2

I want to know if there is any way through which I can restrict access to my controller functions through URL. But I want to give them a call through my link in the site. For example if I have a link in my site which points to a controller function:

<a href='test/function'>Call me</a>

But I don't want the controller function to be called when I place the above URL in my browser address bar. Can anyone help with this?

6
  • the <a> tag is doing exactly what you want to restrict Commented Jan 19, 2013 at 13:19
  • I didn't get you. I want the function to be called when I click "Call me" link. But when I paste the url "mysite/test/function" in my address bar, I don't want the function to be called. Commented Jan 19, 2013 at 13:25
  • 1
    What's the purpose? Are you loading some content via AJAX or something? Then I would recommend using something like a key which you can attach to a data-attribute. Commented Jan 19, 2013 at 13:27
  • @Marcus: Yes, I am loading via AJAX. What do you mean by a key and attribute attached? Commented Jan 19, 2013 at 13:29
  • If you use Ajax, hide the href of this a and set the URL in the js code. Commented Jan 19, 2013 at 14:11

5 Answers

3

This is not possible. Apache, and consequently CodeIgniter, is allowing access to your PHP script to the outside world whether through a manually entered browser URL or through a visited hyperlink. Both scenarios connect to your web application in the exact same way, but they just get there differently.

You can allow access to only your CodeIgniter scripts (i.e. prevent public users from accessing a controller) by using:

if ( ! defined('BASEPATH')) exit('No direct script access allowed');

As Marcus has pointed out, you could use something like:

if (empty($_SERVER['HTTP_REFERER'])) $this->redirect('/home');

But it's often very inconsistent.


2

Solution: put this code at the beginning of every controller method

if (defined('BASEPATH') && !$this->input->is_ajax_request()) 
    exit('No direct script access allowed'); 

1 Comment

Nice, but the user can still alter the AJAX request and make a mess if that function works globally. For example, a global function to update, which receives the name of a table and other parameters that can be easily changed through Google developer tools. Did I go too far?
0

As you stated in the comment that you want to load the link via AJAX:

Your markup:

<a href="test/function" data-key="abc">

Your jquery:

$('a').on('click',function(){
    var data = $(this).data('key');
    $('#result').load($(this).attr("href") + '?key=' + data);
});

Then in your CodeIgniter controller, you check to see if your key is present and matches ("abc"), else you return a 403 or something similar.

Also, you could of course check the $_SERVER['HTTP_REFERER'] to see where the user came from (this is however quite easily spoofed) and only allow access when the GET-request is made from your own site.
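
A hardened variant of the key check described above, added here as an example and not part of the original answer: instead of a fixed "abc", the key is an HMAC of the controller path under a per-session secret, compared with `hash_equals`. The function names and the `$session` array (standing in for the session store) are assumptions.

```php
<?php
// Added example with hypothetical helper names; plain PHP, no framework needed.

/** Create the per-session secret once and return it. */
function session_secret(array &$session): string
{
    if (empty($session['link_secret'])) {
        $session['link_secret'] = bin2hex(random_bytes(32));
    }
    return $session['link_secret'];
}

/** Key to place in the link's data-key attribute for one controller path. */
function issue_link_key(array &$session, string $path): string
{
    return hash_hmac('sha256', $path, session_secret($session));
}

/** True only when the supplied key matches this session and this path. */
function verify_link_key(array $session, string $path, $supplied): bool
{
    if (!is_string($supplied) || empty($session['link_secret'])) {
        return false;                          // no key or no session: deny
    }
    $expected = hash_hmac('sha256', $path, $session['link_secret']);
    return hash_equals($expected, $supplied);  // constant-time comparison
}

// --- Constructed demonstration data ---
$alice = [];                                   // stands in for $_SESSION
$key   = issue_link_key($alice, 'test/function');
$other = [];                                   // a different visitor's session
issue_link_key($other, 'test/function');

$cases = [
    'link click with key'         => verify_link_key($alice, 'test/function', $key),
    'URL pasted without key'      => verify_link_key($alice, 'test/function', null),
    'static guess "abc"'          => verify_link_key($alice, 'test/function', 'abc'),
    'key reused on other path'    => verify_link_key($alice, 'test/update', $key),
    'key reused in other session' => verify_link_key($other, 'test/function', $key),
];
foreach ($cases as $label => $ok) {
    printf("%-30s %s\n", $label, $ok ? '200 allowed' : '403 denied');
}
```

In a CodeIgniter controller the supplied value would come from `$this->input->get('key')`. A visitor can still replay a URL that carries their own valid key, so the check rejects key-less and cross-session requests but does not replace authorization on the action itself.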


0

This really helped. I also added this as an added check

$allowed_host = gethostname();
$host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
if(substr($host, 0 - strlen($allowed_host)) != $allowed_host)
  $this->redirect('/home');


0
In view: `<input type="hidden" value="1" name="back">`

Put inside your function in Controller:

if (($this->input->post('back')) == 1)
{
    echo " what you want do here";
}
else
{
    $this->load->view('template', array('welcome_page'));
}

Form validation you will put inside this if condition. This will definitely work.
