0

There is a PHP script in my website's directory; this script runs when some forms on my pages are filled with data and the user clicks the submit button. But there is a problem: you can type in the address bar, for example mywebsite.com/php/test.php, and then the PHP script runs and does some stuff. So, how do I prevent this?

Dharman
  • Which server are you using? Apache? – gabriel garcia Jun 06 '20 at 12:22
  • The obvious solution is to add some sort of authentication or authorisation check. Or maybe a CSRF token or a captcha would be sufficient, depending on the circumstances. Or put the script outside the public folder, if the form isn't posting back directly to it – ADyson Jun 06 '20 at 12:43

3 Answers

0

The answers of Mudit Kashyap and Rohit Sahu are wrong and not reliable.

  1. The client request header field HTTP_X_REQUESTED_WITH is not reliable because not every client sends it. It is not a standard.

  2. The client request header field HTTP_REFERER is not reliable because there are situations where no Referer is sent or the user has blocked sending it.

The only way to block execution of the script on direct access is to check whether a form was sent or not; if not, abort execution at the start of the script.

// if you send your form with POST
// (a URL typed into the address bar is a GET, so $_POST is empty)
if (empty($_POST)) {
    die("Access without a form sent using POST");
}

// if you send your form with GET
// (a bare URL without a query string leaves $_GET empty)
if (empty($_GET)) {
    die("Access without a form sent using GET");
}

// if you send your form with POST but also allow GET
// ($_REQUEST merges $_GET, $_POST and $_COOKIE, so a cookie alone can fill it)
if (empty($_REQUEST)) {
    die("Access without a form sent using REQUEST");
}

ChrisG
  • Of course someone can still just post values to the form from somewhere else. I'd say some authentication or maybe a captcha would be more effective. – ADyson Jun 06 '20 at 12:40
  • @ChrisMaster thanks for clarification, noted your points – Rohit Sahu Jun 06 '20 at 12:53
  • What's the difference though really? It doesn't matter where the access comes from, if it's vulnerable it's vulnerable. The address bar was potentially mentioned because the OP maybe didn't realise there might be other ways to access it too, so I thought it might be good to mention that as well. And I didn't downvote you btw. It was meant as a helpful comment but for no apparent reason you decided to be rude. But you must suit yourself of course, although people won't bother to try and improve or make suggestions to your benefit, if you take that kind of tone – ADyson Jun 06 '20 at 12:55
  • Posts from other locations to his script are possible... everybody can post to everything online. This is clear, and it is also clear that he has to validate the values he receives; he has to do this with a normal post using his form too. This is not the point. But he asked about direct access from the address bar using his location, which means no form posted, and that's it. If you are not the downvoter then sorry for this point. – ChrisG Jun 06 '20 at 13:02
  • Apology accepted. But what's the point of only fixing one simple vulnerability when you're well aware of others? A proper bit of security would fix the issue being directly asked about _and_ the wider access problem in one go. Consider also that people don't always ask about what they really mean, either because they get caught up in one specific issue which masks a wider problem or because they lack the experience/knowledge to recognise that there's a bigger issue - I suspect this is one such case potentially where OP perhaps didn't understand about non-browser HTTP requests, for example. – ADyson Jun 06 '20 at 13:12
  • P.s. you're perfectly right about the requested-with and referer fields, I just don't think this suggestion is all that much better – ADyson Jun 06 '20 at 13:17
  • You are right. Given that you are not the downvoter, I don't have anything to say against your advice. Yes, an annoying captcha would be a solution. Authentication could also help. But you are only 100% safe if you turn off your server and stop writing scripts :-) I think if someone asks that simple a question, nobody helps him with advice regarding more technical things. I doubt he is on the level to use them; other readers might get a win out of it. But still, yes you are right, every piece of advice is helpful. – ChrisG Jun 06 '20 at 13:28
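The check ChrisG's answer describes (abort unless the form's own method was used) combined with the session-bound CSRF token ADyson suggests in the comments, written out as an added example that is not code from any of the answers. The names issue_csrf_token, render_form, form_submission_is_valid and CSRF_KEY are this example's own, and plain arrays stand in for $_SERVER, $_POST and $_SESSION so the script runs from the command line without a web server. The constructed cases at the bottom show why the token does what a Referer or X-Requested-With check cannot: a request built outside the browser can set any header it likes, but it cannot produce the token the form page stored in the session.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answers. Function and constant
// names are this example's own. Plain arrays stand in for $_SERVER, $_POST
// and $_SESSION; in a real page call session_start() and pass the superglobals.

const CSRF_KEY = 'csrf_token';

// Mint a random token and bind it to the session when the form page is served.
// random_bytes() throws if no CSPRNG is available, which is the right failure.
function issue_csrf_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session[CSRF_KEY] = $token;
    return $token;
}

// The form page embeds the token as a hidden field; the browser sends it back
// with the real submission, but a direct address-bar hit carries nothing.
function render_form(string $token, string $action): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    $a = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"{$a}\">\n"
         . "  <input type=\"hidden\" name=\"" . CSRF_KEY . "\" value=\"{$t}\">\n"
         . "  <input type=\"text\" name=\"name\">\n"
         . "  <button type=\"submit\">Submit</button>\n"
         . "</form>\n";
}

// Run this at the top of test.php before doing any work.
function form_submission_is_valid(array $server, array $post, array $session): bool
{
    // 1. Only the form's method is accepted; a URL typed into the address
    //    bar produces a GET, so it stops here.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // 2. The session must already hold a token, i.e. the form page was loaded
    //    in this session. Referer and X-Requested-With are not consulted.
    $expected = $session[CSRF_KEY] ?? null;
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    // 3. The submitted token must match, compared in constant time.
    $submitted = $post[CSRF_KEY] ?? null;
    return is_string($submitted) && hash_equals($expected, $submitted);
}

// --- Constructed demonstration, no real HTTP traffic ----------------------
$session = [];
$token = issue_csrf_token($session);   // done while serving the form page
echo render_form($token, '/php/test.php');

$cases = [
    // Browser submitting the rendered form: carries the session's token.
    'real form post'    => [['REQUEST_METHOD' => 'POST'], [CSRF_KEY => $token, 'name' => 'Alice']],
    // URL typed into the address bar: a GET with no body at all.
    'address bar (GET)' => [['REQUEST_METHOD' => 'GET'], []],
    // Request built with curl or a script: method, Referer and
    // X-Requested-With are whatever the sender chooses, but the token is not.
    'forged post'       => [
        ['REQUEST_METHOD' => 'POST',
         'HTTP_REFERER' => 'https://mywebsite.com/form.php',
         'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
        ['name' => 'Mallory', CSRF_KEY => str_repeat('0', 64)],
    ],
];

foreach ($cases as $label => [$server, $post]) {
    $verdict = form_submission_is_valid($server, $post, $session) ? 'accepted' : 'rejected';
    printf("%-18s => %s\n", $label, $verdict);
}
```

Only the first case is accepted; the GET fails at step 1 and the forged post fails at step 3 despite its convincing headers. What this does not do is stop a visitor who loads the form in their own session, reads the token out of the page and posts it from a script: the token proves the request came through the form page in that session, not that the person is allowed to run the script. If that matters, the script also needs the authentication or authorisation check ADyson describes. For an AJAX endpoint the same token can be sent in a request header instead of a hidden field; the comparison is unchanged.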
-2

Add this code at the top of the PHP scripts inside that directory:

if (!isset($_SERVER['HTTP_REFERER'])) {
    // No Referer header: the script was not reached from another page,
    // so send the visitor back to the index page and stop here.
    header('Location: index.php');
    exit;
}

If the user directly puts the file address in the URL bar, then no referrer page will be found. This means that if the user directly opened that page from the URL bar, this will redirect the user somewhere else. Hope it helps.

Rohit Sahu
-2

You can prevent direct access easily if you are calling test.php using AJAX; then follow this code.

Add this code in test.php:

if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'))
{
    // The request carried the X-Requested-With header that XMLHttpRequest
    // wrappers such as jQuery's $.ajax add (the browser's fetch() does not
    // add it on its own): run the real work here.
    //add your test.php code here
} else {
    // Anything else (address bar, plain form post) stops here.
    die();
}