Do not let the php file access via browser [duplicate]

1

Hi, I'm having a problem. I'm making a system that generates points for members; to generate them, the member has to wait 30 seconds on a specific page, and after those 30 seconds I use a script to call this file. So there is always a smart guy who likes to look at the source code, and if he finds the file referenced in the script, he puts it in the browser and keeps pressing Enter, generating points without waiting the 30 seconds.

So does anyone have a hint on how I can block this file, so that it only works via JS and on that specific page?

I tested putting this in .htaccess:

<FilesMatch "gerapontos\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

It blocked it right away, but it also blocked my calls to it via JS.

asked by anonymous 13.07.2016 / 18:25

2 answers

2

Here are two alternatives that make life difficult for the "smart guy who likes to look at the source code" in this context.

1 - This guarantees that points can only be generated every 30 seconds:

gerapontos.php:

<?php
session_start();
if(!isset($_SESSION['last_time'])) {
    $_SESSION['last_time'] = time();
}

if(time() - $_SESSION['last_time'] > 30) {
    // generate points
    $_SESSION['last_time'] = time();
}

2 - This guarantees that the user has to go to the initial page and receives points only every 30 seconds. On the main page:

<?php
session_start();
$_SESSION['token'] = md5(time());
if(!isset($_SESSION['last_time'])) {
    $_SESSION['last_time'] = time();
}

In JS, do a POST instead of a GET:

$.post("gerapontos.php", {token: "<?= $_SESSION['token']; ?>"});

gerapontos.php:

<?php
session_start();
if(isset($_POST['token'], $_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {

    if(isset($_SESSION['last_time']) && time() - $_SESSION['last_time'] > 30) {
        // generate points
        unset($_SESSION['token']);
        $_SESSION['last_time'] = time();
    }
}

As @Bacco mentioned, here is a more complete answer, but for a subject that is not as simple as this one.

13.07.2016 / 19:48
0

You can send a POST with a "key" and check it on the page that generates the points. If the key is correct, it generates them; if not, it redirects you to another page or shows an error.

13.07.2016 / 19:27
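As an added example (not code from either answer above), here is a combined, hardened version of the POST-with-token approach that both answers describe, with the 30-second wait enforced by the server clock rather than by the JavaScript timer. Apache cannot distinguish a `$.post` issued by your page's JS from a URL typed into the address bar, since both arrive as ordinary browser requests, so the check has to live in PHP. The functions receive the session as an array so the same file can be run from the CLI as a self-check; the function names, the `page_load` session key and PHP 7 or newer are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: session-bound single-use token plus server-side cooldown.
// The session store is passed in as an array so the logic runs from the CLI;
// in the real pages you pass $_SESSION (see the wiring comment below).

const COOLDOWN_SECONDS = 30;

// Main page: issue a fresh single-use token and record when the page was loaded.
function issue_token(array &$session, int $now): string
{
    // random_bytes() is unpredictable, unlike md5(time()), which anyone who can
    // guess the server clock to the second can reproduce.
    $token = bin2hex(random_bytes(16));
    $session['token']     = $token;
    $session['page_load'] = $now;   // the 30 s are counted from here, on the server
    return $token;
}

// gerapontos.php: returns true when points were granted, false otherwise.
function try_generate_points(array &$session, array $post, string $method, int $now): bool
{
    if ($method !== 'POST') {
        return false;   // a URL typed into the address bar arrives as a GET
    }
    if (!isset($session['token'], $post['token']) || !is_string($post['token'])) {
        return false;   // no page visit in this session, or no token supplied
    }
    if (!hash_equals($session['token'], $post['token'])) {
        return false;   // constant-time string comparison instead of ==
    }
    if (!isset($session['page_load']) || $now - $session['page_load'] < COOLDOWN_SECONDS) {
        return false;   // the wait is enforced by the server clock, not the JS timer
    }
    unset($session['token']);   // single use: replaying the same POST fails
    return true;                // grant the points here
}

// Wiring for the real pages (file names taken from the question):
//   main page:      session_start();
//                   $t = issue_token($_SESSION, time());
//                   echo '<script>setTimeout(function () {'
//                      . ' $.post("gerapontos.php", {token: ' . json_encode($t) . '});'
//                      . ' }, 30000);</script>';
//   gerapontos.php: session_start();
//                   $ok = try_generate_points($_SESSION, $_POST, $_SERVER['REQUEST_METHOD'], time());

function check(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Self-check when run from the command line (php thisfile.php); timestamps are constructed.
if (PHP_SAPI === 'cli') {
    $session = [];
    $t = issue_token($session, 1000);
    check(!try_generate_points($session, ['token' => $t], 'GET', 1031), 'direct GET is refused');
    check(!try_generate_points($session, ['token' => $t], 'POST', 1020), 'POST before 30 s is refused');
    check(!try_generate_points($session, ['token' => 'guess'], 'POST', 1031), 'wrong token is refused');
    check(try_generate_points($session, ['token' => $t], 'POST', 1031), 'valid POST after 30 s is granted');
    check(!try_generate_points($session, ['token' => $t], 'POST', 1031), 'replay of the same POST is refused');
    // Reloading the main page issues a new token and restarts the 30 s wait.
    $t2 = issue_token($session, 1040);
    check(!try_generate_points($session, ['token' => $t2], 'POST', 1050), 'new token before 30 s is refused');
    check(try_generate_points($session, ['token' => $t2], 'POST', 1070), 'new token after 30 s is granted');
    echo "all checks passed\n";
}
```

The key points compared with the answers' snippets: the token is unguessable, it is compared in constant time, it is consumed on the first successful use, and the 30 seconds are measured from the server-side `page_load` timestamp, so neither reloading the file repeatedly nor shortening the client-side timer shortens the wait.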