0

I'm using a jquery script that uploads files with ajax and PHP. It sends a request to upload_a_file.php which then uploads files.

Is there a way that I can make sure upload_a_file.php is not loaded directly in a browser?

I tried putting upload_a_file.php above my public_html folder. But I can't seem to get JavaScript to load upload_a_file.php.

Here is the url format I use in the javascript to request upload_a_file.php:

../upload_a_file.php

Is it even possible to access files above public_html with javascript?

3
  • Is there a reason why you should disallow direct access? Commented Oct 14, 2011 at 19:29
  • So files can't be directly uploaded via upload_a_file.php Commented Oct 14, 2011 at 19:32
  • @animuson's comment below nailed it. Commented Oct 14, 2011 at 19:51

6 Answers

4

JS cannot access anything on a server that you yourself as a user cannot. If a file is outside of the site's document root, it is NOT accessible by a user, or by JS. Imagine the fun place the web would be if JS could magically bypass access restrictions on a server and grab any more. "Aww, I was going to grab this bank's accounts list, but it's not in the document root. Good thing I've got Javascript, it can do everything!"

It'd be like every episode of 24, where "patching into the subnet" can magically bypass any firewall and get data from machines which aren't even online or (better yet) not even powered up. Amazing things, those subnets.


1 Comment

I am seriously laughing out loud as I read that. Thanks for pointing out the ludicrous concept I had. :)
2

You can check that the HTTP header X_REQUESTED_WITH is present and has a value of XMLHttpRequest. This is a non-standard header, but most JavaScript frameworks, including jQuery, Prototype, and MooTools, follow this convention.

In PHP you can access it via $_SERVER['HTTP_X_REQUESTED_WITH'];

for example:

// Only proceed when the request carries the header that XHR libraries add.
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')
{
    // do something
}

5 Comments

  • Headers can be faked really easily though.
  • But it's not foolproof, and the proper answer is that it's impossible to do this with 100% reliability.
  • Very true. I was only thinking from an application point of view and not a security point of view.
  • It's really impossible to guarantee the source of a file considering any part of the process could be faked. Even if you could guarantee that only your JavaScript could upload files (via some sort of private key authentication), someone could just manipulate your JavaScript. This header and validating the referrer are just simple things you can do to reduce your risk.
  • You really don't need to run this check. A proper system would be able to handle an upload request whether it was submitted to the actual page or via AJAX. The form should submit to the actual page in the event JavaScript is disabled; you shouldn't be forbidding access to it.
0

The JavaScript is running in the browser. It makes its requests through the browser. So, no, there's no way to access a page through Ajax but not directly from the browser.


0

No, not directly. You can call another script (PHP or whatever) that will either "call" your script with include or, e.g., with fopen or curl.

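The "call your script with include" idea above is the usual way to get what the question asks for: the upload logic lives in a file above public_html, which no URL can reach, and the only file the web server serves is a thin entry point that pulls it in through the filesystem. This is an added example, not code from any answer here; the directory layout, the constant name UPLOAD_ENTRY and the form field name `file` are assumptions.

```php
<?php
// ---- public_html/upload_a_file.php  (the URL the jQuery script requests) ----
// Added example. Assumed layout:
//   /home/site/public_html/upload_a_file.php   <- served by the web server
//   /home/site/private/upload_handler.php      <- above public_html, no URL maps to it
//   /home/site/uploads/                        <- also above public_html
define('UPLOAD_ENTRY', true);                       // marker the private file checks for
require __DIR__ . '/../private/upload_handler.php'; // filesystem path, not a URL

<?php
// ---- private/upload_handler.php  (outside the document root) ----
// Refuse to run unless pulled in through the public entry point, so the file
// stays inert even if it is ever copied into public_html by mistake.
if (!defined('UPLOAD_ENTRY')) {
    http_response_code(403);
    exit;
}

// Uploads are stored outside the document root too, so a file named
// something.php can never be executed by requesting it.
define('UPLOAD_DIR', __DIR__ . '/../uploads');

// Returns the stored path, or null when the upload is rejected.
function store_upload(array $file): ?string
{
    // $file is one entry of $_FILES. Only accept a completed, genuine upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Never reuse the client-supplied file name: pick a random one, no extension.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16));
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

header('Content-Type: application/json');
$stored = isset($_FILES['file']) ? store_upload($_FILES['file']) : null; // 'file' is an assumed field name
echo json_encode(['ok' => $stored !== null]);
```

Two things the question mixes up: the `../upload_a_file.php` string in the JavaScript is a URL resolved relative to the page's URL, so it can only ever name something inside the document root, whereas the `__DIR__ . '/../private/...'` string in PHP is a filesystem path and is free to climb above public_html. Requesting `/private/upload_handler.php` from a browser simply returns 404, because the web server has no mapping for it.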

0

Nothing can access files above public_html, because the web server will not serve them. Doing so would have obvious security vulnerabilities, like being able to view any file on your filesystem.

If you want to restrict the file to only being able to be loaded via your JavaScript, I would think you'd want to look at the $_SERVER['HTTP_REFERER'] variable in PHP. This should be set to the page the JavaScript is located on when it is being accessed properly. If it is anything else or empty, the user is accessing it in some other manner.

Using this method shouldn't be relied on for security however, because the referer can be spoofed with the right tools.


0

Since direct browser access to a page is a GET request by PHP, here is a very basic access control method to keep someone from inadvertently going directly to upload_a_file.php:

In your jQuery script, use an Ajax request with type "POST":

$.ajax({
    url:      "../upload_a_file.php",
    dataType: "json",
    type:     "POST"
});

and use this in your upload_a_file.php:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // upload a file
} else {
    header("Location: http://example.com/myPublicUploadPage.php");
    die();
}

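The X-Requested-With answer, the HTTP_REFERER answer and the POST-only answer each describe one gate, and their comments point out that every one of them can be forged by a client outside a browser. Below is an added example (not code from any of the answers) that puts those three gates together and adds the one check the thread only alludes to with "some sort of private key authentication": a random token tied to the session, embedded in the hosting page and sent back with each upload, which a page on another site never gets to see. It assumes PHP 7+, a site origin of https://example.com, and that the jQuery uploader posts the token in a form field named `upload_token`; all of those names are assumptions.

```php
<?php
// Added example, not from the thread. Gates a request to upload_a_file.php:
// POST only, X-Requested-With, Origin/Referer, and a session-bound token.
// None of this makes the script unreachable; it only rejects requests that
// did not originate from your own page in a browser.
session_start();

// Call this when rendering the page that hosts the uploader and embed the
// result in the page (e.g. in a data-attribute the jQuery code reads).
function issue_upload_token(): string
{
    if (empty($_SESSION['upload_token'])) {
        $_SESSION['upload_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['upload_token'];
}

// Reduce Origin or Referer to "scheme://host[:port]" so it can be compared
// exactly, rather than with a prefix test that "https://example.com.evil.net" would pass.
function origin_of(string $url): string
{
    $p = parse_url($url);
    if (!isset($p['scheme'], $p['host'])) {
        return '';
    }
    return $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
}

// Returns [] when the request passes, otherwise the names of the failed gates.
function upload_request_problems(array $server, array $post, array $session, string $site_origin): array
{
    $problems = [];

    // 1. Typing the URL into the address bar is a GET; the uploader always POSTs.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        $problems[] = 'method';
    }

    // 2. jQuery adds this header to XHR calls. Trivially forged by curl, so it
    //    only separates accidental visits from real uploads.
    if (strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'xmlhttprequest') {
        $problems[] = 'x-requested-with';
    }

    // 3. Browsers send Origin on cross-site POSTs and usually Referer on same-site
    //    ones; a script on another site cannot set either to your origin.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if (origin_of($source) !== $site_origin) {
        $problems[] = 'origin';
    }

    // 4. Session-bound token: the check a third-party page cannot satisfy,
    //    because it never sees the value your page embedded. Constant-time compare.
    $expected = $session['upload_token'] ?? '';
    $given    = $post['upload_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        $problems[] = 'token';
    }

    return $problems;
}

$problems = upload_request_problems($_SERVER, $_POST, $_SESSION, 'https://example.com');
if ($problems !== []) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'rejected', 'failed' => $problems]);
    exit;
}

// Only now look at $_FILES: validate size and type and store it outside the document root.
```

Gates 1 to 3 are defence in depth and nothing more; gate 4 is the one that actually stops another site from driving your uploader through a victim's browser, which is the realistic risk behind the question. Two caveats when deploying it: a strict Referrer-Policy or a privacy extension can strip Referer, so same-site requests with neither header would fail gate 3 unless you relax it to "reject only when a header is present and mismatches"; and the token does nothing against a user who is deliberately scripting uploads against their own session, which, as the comments say, cannot be prevented and should be handled by validating the uploaded file itself.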
