1

I want to prevent users from seeing the PHP URL directly in the JavaScript. Example:

$("#searchForm").submit(function () {
    var dataString = $(this).serialize(); // dataString assumed to be built from the form
    $.ajax({
        type: "POST",
        url: "search.php",
        data: dataString,
        cache: false,
        success: function (html) {
            $("#display").html(html).show();
        }
    });
    return false;
});

Is it possible, or is there any way, to prevent users from seeing the PHP URL when they view the source of my page? Sometimes users may try to open the PHP URL directly.

Thanks for the help.

6
  • So you mean like not allowing the user to see a PHP URL? PHP is not available to the user, so even if they tried they wouldn't be able to see it. So can I assume you mean the POST variable, correct? Commented Sep 20, 2012 at 1:28
  • I assume you don't want users to see search.php. It's not possible. Everything JS uses is on the client side, and once something is on the client side, you cannot hide it. Commented Sep 20, 2012 at 1:31
  • @EduardoLávaque no, I mean when a user wants to see the source of my page, he/she can still see the PHP URL in the source. Example in my post's JS: search.php Commented Sep 20, 2012 at 1:32
  • @Jashwant So now how can we prevent the user from opening the PHP URL directly? Commented Sep 20, 2012 at 1:34
  • If your page is on a public server then anyone can get to it at any time with any parameters. It is, after all, public. Commented Sep 20, 2012 at 1:40

3 Answers

3

I (or any client) can still use any number of tools to figure it out (including the built-in debugger in 99% of the browsers built); it's not worth obfuscating it.

If you're concerned about direct access, check for an AJAX request in your script. (Still hackable, but it's a start.) As also provided in a previous answer:

<?php

  $isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
         && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
  if (!$isAjax) die('Unauthorized access');

  /* rest of search.php */

2 Comments

Yep, like Jashwant and Brad said, there isn't actually any way to hide it, and if there is then it's not perfect. :/
Well, the problem here is that some web server configurations don't allow the HTTP_X_REQUESTED_WITH header for security reasons: yiiframework.com/forum/index.php?/topic/…
0

As stated in the comments,

How can we prevent the user from opening the PHP URL directly?

You should create a very long random string (token), store it in the session in your PHP, and pass it to the JS ajax function so that it sends the token along with the ajax request. On the server side you can check whether it's the same token that was generated. You may want to expire the token soon.

I don't know if it's the standard way, but it can give you a start.

1 Comment

The problem with a token is that any information that you pass off to JavaScript can be easily deciphered and imitated. Even if you make a new hash for every request, the algorithm that generates that hash is also visible. Long story short, if you want it protected, don't give the user access or visibility.
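An added example, not code from the question or from any of the answers, of the session token approach this answer describes, used in place of the X-Requested-With header check from the first answer (which, as the comments note, some server configurations strip). It shows both halves: the page that issues the token and embeds it in the form, and search.php checking it with a constant-time comparison and an expiry. The file names page.php and search.php, the 600-second lifetime, the field names q and token, and the form id are assumptions. As the comment above says, this proves only that the request came from a page this server rendered for this session; it does not hide search.php from anyone reading the source.

```php
<?php
// Added example (not from the question or any answer): a per-session search
// token. page.php issues it and embeds it in the markup; search.php checks it.
declare(strict_types=1);

const SEARCH_TOKEN_TTL = 600; // seconds a token stays valid (assumed value)

session_start();

/**
 * Create a fresh token, store it in the session with its issue time, return it.
 * Called by the page that renders the search form.
 */
function issue_search_token(): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $_SESSION['search_token'] = $token;
    $_SESSION['search_token_issued'] = time();
    return $token;
}

/**
 * Compare the submitted token against the session copy in constant time and
 * reject expired tokens. Returns true only when both checks pass.
 */
function verify_search_token(?string $submitted): bool
{
    if ($submitted === null
        || !isset($_SESSION['search_token'], $_SESSION['search_token_issued'])) {
        return false;
    }
    if (time() - (int) $_SESSION['search_token_issued'] > SEARCH_TOKEN_TTL) {
        return false;                          // expired: the page must be reloaded
    }
    // hash_equals avoids leaking the token through comparison timing.
    return hash_equals($_SESSION['search_token'], $submitted);
}

// ---- page.php: render the form with the token embedded (assumed file name) ----
function render_search_page(): void
{
    $token = htmlspecialchars(issue_search_token(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form id="searchForm">
  <input type="text" name="q">
  <input type="hidden" name="token" value="{$token}">
  <button type="submit">Search</button>
</form>
<div id="display"></div>
<script>
$("#searchForm").submit(function () {
    $.ajax({
        type: "POST",
        url: "search.php",
        data: $(this).serialize(),   // includes the hidden token field
        cache: false,
        success: function (html) { $("#display").html(html).show(); }
    });
    return false;
});
</script>
HTML;
}

// ---- search.php: refuse requests without the current token (assumed file name) ----
function handle_search(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !verify_search_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Forbidden');
    }
    $q = $_POST['q'] ?? '';
    // Run the search with $q (validated and parameterised) and echo the HTML fragment.
}

// In page.php call render_search_page(); in search.php call handle_search().
```

Because the token is tied to the server-side session, a direct navigation to search.php without it is refused, and a page on another origin cannot read the token to replay it. A user who reads the page source still sees the URL and the token; the token only lets the server tell "request from my page" apart from "request typed into the address bar".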
0

OK, to make things clear:

  1. Once it's on the client side (the browser) you can't hide it. Users can still download or view the source of what is returned to the client side.
  2. Obfuscating is not really needed, because you just make things complicated without protecting anything.
  3. But anything that is server-side code (PHP) will not be shown, as it is processed on the server side and the server only returns the results of executing the server-side code.

Well, in the case of your problem, what you can do is check whether the $_POST and $_GET parameters are valid when they reach your PHP code, thus making every POST and GET request valid and safe. It's somewhat like this:

<?php
  if (isset($_POST['username']) && isset($_POST['password'])) {
    // everything seems fine
    echo 'ok';
  } else {
    // someone is doing a direct access: redirect to the front page
    header('Location: index.php');
    exit;
  }
?>

or check the session to protect your pages for logged-in users only

<?php
  session_start(); // needed before $_SESSION is available
  if (isset($_SESSION['userid'])) {
    // everything seems fine
    echo 'ok';
  } else {
    // someone is doing a direct access: redirect to the front page
    header('Location: index.php');
    exit;
  }
?>

2 Comments

If I use your 2 ways, OK, now I'm logged in, and what about if I open, for example, search.php (which may contain a query to view any data)?
Well, if the PHP is requested with a valid request method and its parameters, it can still be opened. The answer of @Brad Christie is a good start, but I have encountered many problems with it because of some web server configurations that remove that header.
