[英]Prevent Direct access to PHP file using AJAX
I want to prevent direct access to a certain PHP file called prevented.php
My logic is that I have a main file lets call it index.php
and it generates a token and stores it in a $_SESSION
variable.我想阻止直接访问某个名为
prevented.php
的文件 PHP 我的逻辑是,我有一个主文件,我们称之为index.php
,它生成一个令牌并将其存储在$_SESSION
变量中。 I also have a another file called def.php
which is called using AJAX and it passes the token from the index.php
to the def.php
and if the $_SESSION['token']
is equal to the $_POST['token']
it defines a _DEFVAR
and returns true otherwise it returns false.我还有一个名为
def.php
的文件,它使用 AJAX 调用,它将令牌从index.php
传递到def.php
,如果$_SESSION['token']
等于$_POST['token']
它定义了一个_DEFVAR
并返回 true,否则返回 false。 After I called the def.php
and it returns true, I redirect to the prevented.php
via javascript using location.href="prevented.php"
.在调用
def.php
并返回 true 后,我使用location.href="prevented.php"
通过 javascript 重定向到prevented.php
。 In the top of the prevented.php
file there is a code which checks if the _DEFVAR
is defined or not.在
prevented.php
文件的顶部有一个代码检查_DEFVAR
是否被定义。 If not, its die with a message like invalid
otherwise it displays the content of the prevented.php
file.如果不是,它会死掉并显示一条类似
invalid
的消息,否则它会显示prevented.php
文件的内容。 But somewhy I always get invalid
message and I don't know why.但是为什么我总是收到
invalid
消息,我不知道为什么。 Any idea how to reach the prevented.php
without directly direct the page?知道如何在不直接引导页面的情况下到达
prevented.php
吗?
Here's my code:这是我的代码:
index.php
<?php
$_SESSION["token"] = hash_hmac('sha256', "tokenString", "t2o0k0e0n3"); // Creates a hashed token
?>
<script>
$.ajax({
type: "POST",
url: "def.php",
data: {
token: '<?php echo $_SESSION["token"]; ?>'
},
cache: false,
success: function(data) {
console.log (data);
if (data) {
console.log (data + ' valid');
} else {
console.log (data + ' invalid');
}
location.href = "prevented.php";
},
error: function () {
console.log('error');
}
});
</script>
def.php
<?php
session_start();
if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) {
echo false;
die('invalid in def');
} else {
define('_DEFVAR', 1);
echo true;
die ('valid in def');
}
?>
prevented.php
<?php
include "def.php";
if (defined('_DEFVAR')) {
die ('valid in prevented'); // instead of this I would show the content of the page
} else {
die ('invalid in prevented');
}
?>
Your code is unnecessarily overcomplicated.您的代码不必要地过于复杂。 If your intent is merely to ensure that visitors to
protected.php
have first visited index.php
then all you need to do is create a session flag in one and check for its existence in the other.如果您的目的只是为了确保
protected.php
的访问者首先访问了index.php
,那么您需要做的就是在一个中创建一个 session 标志并检查它在另一个中是否存在。 There is no need for any AJAX or any form POSTs.不需要任何 AJAX 或任何形式的 POST。 The innate behavior of PHP sessions already gives you this functionality.
PHP 会话的固有行为已经为您提供了此功能。
index.php:索引.php:
<?php
session_start();
$_SESSION['flag'] = true;
?>
<a href="protected.php">click here for the protected page</a>
protected.php:保护.php:
<?php
session_start();
if ($_SESSION['flag'] ?? false) {
echo "you have previously visited index.php";
} else {
echo "you have not previously visited index.php";
}
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.