Prevent access to php file

by brentb
7 replies
I have a form behind user authentication that submits to a PHP file. I am worried people will stop paying for my service yet still send values (via the URL or creation of their own form) to the PHP file directly.

How can I prevent this?
#access #file #php #prevent
  • mmstud
    You can't put the PHP file behind authentication?

    You could check where people come in to the script from; check the referrer. If it comes from your site or IP, then allow execution.

    But this depends totally on what kind of configuration you have on your system at the moment...
    • mattdean
      If you're using normal Linux authentication and the file is in a secured directory, taking someone out of the authentication file would disallow them from using any files in that directory.

      If you wanted another method, you could set a cookie when they log in and then check for that cookie at the top of every page.
      • brentb
        Good suggestion... I will try and see about implementing the cookie.

        The issue is that the script runs completely standalone on its own server, but the input comes from within a Joomla CMS install on another server. So the web form the inputs come from is locked down; however, the script itself is not.
  • SupporTech
    Please use an htaccess to hide PHP files!
  • KabanaSoft
    Like mmstud said, as long as the first server is always the server that sends requests to your PHP file, then you could implement IP checking code at the top of the PHP file and only accept requests that come from the IP address of your first server. That way, if a user manually tries to access your PHP script, your code can just reject the request since it's coming from an IP that is not from your main server...
    • kdavies
      I may be wrong here, but if they're no longer a member then they should be listed as such, and so no matter how they try to log in, the site shouldn't let them in.
  • Codez
    Lock cookies to the session ID for that user, so when the cookie expires so does the session, and thus they must log in again to access said form.
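
One way to carry the login check discussed in this thread across two servers, as an added example that is not code from any poster here: the login server signs a short-lived token into the form, and the standalone script verifies it before doing anything else. The shared secret, the function names and the `token` form field are assumptions.

```php
<?php
// Added example. Assumptions: the login server and this script share SECRET
// out of band; all names (SECRET, MAX_AGE, issue_token, verify_token, the
// "token" form field) are hypothetical.
const SECRET  = 'constructed-placeholder-load-real-key-from-config';
const MAX_AGE = 900; // seconds a token stays valid after the form is rendered

// Login server: called while rendering the form for a currently paying member.
function issue_token(int $userId, int $now): string
{
    $payload = $userId . '.' . ($now + MAX_AGE);
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// Standalone script: returns the member id, or null if the token is invalid.
function verify_token(string $token, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expires, SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;                     // forged or altered token
    }
    if ((int) $expires < $now) {
        return null;                     // token too old: member must reload form
    }
    return (int) $userId;
}

// Top of the protected script, before any form handling.
if (PHP_SAPI !== 'cli') {
    $token = $_POST['token'] ?? '';
    $uid = is_string($token) ? verify_token($token, time()) : null;
    if ($uid === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    // ... process the submission for member $uid ...
}
```

Because tokens are only issued to logged-in members and expire after `MAX_AGE`, a cancelled account loses access to the script once its last token lapses.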
