Hi guys,
How's it going?
I have a problem and maybe someone can help me.
I have some files on the server which are protected using htaccess. My problem is that I have a form (php) which will be used by clients to submit some data and this form accesses some files which are protected (e.g. controller.php where I'm querying the db to check if the email is in the database and other types of functionality). Is there a way to specify that those protected files should be accessible if they are accessed from my form? Otherwise request password or something similar?
What are my options in order to be able to protect my files but still let them be accessed by the form (which is available for users)?
I posted my question here since my code is written in php, I am sorry if this is not the right place.
Thank you very much for your time.
Apache (lamp) .htaccess question
7 Replies - 1833 Views - Last Post: 06 September 2012 - 02:27 AM
Replies To: Apache (lamp) .htaccess question
#2
Re: Apache (lamp) .htaccess question
Posted 05 September 2012 - 06:37 AM
for .htaccess there is no difference if your form tries to access the file or anyone else. both types are regular HTTP requests (there might be a possibility to exclude GET, but not POST, though that’s no guarantee either).
maybe the better possibility is to use an accessible Front Controller that accesses those files after verifying that the request is indeed coming from your form (e.g. by session, login or a validation code)
#3
Re: Apache (lamp) .htaccess question
Posted 05 September 2012 - 07:47 AM
Never being one to question Dormilich, unless I am missing something, could you not do something like:
```
order deny,allow
deny from all
allow from 11.11.11.11
```
Where 11.11.11.11 is your web server's IP?
Not 100% sure if this would work or not, I am sure an Apache guru will correct me!
Edit: Obviously you are using a form and I somehow managed to miss that. Although Ajax may still allow you to do this?
This post has been edited by KingCuddles: 05 September 2012 - 07:50 AM
#4
Re: Apache (lamp) .htaccess question
Posted 05 September 2012 - 08:29 AM
Bocard, on 05 September 2012 - 02:57 PM, said:
My problem is that I have a form (php) which will be used by clients to submit some data and this form accesses some files which are protected (e.g. controller.php where I'm querying the db to check if the email is in the database and other types of functionality).
Do you really need to protect that controller.php?
Why don't you just check if( isset($_POST['submit']) ) and die('Some error') / redirect the user if not? I usually don't protect my php files via htaccess to avoid these kinds of problems.
This post has been edited by StefanOnRails: 05 September 2012 - 08:30 AM
#5
Re: Apache (lamp) .htaccess question
Posted 05 September 2012 - 10:54 AM
Thank you all for the replies, I will see what I can do... So far I haven't decided how to approach this.
StefanOnRails, on 05 September 2012 - 05:29 PM, said:
Bocard, on 05 September 2012 - 02:57 PM, said:
My problem is that I have a form (php) which will be used by clients to submit some data and this form accesses some files which are protected (e.g. controller.php where I'm querying the db to check if the email is in the database and other types of functionality).
Do you really need to protect that controller.php?
Why don't you just check if( isset($_POST['submit']) ) and die('Some error') / redirect the user if not? I usually don't protect my php files via htaccess to avoid these kinds of problems.
I can't do that since some of the functionality of the Controller.php is returning some values from the db to Ajax to let the user know if his email is in our system or not. If it's not, he can't use it.
#6
Re: Apache (lamp) .htaccess question
Posted 05 September 2012 - 01:01 PM
@KingCuddles: for the server there is no difference between a form’s request and an AJAX’s request.
#7
Re: Apache (lamp) .htaccess question
Posted 05 September 2012 - 01:05 PM
As indicated in the topic, this is an Apache question, & not a php coding question. Moving to Web Servers & Hosting.
#8
Re: Apache (lamp) .htaccess question
Posted 06 September 2012 - 02:27 AM
Bocard, on 05 September 2012 - 07:54 PM, said:
I can't do that since some of the functionality of the Controller.php is returning some values from the db to Ajax to let the user know if his email is in our system or not. If it's not, he can't use it.
So your data is sent via Ajax? OK, I see 2 possible solutions for your issue:
- Add your 'submit' value to your POST list manually:
```
$("form#user_form").submit(function(){
    var form_data = $(this).serializeArray();
    form_data.push({name: 'submit', value: true});
    $.post("your_page.php", form_data, function(data){ /* ... */ });
    return false;
});
```
and then you can check if( isset($_POST['submit']) ). On second thought, if your request is sent immediately after the user enters the e-mail (so you don't press the submit button), you can add custom variables inside your $.post function:
```
$.post("your_page.php", {yourVarName: "someValue"}, function(data){ /* ... */ });
```
and then, of course, you can check if the PHP var $_POST['yourVarName'] is set.
- Solve the problem server-side by adding the following check:
```
// Block non-Ajax access
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    // ...
} else {
    die('Non-Ajax');
}
```
I read somewhere that the second approach works only because JavaScript libraries such as jQuery send that request header, so it may not work if your Ajax request is sent via pure JavaScript (however, I never tested without jQuery, so it may not be entirely true).
This post has been edited by StefanOnRails: 06 September 2012 - 02:37 AM
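Added example, not part of any post in this thread: a sketch of the session-based validation code suggested in reply #2. A POST field or the X-Requested-With header can be set by any HTTP client, whereas a random token stored in the session ties the request to a visitor who actually loaded the form. The function names, the `form_token` field and the 15-minute lifetime are assumptions made for illustration.

```php
<?php
// Added example (not code from the thread). Function names, the 'form_token'
// field and the 15-minute lifetime are assumptions for illustration.

// Called by the public form page: create a random token and remember it
// in the visitor's session (pass $_SESSION after session_start()).
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    $session['form_token_time'] = time();
    return $session['form_token'];
}

// Called at the top of controller.php before any database query.
function verify_form_token(array $session, $submitted, int $maxAge = 900): bool
{
    if (!is_string($submitted) || empty($session['form_token'])) {
        return false;                       // no token issued or none sent
    }
    if (time() - ($session['form_token_time'] ?? 0) > $maxAge) {
        return false;                       // token too old
    }
    // Constant-time comparison of the stored and submitted values.
    return hash_equals($session['form_token'], $submitted);
}

// Constructed demonstration: a plain array stands in for $_SESSION and
// each entry stands in for the $_POST data of one request.
$session = [];
$token = issue_form_token($session);

$requests = [
    'form with token'       => ['form_token' => $token],
    'only submit field set' => ['submit' => 'true'],
    'guessed token'         => ['form_token' => str_repeat('0', 64)],
];
foreach ($requests as $label => $post) {
    $ok = verify_form_token($session, $post['form_token'] ?? null);
    echo str_pad($label, 24), $ok ? "accepted\n" : "rejected\n";
}
```

In a real deployment the form page would embed the token in a hidden field or a JavaScript variable, the Ajax call would send it along with the e-mail, and controller.php would call `session_start()` followed by `verify_form_token($_SESSION, $_POST['form_token'] ?? null)` before touching the database.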