Web Analytics Made Easy -
StatCounter How to detect whether a PHP page is being viewed directly or not? - CodingForum

Announcement

Collapse
No announcement yet.

How to detect whether a PHP page is being viewed directly or not?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • How to detect whether a PHP page is being viewed directly or not?

    Ok,

    basically, as part of a licensed script i am creating i have put in place PHP protections to stop the javascript being able to be viewed directly over the net. So my plan was to put the licensed javascript within a PHP file and so if the script was called from the allowed page via a <script src="javascript.php"> then all would be fine, but if someone tried to point their browser to javascript.php it would not display the contents of the file.

    So how can i get PHP to check whether it is being accessed directly or whether it is being included as stated above?

    Thanks

  • #2
    Oh, that will be difficult, I think.
    Perhaps the only way to be able to decide wether the script is viewed directly with the browser or is included with <script>-Tags is the $_SERVER['REFERER'].
    I checked all other Server-Variables and there is no difference.

    The $_SERVER['HTTP_ACCEPT'] differes, too. Including the file with JavaScript there is only */*. Browsers _normally_ do have much more Accept Types.

    But I think you won't be able to make this sure enough to ensure that nobody will see the script...

    It's possible to make this with GET-Variables, too, but you'll be able to view the script directly putting the GET-Variable in the adress field of the browser.

    Saludo
    piz
    www.united-scripts.com
    www.codebattles.org

    Comment


    • #3
      thanks for the thoughts piz,

      I had thought this would be difficult, but i cant think of any other way to prevent access to the script exept if you have direct access to teh files.

      ultimately i realise that if people want it that badly they will find a way to get it. all im trying to do is stop viewers from being able to view the external file, but allow it to be usedby the script.

      I had thought about doing the referrer method, i'll give that a try.

      Could you elaborate on how HTTP_ACCEPT would differ, and what values normally occur?

      Thanks

      Comment


      • #4
        Could you elaborate on how HTTP_ACCEPT would differ, and what values normally occur?
        php.net: Contents of the Accept: header from the current request, if there is one.

        My konquerer (per default) does send following Accept Header:
        text/html, image/jpeg, image/png, text/*, image/*, */*

        Headers of my Mozilla Firebird:
        text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1'

        You can Set those Headers in your Browserconfigurations.
        Inlcuding with JavaScript seems to send the Headers */* only.

        But I think it's better using REFERER, it seems to be more reliable.
        The REFERER, if you link the script with script-tags is always the conplete path (http://domain.tld?request) of the file that includes the js file.
        If you call it directly, it is the 'real' REFERER-page (which is '' if you type the url directly in your browser.)
        www.united-scripts.com
        www.codebattles.org

        Comment


        • #5
          You do realise that View Source on the page with the JS on will reveal it's contents... right?
          David House - Perfect is achieved, not when there is nothing left to add, but when there is nothing left to take away. (Antoine de St. Exupery).
          W3Schools | XHTML Validator | CSS Validator | Colours | Typography | HTML&CSS FAQ | Go get Mozilla Now | I blog!

          Comment


          • #6
            Originally posted by me'
            You do realise that View Source on the page with the JS on will reveal it's contents... right?
            No, it won't. He is including the file with <script>-tags.
            You'll only see the <script src="jacascript.php"> in the code. Ok, there you have the direct url to type in in the browser - and thats what he want to prevent.
            Afaik there is no Browser which includes the js-Files directly in the source when going on "show source".... and it wouldn't make sense.
            www.united-scripts.com
            www.codebattles.org

            Comment


            • #7
              Ok, i have got it to restrict people from viewing the page directly using HTTP_REFERER.

              now i want to stop the file being accessed from another server, what PHP glboal variable will give me the domain name or full URL of the PHP script so that i can then compare it to the REQUEST_URI?

              Thanks

              Comment


              • #8
                Ehm, maybe I'm a little dense, but isn't the domain in REQUEST_URI the same where your script is running on? After all, it just contains the URI of the file you're sending the request to, right?

                The domain can be seen in $_SERVER['HTTP_HOST'], if my memory serves my right. Does that help? I'm a little confused by your request, because I can't see how REQUEST_URI does help you with your task. Did you mean to compare the HTTP_REFERER value to the domain where the script is running?
                De gustibus non est disputandum.

                Comment


                • #9
                  ok, basically yes you are right, in this case REQUEST_URI is the same as HTTP_HOST, however that is the idea, i am trying to prevent the script being accessed by being hotlinked from another server (as this would be a way to bypass the referrer check) so by comparing the two, i can find out whether the full url was used to request the file. if it was, then i can assume that it is being linked to from another domain as all users are instructed to use the relative path to reference the javascript.

                  Cheers

                  Comment


                  • #10
                    Re: How to detect whether a PHP page is being viewed directly or not?

                    Originally posted by SpeedFreak
                    Ok,

                    basically, as part of a licensed script i am creating i have put in place PHP protections to stop the javascript being able to be viewed directly over the net. So my plan was to put the licensed javascript within a PHP file and so if the script was called from the allowed page via a <script src="javascript.php"> then all would be fine, but if someone tried to point their browser to javascript.php it would not display the contents of the file.

                    So how can i get PHP to check whether it is being accessed directly or whether it is being included as stated above?

                    Thanks
                    if you want to stop someone for example viewing your config.php but you want it to be able to be used in other scripts id use:
                    PHP Code:
                    if($_SERVER['PHP_SELF']==='/config.php'){ header("Location: index.php"); } 
                    of course you can edit this if youre only using it in one page, to be like != '/index.php';

                    yea. hope it helps
                    php & asp tutorials - the birthplace - biorust - photoshop and web technologies

                    Comment


                    • #11
                      No, you can't use that, because we're not talking 'bout including a file like php style (include(...)), we're talking about including a javascript source file with the html tag <script>, and there $PHP_SELF will be always the filename of the javascript(-php)-file.

                      You can do it more difiicult to "hack" the file, by using those queries with the server variables like we discussed before. But as Javascript is a client language and the browser has to load the script completely to execute it, it will be always in the browser cache and it is a question of the user agent and the configuration to get the JavaScript code. There will be no way to hide it completely.

                      I heard that there is an extension for Mozilla which shows you the source of the included js Files ny viewing the source of the document, for example. Or you just save the complete Page with IE - the css and js sources will be saved, too. Or you just have a look at the browser cache directory...

                      Saludo
                      piz
                      www.united-scripts.com
                      www.codebattles.org

                      Comment


                      • #12
                        I'm surprised this thread even got 10 replys...

                        Scrowler gave the answer to Speedfreaks question, although it is pointless (like almost everyone said) because you don't need to type in the url to get the files content.

                        All content that is processed by the UA can be viewed. Point finale.
                        Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

                        Comment

                        Working...
                        X