
Secure files from direct access

I have hosted a site, and the documents suggest putting files under the folder public_html. I have three files, index.php (view page), common.js, and result.php (PHP), in the root folder. Clicking a button in the index.php (view) file triggers an ajax function to result.php.

The problem is everyone can access result.php directly...

I am trying to make a folder structure where all PHP files (result.php) are in a folder behind the root, so it will not be accessed directly from the browser, using a rewrite rule or anything else.

Please help me to solve this issue...

To make a file only accessible via ajax you can use:

// True only when the request carries the X-Requested-With header that most AJAX libraries add
public static function isAjax() {
    return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == "XMLHttpRequest");
}

It returns true or false. Basically, if it returns true then let the user carry on, otherwise stop them.

Word of caution: not all JS libraries/frameworks actually set this header, but most do (jQuery, Mootools etc.), and not all versions, so make sure you have the latest version of a library/framework before you use this.

Plus, if the user spoofs your headers then there is no real way to stop them.

I tend to use this as a precursor for stopping AJAX pages from being visible publicly. I also use parameter integrity checking and a random hash stored in the session (a CSRF-type thing) to check if the user is legitimately accessing an AJAX page.

You can't protect it by moving it around, because there is no way to distinguish whether a request to result.php was triggered by a legitimate AJAX call from index.php, except for a session (or some other type of token).
You need to use a PHP session (or something equivalent) to:

  1. Store what the user has access to (in index.php).
  2. Check if he has access to it (in result.php).
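The session-token approach that both answers above describe (a random hash stored in the session, checked in result.php, with the X-Requested-With test as a first filter), written out as an added example that is not from the original answers. The helper file name ajax_guard.php and the X-Ajax-Token header name are assumptions.

```php
<?php
// Hypothetical helper ajax_guard.php, included by both index.php and result.php.
session_start();

// index.php calls this and passes the token to common.js (e.g. in a data attribute).
// One random token per session; CSPRNG, so it cannot be guessed.
function issueAjaxToken(): string {
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// The X-Requested-With check from the first answer. Cheap, but any client can
// spoof the header, so it is only a first filter, never the access control.
function isAjax(): bool {
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
}

// result.php calls this first. The request must be AJAX and must carry the
// token that was issued to this session; a direct browser visit has neither.
// hash_equals() compares in constant time so the token cannot be leaked by timing.
function requireAjaxToken(): void {
    $sent     = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? '';   // header X-Ajax-Token
    $expected = $_SESSION['ajax_token'] ?? '';
    if (!isAjax() || $expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// common.js then sends the token with every call, for example:
//   fetch('result.php', { headers: {
//       'X-Requested-With': 'XMLHttpRequest',
//       'X-Ajax-Token': document.body.dataset.ajaxToken } });
```

Because the token is bound to the server-side session, a visitor who types result.php into the address bar (or a page on another origin that tries to call it) never receives the session's token and gets a 403, while the page's own common.js passes.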

You cannot make a file accessible via ajax but not accessible via a proper browser request, because an Ajax call behaves exactly the same as a web browser request.
