4

I don't want to allow people to go directly to the pages in the AJAX directory, but they still need to be served from their parent page. I have tried numerous .htaccess lines but they all block it from the main page as well. To sum up, I don't want people to be able to type in http://www.mysite.com/AJAX/page1.html and view it, but page1.html needs to be brought into its parent page via AJAX.

<LIMIT GET POST>
Order deny,allow
deny from all
</LIMIT>

blocks all access

Can you define a flag in the parent file define('IS_IN_SCRIPT',1); and check for it in the AJAX pages? Will that work with AJAX pages or only PHP includes?

Dirty Bird Design

3 Answers

3

Determining Referer in PHP

Check if $_SERVER['HTTP_REFERER'] is in your domain (or a list of acceptable domains)

Then redirect if not.

if (!empty($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'yourdomain.com') !== false) 
  { echo 'probably from your own site'; }
Community
jcolebrand
1

You could always set up something so that if a particular argument isn't passed in via GET or POST, the ajax page will just redirect you elsewhere.

In php, it'd look like

if (!isset($_POST['some_var'])) {
  header('Location: somePage.html');
  exit; // stop here so the rest of the page is not sent along with the redirect
}
Sam Dufel
  • How would I add that here? $("ul#yearMenu li a").live('click',function(e) { e.preventDefault(); var $parent = $(this).parent(); $parent.addClass("selected").siblings().removeClass("selected"); var href = $(this).attr('href'); $("#tableContent").load(href); }); – Dirty Bird Design Oct 27 '10 at 02:19
  • Oh, I was thinking that it'd be better to do the check in php or some other server-side language. It's iffy trying to read post/get arguments from javascript. – Sam Dufel Oct 27 '10 at 02:25
  • So would my scheme of adding the header to the main page and checking for it on the AJAX pages be appropriate? I'm calling the pages via the jQuery .load function – Dirty Bird Design Oct 27 '10 at 02:26
  • Can you help me a little more with the code? on the parent page I would have and on the AJAX pages would have correct? – Dirty Bird Design Oct 27 '10 at 02:50
  • I have it working to where if you hit the AJAX page URL directly it redirects, but it's not bringing in the AJAX page when you click the link now – Dirty Bird Design Oct 27 '10 at 02:54
  • 1
    Ah, no - to set the post variable, you have to send it via your ajax function - if it's easier, you can just use a GET instead and append a ?fo0=something to the end of the url of the ajax file – Sam Dufel Oct 27 '10 at 20:56
0

zoe_daemon

You need a "linker" file to open a private file from the parent page via AJAX.

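<?php
//begin linker.php
/* This is a simple "linker" file to open a private file in the folder named
   "private" from the parent page via AJAX. */
$link = isset($_GET["link"]) ? $_GET["link"] : "";
// Accept a bare file name only, so the included path always stays inside ../private/
if (!preg_match('/^[A-Za-z0-9_-]+$/', $link) || !is_file("../private/$link.php")) {
    header("HTTP/1.1 404 Not Found");
    exit;
}
include "../private/$link.php";
//end linker.php
?>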

Then, each file in the "private" folder needs to check that the request URI does not contain the string "private"; a URI that does is not valid, because it comes from a user who wants to access the private file directly. For example, "login.php" inside the folder named "private" cannot be accessed directly if you put this code before the operational code you want to run:

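<?php
//begin login.php
$count = 0;
// str_replace() is used only for its match count: $count ends up as the
// number of times the directory name occurs in the request URI
$test = str_replace("name_of_directory_cannot_directly", "dummy_string", $_SERVER['REQUEST_URI'], $count); //or
if ($count > 0) {
    die("Ooouuuppppsss, you cannot access this file directly");
}
/*
//your code here....
*/
//end login.php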
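
The flag idea from the question, carried across separate AJAX requests, as an added example that is not code from any of the posts: a define() lasts for one request only, so the parent page stores a random token in the session and sends it with the jQuery .load() call (passing an object as the second argument makes .load() use POST), and each fragment checks it. It assumes PHP 7+ and fragments served as PHP files; the names issue_fragment_token, fragment_request_allowed and frag_token are made up for this illustration.

```php
<?php
// Added example. Function names and the "frag_token" key are assumptions,
// not part of the thread or of any library.

// Parent page: create (once per session) the random token fragments will require.
function issue_fragment_token(array &$session): string
{
    if (empty($session['frag_token'])) {
        $session['frag_token'] = bin2hex(random_bytes(16));
    }
    return $session['frag_token'];
}

// Fragment page: true only when the request carries the token that is
// stored in this visitor's session.
function fragment_request_allowed(array $session, array $post): bool
{
    $expected = $session['frag_token'] ?? '';
    $supplied = $post['frag_token'] ?? '';
    return is_string($supplied)
        && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Wiring on a real site:
//   parent page:   session_start(); $token = issue_fragment_token($_SESSION);
//                  print $token into the page, then in the click handler call
//                  $("#tableContent").load(href, { frag_token: token });
//   fragment page: session_start();
//                  if (!fragment_request_allowed($_SESSION, $_POST)) {
//                      header('Location: /'); exit;
//                  }

// Demonstration with constructed input; $session stands in for $_SESSION.
$session = [];
$token = issue_fragment_token($session);

// Request made by the parent page's .load() call.
var_dump(fragment_request_allowed($session, ['frag_token' => $token]));
// Fragment URL typed into the address bar: a GET with no token.
var_dump(fragment_request_allowed($session, []));
// Token presented without a session that holds it.
var_dump(fragment_request_allowed([], ['frag_token' => $token]));
// Malformed parameter sent as an array instead of a string.
var_dump(fragment_request_allowed($session, ['frag_token' => [$token]]));
```

A visitor who has loaded the parent page can still read the token and replay it, so this keeps fragments out of direct browsing rather than acting as access control for their content.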