Hi Manoj,

>   echo "<SCRIPT> document.location = 'include.php' </SCRIPT> ";


I think I could also use:
header('Location: include.php');
// you shouldn't print anything else before the header

Now your flag thing.
In the first place you could check
$_SERVER['HTTP_REFERER']
gives you the page the user came from.

Another thing you could do is:
1) make a unique key ($key=md5(uniqid(rand(),1));)
2a) put that key in a session
--
session_start();
$_SESSION['key']=$key;
--
2b) give it through as flag
header('Location: include.php?key='.$key);

3) Now you can do the check in your include:
--
session_start();
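// Reject when either side is missing; otherwise a direct call with no
// session and no ?key= compares null to null and gets through.
if(empty($_SESSION['key']) || !isset($_GET['key']) || $_SESSION['key']!==$_GET['key'])
{echo 'forbidden to call the script directly'; exit;}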
--

This is safer than the referrer check but still not 100% proof.

The safest way is to put all in one file.

I will give you an example: Show the secret to everyone who filled in Manoj

--
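<?php
// Form and secret page live in one file, so there is no second script
// that could be requested directly.
if(!empty($_POST['username']))
{
         if($_POST['username']!='manoj'){$message='wrong!!!';}
         else
         {
         ?>
         <html>
         <body>
         Secret information in plain html
         </body>
         </html>
         <?php
         exit;
         }
}
?>
<html>
<body>
<?php
if(isset($message)){?><p align='center'><?=$message?></p><?php }
// PHP_SELF can carry user-supplied path info, so escape it before output
?>
<form action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>" method="post">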
username: <input type="text" name="username">
<input type="submit" value="show">
</form>
</body>
</html>
--

Notice: I haven't checked the code above.
You can put the html in the else clause in a separate file and use
the script_name check discussed before.

Best regards,

Bas

-- 
PHP Database Mailing List (http://www.php.net/)
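
The session-key check from steps 1 to 3 above, written out as an added example that is not part of the original message. It assumes PHP 7 or later; issue_key() and check_key() are hypothetical helper names, and $session stands in for $_SESSION so the demo input at the bottom also runs from the command line.

```php
<?php
// Added example, not the poster's code. Helper names are hypothetical.

function issue_key(array &$session): string
{
    // random_bytes() is a CSPRNG; md5(uniqid(rand(), 1)) is guessable.
    $key = bin2hex(random_bytes(16));
    $session['key'] = $key;
    return $key;
}

function check_key(array &$session, array $query): bool
{
    $expected = $session['key'] ?? null;
    $given    = $query['key'] ?? null;
    unset($session['key']);      // single use: a replayed URL fails

    // Both sides must be real strings. Without this, a direct call with
    // no session and no ?key= compares null to null and is accepted.
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Constructed demo input covering the cases the check has to handle.
$session = [];
$key = issue_key($session);
var_dump(check_key($session, ['key' => $key]));    // redirect followed once
var_dump(check_key($session, ['key' => $key]));    // same URL replayed
$none = [];
var_dump(check_key($none, []));                    // include.php called directly
$other = [];
issue_key($other);
var_dump(check_key($other, ['key' => ['x']]));     // ?key[]=x array input
```

In the redirecting page call session_start() and then header('Location: include.php?key='.issue_key($_SESSION)); in include.php call session_start() and exit unless check_key($_SESSION, $_GET) returns true.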