Restricting access to a php script

  • guile
    New Member
    • Apr 2007
    • 18

    Restricting access to a php script

    hi,
    I have a script 1 that calls another script 2 when a form is submitted. both scripts belong to the admin side and the second one involves database modification.
    how do i make sure that there are no loose ends?

    one way is to put a check in script 2 so that it executes only when session variables are set to logged in.
    another way is to check for the source that the form data came from....I'm not sure of how to check for it. is it through $_SERVER['HTTP_REFERER'] ?? is this way safe?

    anyways, which works better? or should I use them in conjunction? or is there a better way for this?
  • cyberking
    New Member
    • Jan 2007
    • 84

    #2
    Originally posted by guile
    hi,
    I have a script 1 that calls another script 2 when a form is submitted. both scripts belong to the admin side and the second one involves database modification.
    how do i make sure that there are no loose ends?

    one way is to put a check in script 2 so that it executes only when session variables are set to logged in.
    another way is to check for the source that the form data came from....I'm not sure of how to check for it. is it through $_SERVER['HTTP_REFERER'] ?? is this way safe?

    anyways, which works better? or should I use them in conjunction? or is there a better way for this?
    Hi!
    I don't understand your needs exactly. When it belongs to the admin side, why don't you restrict the entry / access to these forms by hardcoding a login id and a password which only you know. Next, by having a tiny login with user id and password, you can check if the hardcoded user id and password match; if yes, redirect to the admin (script 1 page) page, else redirect him to the users section.
    Hope this helps you,
    Regards
    CyberKing
    www.bytesandbytes.com


    • guile
      New Member
      • Apr 2007
      • 18

      #3
      hello cyberking,

      i wrote about maintaining login sessions. i think that is the best possible way to restrict access.
      but say you had somebody who has access to the admin area. how do you stop that person from writing a program/script to flood the script with requests?

      has anybody ever checked for the page from which the request comes from? does it work? how do cms packages prevent their include files from being accessed in the wrong way?


      • devsusen
        New Member
        • Feb 2007
        • 136

        #4
        Hi,

        for the sake of security u can use the session or cookie. This provides u quite reliable security for ur system.

        Now considering ur case scenario. Say person A has access to the admin area. Now he can enter there only by using the login system. Now say there is a script named test.php. A can run test.php using some program to flood it. I think this is ur telling.

        Now to prevent running the script from outside, use some other script to define some global variable. test.php can check the existence of the variable and then run the code inside. In ur system u will call the variable containing script to define the vars globally. But A can't call the script from outside. This way u can make ur script secure from being accessed and executed from outside.


        Originally posted by guile
        i wrote about maintaining login sessions. i think that is the best possible way to restrict access.
        but say you had somebody who has access to the admin area. how do you stop that person from writing a program/script to flood the script with requests?

        has anybody ever checked for the page from which the request comes from? does it work? how do cms packages prevent their include files from being accessed in the wrong way?
        susen


        • guile
          New Member
          • Apr 2007
          • 18

          #5
          Originally posted by devsusen
          Hi,

          for the sake of security u can use the session or cookie. This provides u quite reliable security for ur system.

          Now considering ur case scenario. Say person A has access to the admin area. Now he can enter there only by using the login system. Now say there is a script named test.php. A can run test.php using some program to flood it. I think this is ur telling.

          Now to prevent running the script from outside, use some other script to define some global variable. test.php can check the existence of the variable and then run the code inside. In ur system u will call the variable containing script to define the vars globally. But A can't call the script from outside. This way u can make ur script secure from being accessed and executed from outside.

          susen
          Hi,
          thanks for that response. I think PHPBB does something similar to ensure include files aren't executed in isolation. It sets up a variable in the master pages and puts a check at beginning of each include file.

          I think I can combine both of these systems...checking for the existence of the particular variable to make sure that file is being used inside some other script, and then checking if the session is set to logged in.

          thanks


          • devsusen
            New Member
            • Feb 2007
            • 136

            #6
            Hi,

            Yeah, it's true. Not only phpbb but I have seen many other applications in php use this technique to protect the inside code from being accessed.

            It seems to me that you have worked with phpbb forum. IMO this is a really good forum in all aspects.

            susen

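The combination guile describes in #5 (a marker defined by the master script plus a logged-in session check), as an added example that is not any poster's code or phpBB's own. The file names, the IN_ADMIN constant, the admin_logged_in session key, the articles table and the database credentials are all assumptions; the block shows two files, separated by the FILE comments.

```php
<?php
// FILE 1: admin/update.php (hypothetical entry point, "script 2" in the thread)
session_start();

// Check A: only a logged-in admin session may reach the database code.
// 'admin_logged_in' is an assumed key that the login page sets on success.
if (empty($_SESSION['admin_logged_in'])) {
    http_response_code(403);
    exit('Forbidden');
}
// HTTP_REFERER is a header supplied by the client, so it is not used here.

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// Check B: mark the request as having entered through a master script.
// A constant (assumed name IN_ADMIN) cannot be supplied via GET/POST/cookies.
define('IN_ADMIN', true);
require __DIR__ . '/includes/db_update.php';

// Constructed DSN and credentials, placeholders only.
$db = new PDO('mysql:host=localhost;dbname=example', 'app_user', 'app_password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$rows = update_title($db, (int) ($_POST['id'] ?? 0), (string) ($_POST['title'] ?? ''));
echo $rows === 1 ? 'Updated' : 'Nothing changed';
?>
<?php
// FILE 2: admin/includes/db_update.php (hypothetical include file)
// Requested directly, IN_ADMIN is undefined and the script stops here.
if (!defined('IN_ADMIN')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

// Runs the modification with bound parameters; returns the affected row count.
// The 'articles' table and its columns are assumed for illustration.
function update_title(PDO $db, int $id, string $title): int
{
    $stmt = $db->prepare('UPDATE articles SET title = :title WHERE id = :id');
    $stmt->execute([':title' => $title, ':id' => $id]);
    return $stmt->rowCount();
}
```

The constant only stops the include file from being requested on its own; a logged-in user can still send repeated requests to update.php, which neither check limits.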