[RESOLVED] Check request came from local server?

djalecc

Hi Peeps 🙂

Hope everyone is having a merry christmas 😃

I'm just looking to find if there is a quick easy way to check inside a script if the request that triggered that script came from the local server, or another script running on the server...?

Problem:

I have a script that requires a xml script to be fetched, lets call the script that requires this script A.

I have a script, called script B that outputs the required information.

so, script A calls on script B for the info, problem is, if I call script A from any other site the info is also available to them.

I want to stop anyone else typing www.mydomain.com/script_B.php and it outputting the xml, unless the call came from the server! 🙂

:queasy:

bradgrafelman

if(__FILE__ == realpath($_SERVER["SCRIPT_FILENAME"])) 
    die('This file can not be accessed directly!');

NOTE: In case it's not clear, 'FILE' isn't something you're supposed to replace with a filename - it's a magic constant native to PHP.

djalecc

Thanks for posting,

It doesn't seem to work, I can't access the file by typing the URL anymore, but it seems the script A can't access it either. 😕

Any ideas?

bradgrafelman

How did you use it? It worked fine for me. Simple test:

file1.php:

<?php
if(__FILE__ == realpath($_SERVER["SCRIPT_FILENAME"])) die('same file');

echo "<hr>script 1<hr>";
?>

file2.php:

<?php
include 'file1.php';
?>

Output was as expected - 'script 1'.

NogDog

Should you apply realpath() to FILE as well, do you think (e.g., in case it's a symbolic link or such)?

djalecc

Thanks, I overcame the problem doing it another way...

When script 2 asks for data from script 1, it now passes a PHPSESSID along with it, which as it happens is already stored in the database for that user.

Script 2 receives the phpsessid via

$sess = $_REQUEST['sessid'];

Then checks the database to see if its there, if not, no page,😉 if it is, page is shown!🙂

Not what I wanted, but pretty secure as the phpSessid is always changing.

bradgrafelman

Just to respond to NogDog...

Originally I had realpath() applied to both, but did a bit of research and concluded that it was unnecessary for the FILE magic constant because of this ([man]language.constants.predefined[/man]) manual page discussing the constant:

PHP Manual wrote:
The full path and filename of the file. If used inside an include, the name of the included file is returned. Since PHP 4.0.2, FILE always contains an absolute path with symlinks resolved whereas in older versions it contained relative path under some circumstances.