Member Avatar for Buppy

Hi,

I have a file index.php with script on a link, which opens new window with myfile.php, using JS window.open method. The page itself is based on PHP. What i need to do is to prevent direct access to that JS popup window file. For example, if i press a link in the index.php file like "Press here to open the window", it opens that window with myfile.php inside. If i type it directly - myserver.com/myfile.php, it should display an error or something. With includes it's easy to prevent, however, this is a new window and it does not receive other information than $_GET[] from index.php file, and $_GET[] is easy to surpass.

Thanks

  • 4 Contributors
  • 5 Replies
  • 215 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by Buppy

Recommended Answers

All 5 Replies

Member Avatar for Buppy

Small bump. Anyone has any ideas?

Member Avatar for mschroeder

Speculating here, but you could possibly make it check the referrer. I'm not sure if window.open will pass a referrer though.

Member Avatar for charlybones

The only way that I've prevented direct access before is by using the session variables.

You have to use session_start(); on your index.php. Then in the file "myfile.php" do a check

if(!isset($_SESSION['username']))
header("Location: index.php");

to redirect to index.php.

I suggest you look online on how to set the session variables for an anonymous user etc.

Member Avatar for diafol

Why don't you just have a link set with target="_blank"?

The referrer will then be clear (http://www.mysite.com/index.php).

<?php
if(!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != "http://www.mysite.com/index.php"){
  echo "Smart Alec - what you trying to do?"
}else{
...display page...
}
?>

You may be tempted to just check against index.php, using basename(), but I think that would open the link to easy spoofing. There are ways around HTTP_REFERER anyway - a combination of this with a session variable may be useful. You don't have to have a login system to use sessions though.

Edited by diafol because: n/a
Member Avatar for Buppy

Even this is a window.open method, the $_SERVER thing works perfectly.

Thanks

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.