How to block access to php scripts from the address bar?
upd: I want to warn everyone who wants to answer this question. I'm unexpectedly "lucky" and my question is being moderated by FanatPhp, a champion of justice and righteousness in php! To avoid receiving negative comments about my personality from FanatPhp, please do not try to answer this question. More specifically, you can see in the comments...
FanatPhp, special thanks for moderating the answers to my question. Perhaps you have some knowledge of php, but it is not noticeable, because all your comments come down to commenting on the personalities of the people who answer, not to specific indications of what is wrong in their answer. It would be much more helpful if you commented on people's solutions rather than their personalities: not "you are a fool and your answer is stupid", but "Your SOLUTION is not correct, for the following reasons: ...".
However, the issue is no longer relevant. I won't delete the post; I want to leave your comments as an example, since they say a lot about your personality.
====================================================================
Good day!
The form on the site is submitted via AJAX to the script php/rest.php. How do I prohibit running the script from the address bar (sitename.com/php/rest.php) and allow it to run only from AJAX?
I tried reworking the nginx config: added a deny rule, even put the rules first to give them priority, but nothing helps.
Here is my config:
server {
    listen X.X.X.X:80;
    server_name sitename.com;
    access_log /home/username/logs/nginx_access.log;
    error_log /home/username/logs/nginx_error.log;
    root /home/username/www;
    client_max_body_size 256M;

    # deny rule for every script under /php/
    location ~ /php/(.+)\.php$ {
        deny all;
    }

    location / {
        index index.html;
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.html?q=$1 last;
        }

        # PHP handler, nested under /
        location ~ \.php$ {
            fastcgi_pass unix:/var/run/sitename.sock;
            fastcgi_index form.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_read_timeout 120;
            include fastcgi_params;
        }

        # hide dotfiles
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
    }

    # exact-match deny rule for the single script
    location = /php/rest.php {
        deny all;
    }
}
How do I disable running the script from the address bar (sitename.com/php/rest.php) and allow it to run only from AJAX?
Add a "token" check: the presence of the HTTP_X_REQUESTED_WITH header.
It doesn't make any sense and can be bypassed.
If you are interested in security, then you need to check whether the action itself is permitted.
After the page loads, the client receives a specific identifier. Let's call it a token.
Each time the page is requested or refreshed, the token is updated. For example, like this:
1. A request has come in: increment the counter of AJAX requests.
2. Generate $token = md5(sha1($user->name . SPECIFYSOLT . $user->ajax_count));
3. Give it to the client.
It is still possible to forge a request, but it is harder and only works once (or you can use a series of the form request-response-request).
You can also simply check for $_POST data in the /php/rest.php file and that's it.
But if important data or security is involved, then I wrote one option above.
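The per-request token scheme from the answer above, as an added example of how /php/rest.php could implement it (this is not the answerer's code and not the asker's project code). It assumes, beyond what the answer states, that the user name and AJAX counter live in the PHP session, that the token arrives in a POST field named "token", and that SPECIFYSOLT is a placeholder for a server-side secret salt; the function names makeToken and checkAndRotate are invented for the example.

```php
<?php
// Added example: /php/rest.php implementing the answer's token scheme.
// Assumptions (not on the page): session holds 'name' and 'ajax_count',
// the token is sent as POST field "token", SPECIFYSOLT is a placeholder secret.
declare(strict_types=1);

const SPECIFYSOLT = 'placeholder-replace-with-a-long-random-server-secret';

// Step 2 of the answer: the token is derived from user name, salt and counter.
function makeToken(string $userName, int $ajaxCount): string
{
    return md5(sha1($userName . SPECIFYSOLT . $ajaxCount));
}

// Validates the presented token against the current counter; on success bumps
// the counter (step 1) so the used token is dead and returns the next one (step 3).
// $state is the server-side session data and is mutated in place.
function checkAndRotate(array &$state, ?string $presented): array
{
    $expected = makeToken($state['name'], $state['ajax_count']);
    // hash_equals: constant-time comparison instead of a type-juggling ==.
    if ($presented === null || !hash_equals($expected, $presented)) {
        return [false, null];
    }
    $state['ajax_count']++;
    return [true, makeToken($state['name'], $state['ajax_count'])];
}

// The HTTP part only runs when the script is served, not when included for tests.
if (PHP_SAPI !== 'cli') {
    session_start();

    // Typing the URL into the address bar yields a GET with no body: refuse it.
    // This is the "check for $_POST data" variant from the answer, as a first gate.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST)) {
        http_response_code(405);
        exit;
    }

    // The page that renders the form is expected to have issued
    // makeToken($_SESSION['name'], $_SESSION['ajax_count']) to the client on load.
    $_SESSION['name'] = $_SESSION['name'] ?? 'guest';
    $_SESSION['ajax_count'] = $_SESSION['ajax_count'] ?? 0;
    $state = ['name' => $_SESSION['name'], 'ajax_count' => $_SESSION['ajax_count']];

    // A token[]=x submission would arrive as an array; only accept a string.
    $presented = isset($_POST['token']) && is_string($_POST['token']) ? $_POST['token'] : null;
    [$ok, $next] = checkAndRotate($state, $presented);
    $_SESSION['ajax_count'] = $state['ajax_count'];

    header('Content-Type: application/json');
    if (!$ok) {
        http_response_code(403);
        echo json_encode(['error' => 'bad token']);
        exit;
    }

    // ... handle the submitted form data here ...

    // The client must use this new token for its next request.
    echo json_encode(['ok' => true, 'token' => $next]);
}
```

Two things the code makes visible that the prose does not: the request is refused twice over (no POST body, then a wrong or replayed token), and because the counter only advances on a successful check, a client that sends a stale token gets a 403 rather than silently desynchronising. Since the token is a pure function of name, salt and counter, the scheme's strength rests entirely on the salt staying secret; a random per-session value stored server-side would avoid that dependency, but the block keeps the derivation exactly as the answer gives it.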