Re: [PHP] Re: limit access to php page

2013-05-30 Thread Jim Giner

On 5/30/2013 10:22 AM, tamouse mailing lists wrote:


So - the include method still works, as would the single script

'controller' method.  Within a php script any file is accessible (within
your domain at least) and may therefore be included and execute.

I want to throw in a caveat here, and that is the open_basedir directive,
which limits where you can include files from.

Once again - an additional truth provided.  In my case, upon checking I 
see that setting was provided by my hoster and was set to null, so I was 
never aware of a possible restriction.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: limit access to php page

2013-05-30 Thread tamouse mailing lists
On May 30, 2013 8:10 AM, "Jim Giner"  wrote:
>
> On 5/29/2013 9:38 PM, tamouse mailing lists wrote:
>
>>
>> Okay, first off, your application *has* to have some entry point that
>> *is* accessible to a browser; otherwise nothing will find it.
>>
>
> Once again - I was wrong in my suggestion as Ashley has pointed out so
correctly.  Had to test it out this morning only to discover that I had
never done quite that kind of Header redirect before.
>
> So - the include method still works, as would the single script
'controller' method.  Within a php script any file is accessible (within
your domain at least) and may therefore be included and execute.

I want to throw in a caveat here, and that is the open_basedir directive,
which limits where you can include files from.

On the other hand, if you must have the target script in your
web-accessible tree, simply establish some kind of security handler and add
logic to your page(s) to check permissions before displaying anything.
 This handler could be based upon session vars, cookies, db entries (my
pref).  Once established it can be a universal addition to any and all of
your appls.
>
> My personal method is to create a db table containing an appl name, page
name, and a non-unique security level (I use an integer).  Then have an
admin screen for creating userids for an appl with multiple recs each
containing a security level for that user for that appl. Then have a signon
method that validates credentials and builds a session array containing all
the user's security levels.  In every page that I want secured, I call a
function with that script's internal pagename and appl name and confirm
that the page's sec level is contained in the user's session array.  I also
have a master level (99) that if present gives global access for myself as
administrator.  There's a bit more to it, but that's my security method.
>
>
>
>


Re: [PHP] Re: limit access to php page

2013-05-30 Thread Jim Giner

On 5/29/2013 9:38 PM, tamouse mailing lists wrote:



Okay, first off, your application *has* to have some entry point that
*is* accessible to a browser; otherwise nothing will find it.



Once again - I was wrong in my suggestion as Ashley has pointed out so 
correctly.  Had to test it out this morning only to discover that I had 
never done quite that kind of Header redirect before.


So - the include method still works, as would the single script 
'controller' method.  Within a php script any file is accessible (within 
your domain at least) and may therefore be included and executed.  On 
the other hand, if you must have the target script in your 
web-accessible tree, simply establish some kind of security handler and 
add logic to your page(s) to check permissions before displaying 
anything.  This handler could be based upon session vars, cookies, db 
entries (my pref).  Once established it can be a universal addition to 
any and all of your appls.


My personal method is to create a db table containing an appl name, page 
name, and a non-unique security level (I use an integer).  Then have an 
admin screen for creating userids for an appl with multiple recs each 
containing a security level for that user for that appl. Then have a 
signon method that validates credentials and builds a session array 
containing all the user's security levels.  In every page that I want 
secured, I call a function with that script's internal pagename and appl 
name and confirm that the page's sec level is contained in the user's 
session array.  I also have a master level (99) that if present gives 
global access for myself as administrator.  There's a bit more to it, 
but that's my security method.




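As an added example of the page-level check Jim describes above (and that tamouse re-quotes), not Jim's own code or anything posted to the list: a page_security table maps (appl, page) to a required level, signon loads the user's levels into the session array, and every secured page asks hasPageAccess() before sending output. The table names, the appl name 'redirects', the required level 5 and the use of pdo_sqlite for the constructed rows are all assumptions made here.

```php
<?php
// Added example, not Jim Giner's code: his appl/page/level check with the
// master level 99. Constructed rows in an in-memory SQLite db stand in for the real tables.
declare(strict_types=1);

const MASTER_LEVEL = 99; // the master level that grants global access

function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE page_security (appl TEXT, page TEXT, sec_level INTEGER)');
    $db->exec('CREATE TABLE user_security (user_id INTEGER, appl TEXT, sec_level INTEGER)');
    // constructed data: redirect.php needs level 5; user 1 holds 5, user 2 holds 3
    $db->exec("INSERT INTO page_security VALUES ('redirects', 'redirect.php', 5)");
    $db->exec("INSERT INTO user_security VALUES (1, 'redirects', 5), (2, 'redirects', 3)");
    return $db;
}

// Signon step: after credentials validate, store every level the user holds,
// keyed by application, in the session array.
function loadUserLevels(PDO $db, int $userId): void
{
    $stmt = $db->prepare('SELECT appl, sec_level FROM user_security WHERE user_id = ?');
    $stmt->execute([$userId]);
    $levels = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $levels[$row['appl']][] = (int) $row['sec_level'];
    }
    $_SESSION['levels'] = $levels;
}

// Page step: true only if the page is registered and the user holds its level
// (or the master level). Unknown pages and a missing session deny by default.
function hasPageAccess(PDO $db, string $appl, string $page): bool
{
    $stmt = $db->prepare('SELECT sec_level FROM page_security WHERE appl = ? AND page = ?');
    $stmt->execute([$appl, $page]);
    $required = $stmt->fetchColumn();      // false when the page is not registered
    $held = $_SESSION['levels'][$appl] ?? [];
    return $required !== false
        && (in_array(MASTER_LEVEL, $held, true) || in_array((int) $required, $held, true));
}

// Demo run from the CLI, so $_SESSION is set up by hand instead of session_start().
$db = openSampleDb(); $_SESSION = [];
loadUserLevels($db, 1);
var_dump(hasPageAccess($db, 'redirects', 'redirect.php'));   // user 1 holds level 5
loadUserLevels($db, 2);
var_dump(hasPageAccess($db, 'redirects', 'redirect.php'));   // user 2 holds only level 3
var_dump(hasPageAccess($db, 'redirects', 'missing.php'));    // unregistered page
```

In a real page the call goes before any HTML is echoed, so a denied request can still get a 403 status and an exit() instead of a half-rendered page.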



Re: [PHP] Re: limit access to php page

2013-05-29 Thread jomali
On Wed, May 29, 2013 at 9:20 PM, Glob Design Info wrote:

> On 5/29/13 6:14 PM, Jim Giner wrote:
>
>> On 5/29/2013 7:11 PM, Tim Dunphy wrote:
>>
>>> Hello list,
>>>
>>>   I've created an authentication page (index.php) that logs into an LDAP
>>> server, then points you to a second page that some folks are intended to
>>> use to request apache redirects from the sysadmin group (redirect.php).
>>>
>>> Everything works great so far, except if you pop the full URL of
>>> redirect.php into your browser you can hit the page regardless of the
>>> login
>>> process on index.php.
>>>
>>> How can I limit redirect.php so that it can only be reached once you
>>> login
>>> via the index page?
>>>
>>> Thank you!
>>> Tim
>>>
>> I would simply place my redirect.php script outside of the
>> web-accessible tree.  The user can never type that uri into his browser
>> and have it work.
>>
>
> I always see this answer a lot but never any sample code of how to include
> that file using require_once() or include_once().
>
> It would be nice to know the exact syntax of inclusion of such files.
>
> Say, for example if I put the login/redirect .php file 3-4 levels up from
> my webroot.
>
> require_once('../../../redirect.php');


Re: [PHP] Re: limit access to php page

2013-05-29 Thread tamouse mailing lists
On Wed, May 29, 2013 at 8:20 PM, Glob Design Info  wrote:
> On 5/29/13 6:14 PM, Jim Giner wrote:
>>
>> On 5/29/2013 7:11 PM, Tim Dunphy wrote:
>>>
>>> Hello list,
>>>
>>>   I've created an authentication page (index.php) that logs into an LDAP
>>> server, then points you to a second page that some folks are intended to
>>> use to request apache redirects from the sysadmin group (redirect.php).
>>>
>>> Everything works great so far, except if you pop the full URL of
>>> redirect.php into your browser you can hit the page regardless of the
>>> login
>>> process on index.php.
>>>
>>> How can I limit redirect.php so that it can only be reached once you
>>> login
>>> via the index page?
>>>
>>> Thank you!
>>> Tim
>>>
>> I would simply place my redirect.php script outside of the
>> web-accessible tree.  The user can never type that uri into his browser
>> and have it work.
>
>
> I always see this answer a lot but never any sample code of how to include
> that file using require_once() or include_once().
>
> It would be nice to know the exact syntax of inclusion of such files.
>
> Say, for example if I put the login/redirect .php file 3-4 levels up from my
> webroot.

Okay, first off, your application *has* to have some entry point that
*is* accessible to a browser; otherwise nothing will find it.

The include/require(_once) directives take as an argument a file path
including file name; there is no requirement they be in the same
directory or lower as the calling file.

So let's take this as an example:

Application/webroot/index.php
Application/includes/redirect.php
Application/includes/login.php

index.php:


This the so-called single script entry style for designing your app. A
consequence of this is that it makes bookmarking a bit different. One
example of this is the PmWiki application. Everything runs through the
main script (in this case it's called pmwiki.php instead of index.php,
but that's immaterial here). Pages in the wiki are given on the path,
such as: http://www.pmwiki.org/wiki/PmWiki/PmWiki, which makes it
bookmarkable and work in the browser history. Others may not; it all
depends on what you want.




Re: [PHP] Re: limit access to php page

2013-05-29 Thread Jim Giner

On 5/29/2013 9:20 PM, Glob Design Info wrote:

On 5/29/13 6:14 PM, Jim Giner wrote:

On 5/29/2013 7:11 PM, Tim Dunphy wrote:

Hello list,

  I've created an authentication page (index.php) that logs into an LDAP
server, then points you to a second page that some folks are intended to
use to request apache redirects from the sysadmin group (redirect.php).

Everything works great so far, except if you pop the full URL of
redirect.php into your browser you can hit the page regardless of the
login
process on index.php.

How can I limit redirect.php so that it can only be reached once you
login
via the index page?

Thank you!
Tim


I would simply place my redirect.php script outside of the
web-accessible tree.  The user can never type that uri into his browser
and have it work.


I always see this answer a lot but never any sample code of how to
include that file using require_once() or include_once().

It would be nice to know the exact syntax of inclusion of such files.

Say, for example if I put the login/redirect .php file 3-4 levels up
from my webroot.

-d

Simply a require statement pointing to the script.  PHP can load 
anything, http can only see the web tree.


I personally have a std. set of code in my scripts that always creates a 
var that points to my document root (web root) and another that points 
to my php folder which is outside of the web root.


As for the location - it need be only one level above or at a level 
parallel but outside of the web root.  My hoster actually sets up their 
accounts with a 'php' folder at the same level as the "public_html" (web 
root) folder.


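An added example tying together tamouse's single-script entry point and Jim's two path variables (web root and a php folder outside it); this is not code from either of them or from the list. It assumes the layout Jim describes for his hoster, a public_html web root with a php folder beside it, and it assumes page names 'login' and 'redirect' and a session key 'user' set by login.php.

```php
<?php
// Added example, not tamouse's or Jim Giner's code: index.php is the only script
// in the web root, and it pulls the real pages in from a folder http cannot see.
// Assumed layout:
//   /home/user/public_html/index.php   (web root, the only URL-reachable script)
//   /home/user/php/login.php           (not reachable by URL, only via require)
//   /home/user/php/redirect.php        (not reachable by URL, only via require)
declare(strict_types=1);

// The two constants Jim describes: the document root and the php folder beside it.
define('WEB_ROOT', rtrim($_SERVER['DOCUMENT_ROOT'] ?? __DIR__, '/'));
define('PHP_DIR', dirname(WEB_ROOT) . '/php');
// tamouse's caveat: if open_basedir is set, PHP_DIR must lie inside one of its
// paths, otherwise the require below fails with an open_basedir restriction.

// Allow-list of pages: the request supplies a key, never a file path, so user
// input never becomes part of the argument handed to require().
const PAGES = [
    'login'    => 'login.php',
    'redirect' => 'redirect.php',
];

function resolvePage(string $requested, bool $loggedIn): string
{
    // Unknown page, or any page other than login without a session: show login.
    if (!array_key_exists($requested, PAGES) || ($requested !== 'login' && !$loggedIn)) {
        return PHP_DIR . '/' . PAGES['login'];
    }
    return PHP_DIR . '/' . PAGES[$requested];
}

session_start();
$page = is_string($_GET['page'] ?? null) ? $_GET['page'] : 'login';
require resolvePage($page, isset($_SESSION['user']));
```

With this layout a request for /redirect.php gets a 404 from the web server, because the file is not under public_html; the only way to reach redirect.php is /index.php?page=redirect with a session that login.php has already populated.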



Re: [PHP] Re: limit access to php page

2013-05-29 Thread tamouse mailing lists
On Wed, May 29, 2013 at 8:14 PM, Jim Giner  wrote:
> On 5/29/2013 7:11 PM, Tim Dunphy wrote:
>>
>> Hello list,
>>
>>   I've created an authentication page (index.php) that logs into an LDAP
>> server, then points you to a second page that some folks are intended to
>> use to request apache redirects from the sysadmin group (redirect.php).
>>
>> Everything works great so far, except if you pop the full URL of
>> redirect.php into your browser you can hit the page regardless of the
>> login
>> process on index.php.
>>
>> How can I limit redirect.php so that it can only be reached once you login
>> via the index page?
>>
>> Thank you!
>> Tim
>>
> I would simply place my redirect.php script outside of the web-accessible
> tree.  The user can never type that uri into his browser and have it work.

Depends on whether the redirect is by header or not; if it is via the
Location header, then the browser has to be able to hit it.

There is, though, a form of application architecture where everything
is run through the index page, and it pulls things in via
include/require as directed.




Re: [PHP] Re: limit access to php page

2013-05-29 Thread Glob Design Info

On 5/29/13 6:14 PM, Jim Giner wrote:

On 5/29/2013 7:11 PM, Tim Dunphy wrote:

Hello list,

  I've created an authentication page (index.php) that logs into an LDAP
server, then points you to a second page that some folks are intended to
use to request apache redirects from the sysadmin group (redirect.php).

Everything works great so far, except if you pop the full URL of
redirect.php into your browser you can hit the page regardless of the
login
process on index.php.

How can I limit redirect.php so that it can only be reached once you
login
via the index page?

Thank you!
Tim


I would simply place my redirect.php script outside of the
web-accessible tree.  The user can never type that uri into his browser
and have it work.


I always see this answer a lot but never any sample code of how to 
include that file using require_once() or include_once().


It would be nice to know the exact syntax of inclusion of such files.

Say, for example if I put the login/redirect .php file 3-4 levels up 
from my webroot.


-d
