how to protect access to a php file?

1

Folks, I'm using the jQuery autocomplete plugin. It works perfectly. I use jQuery to call a PHP file that runs the query in the database.

I call it like this:

$("#auto").autocomplete("Busca/Cadastros.php", {
    width: 500,
    multiple: false,
    matchContains: true,
    formatItem: formatItem,
    formatResult: formatResult
});

The problem is that if I type the file's path ('path/Busca/Cadastros.php') into the browser, it runs the query against the DB. How do I block this file, i.e. make it impossible to open from the browser so that only my jQuery call can open it?

Does anyone know how to do this?

    
asked by anonymous 24.11.2016 / 13:22

2 answers

2

If this request is a POST, in PHP you can do this first:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // All your code goes here

}

This way, a GET typed into the browser's address bar will not reach the URL. But I'm looking at other ways too, since someone can do a cURL POST to that URL.

To check that the request is AJAX:

if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {

    // It's AJAX, put your code here.

}

It would be good for your autocomplete to make the request as a POST.

It's hard to think of every check; there will always be a way to get around the process. Guard against what you know about and don't worry so much about the rest.

Backup exists for this. Restore also, which is more important than the backup itself.

Your code via POST, and how to send more parameters in the POST:

In the data parameter you define more variables. Remember that term is what is passed to PHP to search on.

$("#birds").autocomplete({
    source: function (request, response) {
        $.ajax({
            type: "POST",
            url: "Busca/Cadastros.php",
            data: {
                term: request.term,                 // the text typed so far
                outra_variavel: valor_outra_variavel
            },
            dataType: "json",
            success: response                       // hand the JSON array to the widget
        });
    },
    // The options below come from the older autocomplete plugin; the jQuery UI
    // widget ignores them.
    width: 500,
    multiple: false,
    matchContains: true,
    formatItem: formatItem,
    formatResult: formatResult
});
    
24.11.2016 / 13:26
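The two checks in the answer above (REQUEST_METHOD and X-Requested-With) stop the address-bar case from the question, but, as the answer itself says, a cURL POST passes both. What actually decides who may run the query is whether the caller is a logged-in user of the application. The file below is an added example, not the question's or the answerer's code: it combines the answer's checks with a session check, a CSRF token, input limits and a prepared statement. The session keys (user_id, csrf_token), the X-CSRF-Token header name, the cadastros table with its nome column and the PDO credentials are all assumptions.

```php
<?php
// Busca/Cadastros.php, hardened. Added example, not the original poster's file.
// Assumptions (all hypothetical): PHP 7.4+, PDO with MySQL, a login flow that
// sets $_SESSION['user_id'] and $_SESSION['csrf_token'], and a table
// `cadastros` with a `nome` column.
declare(strict_types=1);

session_start();
header('Content-Type: application/json; charset=utf-8');
header('Cache-Control: no-store');

function deny(int $status, string $reason): void
{
    http_response_code($status);
    echo json_encode(['error' => $reason]);
    exit;
}

// 1. Only POST. This blocks the address-bar GET from the question and nothing
//    more: `curl -X POST` passes it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'method not allowed');
}

// 2. Only signed-in users. This is the check that keeps strangers out: without
//    a session cookie obtained through a real login, the query never runs.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}

// 3. CSRF token, so another site cannot drive the user's own browser into this
//    endpoint. The token is issued at login and echoed back by the page's JS,
//    either as an X-CSRF-Token header or as a csrf_token POST field.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ($_POST['csrf_token'] ?? '');
if (!is_string($sent) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $sent)) {
    deny(403, 'bad csrf token');
}

// 4. X-Requested-With is a convenience signal only; any HTTP client can set it.
//    Keep it to reject accidental form posts, never as the sole gate.
$xrw = strtolower($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '');
if ($xrw !== 'xmlhttprequest') {
    deny(400, 'expected an XMLHttpRequest');
}

// 5. Validate the search term: bounded length, and escape the LIKE wildcards
//    so a user cannot turn "%" into "return every row".
$term = $_POST['term'] ?? '';
if (!is_string($term) || strlen($term) < 2 || strlen($term) > 64) {
    echo json_encode([]);
    exit;
}
$pattern = '%' . addcslashes($term, '%_\\') . '%';

// 6. Prepared statement: the term is bound as data, never spliced into SQL.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$stmt = $pdo->prepare('SELECT id, nome FROM cadastros WHERE nome LIKE :p LIMIT 20');
$stmt->execute([':p' => $pattern]);

// jQuery UI autocomplete accepts an array of {label, value} objects.
$rows = [];
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $r) {
    $rows[] = ['label' => $r['nome'], 'value' => $r['nome'], 'id' => (int) $r['id']];
}
echo json_encode($rows);
```

On the client side, the data map from the answer only needs one more entry, for example csrf_token: window.CSRF_TOKEN with the token rendered into the page at login; jQuery already adds the X-Requested-With header to its own $.ajax calls. Checks 1 and 4 are the ones the answer shows; checks 2 and 3 are what stops the cURL case it warns about, and check 6 is what keeps a crafted term from becoming SQL injection regardless of who sent it.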
-1

Ideally, you should not put server files (i.e. PHP) inside the same folder as the application or in its child folders. In that case, the path would be as follows:

$("#auto").autocomplete("../Busca/Cadastros.php", {
    width: 500,
    multiple: false,
    matchContains: true,
    formatItem: formatItem,
    formatResult: formatResult
});

But of course, you need to limit access to anything outside that scope. That way it does not matter whether the access is by GET or POST: if the user tries direct access, they will not be able to.

    
24.11.2016 / 13:30