仅允许从另一个.php文件访问.php文件，而不允许直接访问url

Question

I have two files stored in my local server in a folder, login.php and update.php. These two files are accessible from any location as long as they enter:

ip:port/folder/login.php

and

ip:port/folder/update.php.

What I am trying to do is prevent the users going to update.php by entering it in the url and only allow them to access the update.php file by first going to login.php ( login.php redirects them to update.php when a button is pressed).

I am kinda new to php and apache. I am not sure if this should be done in PHP or in .htaccess file and how.

Thanks in advanced!

Answer 1

You can use $_SESSION

// Let's say this is you update.php
session_start();

if (isset($_SESSION['email']) /* or something like that */)
{                     
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}

// do whateven you need to do and set up $_SESSION variables 
// for example get the user entered info here

// This is how you set session variables
$_SESSION['username'] = ...;
$_SESSION['email']    = ...;

// Then after you did the registration part or something else you wanted to do
// You can redirect the user to any page you want
header("Location: some_other_page.php");

Every time user tries to enter the update.php right away, he or she will be redirected to login after they have logged out since the session is not there.

Hope this helped a little.

Answer 2

It is impossible to have a URL that a user can visit only sometimes.

If you want a login system, then do what everybody else does:

1. Set an identifying cookie on login
2. When a user visits a restricted page:
   1. Test that you have identified them
   2. Test that the identified user is authorised to view the page
   3. Redirect them to the login page or give them a not authorised response if either of the previous two conditions were failed

Answer 3

You can have it check the referral url. You can also create a user session, so when a user accesses update . php, a variable is verified. The session variable can be set to a correct value on login. Php.

Sessions allow you to store variables as people go from page to page on your website.

Answer 4

A great way to do this is with readfile .

<?php
// This is the path to your PDF files. This shouldn't be accessable from your
// webserver - if it is, people can download them without logging in
$path_to_pdf_files = "/path/to/pdf/files";

session_start();

// Check they are logged in. If they aren't, stop right there.
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != true) {
    die("You are not logged in!");
}

// Get the PDF they have requested. This will only allow files ending in 'pdf'
// to be downloaded.
$pdf_file = basename($_GET['file'], ".pdf") . ".pdf";

$pdf_location = "$path_to_pdf_files/$pdf_file";

// Check the file exists. If it doesn't, exit.
if (!file_exists($pdf_location)) {
    die("The file you requested could not be found.");
}

// Set headers so the browser believes it's downloading a PDF file
header("Content-type: application/pdf");
header("Content-Disposition: inline; filename=$pdf_file");
$filesize = filesize($pdf_location);
header("Content-Length: $filesize");

// Read the file and output it to the browser
readfile($pdf_location);

?>

This was taken from wildeeo-ga 's answer on google answers.