0

I'd like to create /admin.php page, which would have AJAX request, sent over to /core/adm/index.php, that's easy, basic AJAX request will do just that. But I don't want any direct access to /core/adm/index.php, I want it to be accessed only by AJAX request from /admin.php.

Is there a way to forbid any other access? Answer is not, it's never possible to fully block someone off, while you're connected to internet. But is there a way to make it cost quite some effort? If it will cost 5 minutes of effort and jungling through the code, it will probably block off 90% of people out there.

For example, if I want to make someone pay lots of effort to get my logo. I make <img src="pixel.png" id="thelogo" /> and then in CSS, I would assign base64 based image with background-image:;.

Back to my case, is there a way to make someone take lots of effort to get to /core/adm/index.php any other way? Something that will say "Do not let ANYBODY see any data from you. Except, exclusively from localhost/admin.php's AJAX ONLY $_REQUEST[]."

It's not like page itself contains something that can't be revealed (SESSION's will solve that).

Edited by Aeonix

3
Contributors
8
Replies
23
Views
2 Years
Discussion Span
Last Post by Aeonix
0

For example, if I want to make someone pay lots of effort to get my logo. I make <img src="pixel.png" id="thelogo" /> and then in CSS, I would assign base64 based image with background-image:;

everything displayed on the page, is downloaded to the user
nothing in any code prevents that
everything visible is accessible
you don't want it copied, don't put it on the page
the "lots of effort" described above, is about 3 seconds

Edited by almostbob

1

I'd probably choose to allow only POST'ing to the script (die on a GET request), and when rendering the page add a token which needs to be sent in the POST header.

Votes + Comments
Hits the spot.
0

and jazz up the token, relative to request time, ip, browser etc, so the token becomes one-shot. many security tokens are ineffective

Edited by almostbob

0

the "lots of effort" described above, is about 3 seconds

It takes me solid 20 seconds to do that >:D, but even you have to admit, it takes a couple more clicks than just right-click and "Save Image", it tends to turn people down quite easily, not all of 'em of course, but majority.

I'd probably choose to allow only POST'ing to the script (die on a GET request), and when rendering the page add a token which needs to be sent in the POST header.

Very smart, haven't thought of that. It solves the issue. Just one question, how do I die(); on $_GET[]? Could you shake some small example?

Edited by Aeonix

1

facepalm So easy, yet I haven't found it out. Someone call my brain's on holiday, I need it. I knew count(); dammit! Makes me look stupid! Never liked this function anyways.

Edited by Aeonix

0

irfanview, probably any graphic viewer that can use photoshop plugins can view base64 as the original image
View source, copy, paste

Edited by almostbob

1

Yes, because everybody these days knows, that they should open, certain part of this flat text into Ifranview,

url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7);

Like I said, everybody knows how to right-click and download the image.
Not everybody knows that they need to copy the part after , into base64 decoder. That's still some slight layer of protection.

Are we really sitting here discussing about how badly we can't protect the image file?

Of course everybody still can access it, but I can also put heavy safe on the street with millions in it, it's way better than having all this cash lying just on the ground. Even though entire safe can be stolen, it takes effort, time and basic knowledge. Making it some kind of protection measurement. Better than having it lying on the ground, where everybody can easily take it.

Votes + Comments
I hadn't considered how many DON'T know (not as crooked as me?), I spend too much time surrounded by plagiarists. Kudos simple, is good
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.