Protect call to php script

  • pmarg212
    New Member
    • Oct 2006
    • 2

    Protect call to php script

    Greetings,

    I use Google Maps' JavaScript method to retrieve XML.

    The call in maps.php looks like this: GDownloadUrl("files/sub.php?f=param .....")

    The URL parameters are calculated at runtime based on the size of the Google map displayed.

    sub.php takes the URL parameters, queries a database, and prints the results as XML, which is parsed by the JavaScript in maps.php. My question: how can I prevent a user from merely going directly to files/sub.php, setting his own parameters, and seeing whatever XML results he wishes? Is there a way to prevent a user from accessing the script directly but still allow a different page on my server to access it?

    Thanks for any advice you can provide,
    Paul
  • steven
    New Member
    • Sep 2006
    • 143

    #2
    Originally posted by pmarg212
    Greetings,

    I use Google Maps' JavaScript method to retrieve XML.

    The call in maps.php looks like this: GDownloadUrl("files/sub.php?f=param .....")

    The URL parameters are calculated at runtime based on the size of the Google map displayed.

    sub.php takes the URL parameters, queries a database, and prints the results as XML, which is parsed by the JavaScript in maps.php. My question: how can I prevent a user from merely going directly to files/sub.php, setting his own parameters, and seeing whatever XML results he wishes? Is there a way to prevent a user from accessing the script directly but still allow a different page on my server to access it?

    Thanks for any advice you can provide,
    Paul
    Perhaps use PHP5. Set the sub.php inside a class and make it so that it can't be directly instantiated. Make the methods protected and accessible only to subclasses in the first php file that the users are allowed to access.

    In PHP4, I think you could do something similar. Make the sub.php into a class file, place a die(); at the beginning of the class but just instantiate the class from within the allowed php.


    • ronverdonk
      Recognized Expert Specialist
      • Jul 2006
      • 4259

      #3
      Here are 2 more ways to accomplish this:

      1. Start a session at the beginning of each script, session_start(), and save the IP address and the session id of the MAPS.PHP calling script in the $_SESSION array. The called script SUB.PHP verifies if the session id and the IP address are still as stored in $_SESSION.

      2. Convert (encrypt) the URL parameters in MAPS.PHP, in a format such as "sub.php?aku=DFgh4hfdg4454fgHFG" and decrypt them in SUB.PHP. For this, see a package such as PHPSecureURL.

      Ronald :cool:


      • pmarg212
        New Member
        • Oct 2006
        • 2

        #4
        Thanks for your responses. The session variables have been helpful except where a single load of a page must access the external php script a number of times (based on triggers in the javascript).

        You mentioned "ip address...of the MAPS.php calling script" -- what variable is this? I seem to get the same IP address no matter which server variable I try. Which did you have in mind? Is there any other variable that might differ when a script is called directly vs. through another script?

        Thanks again,
        Paul

        Originally posted by ronverdonk
        Here are 2 more ways to accomplish this:

        1. Start a session at the beginning of each script, session_start(), and save the IP address and the session id of the MAPS.PHP calling script in the $_SESSION array. The called script SUB.PHP verifies if the session id and the IP address are still as stored in $_SESSION.

        Ronald :cool:


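An added example, not part of any post in this thread: one way to implement the session check from reply #3 so that it keeps working when one page load calls sub.php several times, as described in reply #4. Because the token only shows that the same browser session loaded maps.php, sub.php also range-checks the parameters. The helper names, the `t` token parameter and the `n`/`s`/`e`/`w` bounding-box parameters are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The helper names, the "t" parameter
// and the n/s/e/w bounding-box parameters are assumptions for illustration.

// maps.php: call before any output and append "&t=<token>" to the URL given to
// GDownloadUrl(). The token is not consumed, so repeated calls keep working.
function issue_map_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['map_token'])) {
        $_SESSION['map_token'] = bin2hex(random_bytes(32));
        $_SESSION['map_token_time'] = time();
    }
    return $_SESSION['map_token'];
}

// sub.php: accept only the token stored for this session, within $maxAge seconds.
function token_is_valid(array $session, array $query, int $now, int $maxAge = 1800): bool
{
    $expected = $session['map_token'] ?? '';
    $supplied = $query['t'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === '') {
        return false;
    }
    if ($now - (int) ($session['map_token_time'] ?? 0) > $maxAge) {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// sub.php: the token says nothing about the parameters, so bound them as well.
function parse_bounds(array $query, float $maxSpan = 2.0): ?array
{
    $b = [];
    foreach (['n', 's', 'e', 'w'] as $k) {
        if (!isset($query[$k]) || !is_numeric($query[$k])) {
            return null;
        }
        $b[$k] = (float) $query[$k];
    }
    $ok = $b['n'] > $b['s'] && $b['n'] - $b['s'] <= $maxSpan
        && $b['e'] > $b['w'] && $b['e'] - $b['w'] <= $maxSpan;
    return $ok ? $b : null;
}

// sub.php entry: session_start(); then answer 403 and exit unless
// token_is_valid($_SESSION, $_GET, time()) and parse_bounds($_GET) !== null.
```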