can I use AJAX to start a session? – Utku Dalmaz Apr 06 '10 at 20:27
  • 1
    Not sure. I always have a config file that has session_start() in it and then I include_once("config.php") in every page so then I don't have to bother with it. I suppose you could make an ajax call to a php file with session_start() in it and see if it works. – user299416 Apr 06 '10 at 20:33
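
One way to do the session hand-off discussed above when the redirect is done in JavaScript, as an added example that is not code from the thread: main.php (or an endpoint it calls via AJAX) stores a short-lived, single-use ticket in the session, and noaccess.php redeems it. The names `issue_ticket`, `redeem_ticket`, `noaccess_ticket`, the `t` query parameter and the 30-second lifetime are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The session array is passed in so the
// logic runs from the CLI; in a web app call session_start() and pass $_SESSION.

const TICKET_TTL = 30; // seconds a ticket stays valid (assumed value)

// main.php (or a small endpoint its JavaScript calls via AJAX) issues a ticket,
// then the script redirects to noaccess.php?t=<ticket>.
function issue_ticket(array &$session, int $now): string
{
    $ticket = bin2hex(random_bytes(16));
    $session['noaccess_ticket'] = ['value' => $ticket, 'expires' => $now + TICKET_TTL];
    return $ticket;
}

// noaccess.php calls this first, e.g. with ($_SESSION, $_GET['t'] ?? null, time()).
// On false it should send header('Location: main.php') and exit.
function redeem_ticket(array &$session, ?string $presented, int $now): bool
{
    $stored = $session['noaccess_ticket'] ?? null;
    unset($session['noaccess_ticket']); // single use: consumed on every attempt
    if (!is_array($stored) || $presented === null) {
        return false; // nothing was issued, or no ticket presented: direct access
    }
    if ($now > $stored['expires']) {
        return false; // issued, but too long ago
    }
    return hash_equals($stored['value'], $presented);
}

// Constructed walk-through with a fake session and fake clock.
$session = [];
$t0 = 1000;
$cases = [];
$cases['direct hit, no ticket issued'] = redeem_ticket($session, null, $t0);
$ticket = issue_ticket($session, $t0);
$cases['redirect right after issue'] = redeem_ticket($session, $ticket, $t0 + 5);
$cases['reload with the same ticket'] = redeem_ticket($session, $ticket, $t0 + 6);
$ticket = issue_ticket($session, $t0);
$cases['ticket used after expiry'] = redeem_ticket($session, $ticket, $t0 + TICKET_TTL + 1);
issue_ticket($session, $t0);
$cases['wrong ticket value'] = redeem_ticket($session, 'not-the-ticket', $t0 + 1);

foreach ($cases as $label => $allowed) {
    echo str_pad($label, 32), $allowed ? 'allowed' : 'redirect to main.php', PHP_EOL;
}
```

The ticket only shows that the same session loaded main.php shortly before; it does not identify the user, so pages that need authorization still need a login check.
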
6

try this

if (!isset($_SERVER['HTTP_REFERER'])) {
   echo "uh?";
}
else {
   // The script
}
Jaydev
  • Not a reliable solution according to this http://stackoverflow.com/questions/6023941/how-reliable-is-http-referer and this http://stackoverflow.com/questions/8319862/can-i-rely-on-referer-http-header – atzol Jul 16 '16 at 16:18
3

I think you're probably coming at the problem from the wrong direction, but if you really want to implement this I'd most likely do it with a session variable. Just have main.php set a flag indicating that they're now able to access noaccess.php and then redirect there. noaccess.php checks for the flag, and only functions if it's been set.

Chad Birch
1

I know this has already been answered. Although the answers are good, I was just facing the same situation so I thought I would put my two bits in.

I would not use HTTP_REFERER. It is not reliable and not every browser even shows it.

I would not use a session variable as that is stateful and you will have to write more lines of code to check it on every request, leading to unnecessary bloat.

Ideally I would create a controller class with two functions, main and no access.

Or if you don't want to go through that trouble, I would create a variable which is globally accessible in noaccess.php with a simple true/false.

This is what I would do:

class Access{

    protected $access = false;

    public function main(){
        //Authenticate and set
        include_once 'main.php';
        $this->access = true;
    }

    public function noAccess(){
        if($this->access === true){
            include_once 'noaccess.php';
        }else{
            header('location: main.php');
            exit;
        }
    }
}

Or if you don't want to go through that trouble, you could create a simple function or set a simple variable which is accessible from noaccess.php:

//main.php
$access = false;

header('location: noaccess.php');

//noaccess.php
include 'main.php';
if($access){
    //Continue
}else{
    header('location: main.php');
}

I'm sure you could simplify this, but this would be the simplest and safest approach rather than relying on server variables. I would not use a $_SESSION or $_POST as that means unnecessarily posting a form when all you want to do is secure access.

1

To prevent access to pages, the best practice is to use session variables, say $_SESSION['username'] and $_SESSION['password'], to check against your database table record (assuming your table name is "users" with the fields 'username' and 'password') in order for users to gain access to the page; else they are redirected to the login page for them to supply the correct username and password through the input field.

Below is an anatomy of Preventing Direct Access to a PHP Page.

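session_start();

// $db is assumed to be an open mysqli connection (the original answer does not show one);
// the removed mysql_query() call is replaced with a prepared statement so the
// session values are never concatenated into the SQL text
$stmt = $db->prepare("select * from users where username = ? and password = ?");
$stmt->bind_param("ss", $_SESSION['username'], $_SESSION['password']);
$stmt->execute();
$result = $stmt->get_result();

// a query that runs but matches no row must not count as a login
if ($result && $result->num_rows > 0)
{
    echo "Your login was successful.."; // the page you want to go to if login successful
}
else
{
    header("Location:index.php?action=login"); // any page you want to return to if log in failed
    exit;
}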
Jai Chauhan
Okwo moses
0

You can use $_SERVER["HTTP_REFERER"]. Put the following code in the beginning of your PHP file and set $url to be equal to your desired URL, for example http://a.com/main.php

// the header is absent on direct requests, so default it to an empty string
if (($_SERVER['HTTP_REFERER'] ?? '') != $url) {
    header('Location: noaccess.php');
    exit();
}
Ivo Sabev
0

Why not to just include instead of redirect?

Your Common Sense
0

The other folks are right, there are issues with $_SERVER["HTTP_REFERER"], so I guess the best way will be to have a variable set into a $_SESSION or $_POST and you will need to check if that variable exists; if not, it means it is a direct access.

Ivo Sabev
0

You tried on this Iva. Below is the code that works:

$url = 'your-url-which-you-do-not-what-direct access';

// the header is absent on direct requests, so default it to an empty string
if (($_SERVER['HTTP_REFERER'] ?? '') == $url) {
  header('Location: otherurl.php'); //redirect to some other page
  exit();
}

Ensure this appears at the top of the page where you do not want direct access to.

Mark Chorley
GuruCoder
0

I think I am late to answer this but my way would be

<?php
$page = basename($_SERVER['PHP_SELF']); // gets the current script's file name
if ($page == "nonaccesspage.php") { // any page you don't want to be accessed directly
    header('Location:index.php');
    exit;
} else if ($page == "nonaccesspage2.php") { // page 2 which is not accessible
    header('Location:index.php');
    exit;
}
?>

If you want to authorize the user for accessing the page (I mean there is a page which is not included but can be accessed with the URL) just use $_POST or $_SESSION for authorizing the user with ID and password or something like that.

Mohammed Khurram