0

I have a website project where the right hand side of each page is being called from the includes folder that contains an input field and a button. Once the user clicks on the button a php script is run and depending on the result from the script the user is redirected to a thankyou-success.php or a thankyou-failure.php file. These files are located in the root folder. I would like to prevent the user from directly typing the url to these paths and seeing the success or failure message directly. How can the user be prevented from such direct access?

At the moment I am redirecting to the files as follows:

<?php
// if this email was found in our database
if ($count == 1) {
    header('Location: thankyou-success.php');
} else {
    // echo "Cannot send Confirmation link to your e-mail address";
    header('Location: thankyou-failure.php');
}
exit; // stop the script after the redirect so nothing after it is executed or sent

The two php files being called are exactly the same except for the text message displayed. I have removed the <head> tag to keep things simple and clear. The content of the file is as follows:

<body>
    <!-- header start here -->
    <?php include("includes/header.php") ?>
    <!-- header end here -->

    <!-- page title start here -->
    <section id="pagetitle-container">
        <div class="row">
            <div class="twelve columns">
                <div id="pagetitle-border">
                    <div id="breadcrumb">
                        <ul>
                            <i class="fa fa-caret-right"></i> &nbsp;
                            <li><a href="index.php">Home</a></li>
                        </ul>
                    </div>
                    <p>&nbsp;<br></p>
                    <div class="twelve columns">
                        <p>Unable to send the activation email to the email address provided. Please confirm and try again.</p>
                    </div>
                </div>
            </div>
        </div>
    </section>
    <!-- page title end here -->

    <!-- content section start here -->
    <section id="content-wrapper">
        <div class="row">
        </div>
    </section>
    <!-- content section end here -->

    <footer>
        <?php include("includes/footer.php") ?>
    </footer>

    <script>$('#noscript').remove();</script>

    <!-- pageloader part 2 start -->
    <!-- pageloader part 2 ends -->
</body>
</html>
Sarah
  • Use sessions. If the session is set, allow the user to access the page; otherwise not. – Gowri Mar 26 '14 at 06:30
  • ^ rather than cop the overhead of using sessions, just set a variable in your main script and check for it at the top of any included files, as per the first response here: http://stackoverflow.com/questions/1340001/deny-direct-access-to-all-php-files-except-index-php – flauntster Mar 26 '14 at 06:34
  • Can you give us a brief idea on what is actually there in the `thankyou-failure.php` and `thankyou-success.php`? That way I can suggest a method for easy denying direct access. – Tzar Mar 26 '14 at 06:47
  • @Tzar please see the `Edit` in the question above for these details. – Sarah Mar 26 '14 at 06:59

2 Answers

0

You can move these files outside your web root and include them from the PHP script that runs on button click.

Your docroot is defined in your web server configuration. Assuming your docroot is /var/www/website/public, you need to move the files that you do not want direct access to somewhere outside this folder like: /var/www/website/files/. Then, from your main script you need to include these files rather than redirecting the user:

main.php:

<?php
// Build the path from this file's location, not from the URL, so it still
// resolves when the script is reached through any route.
if ($success) {
  include(dirname(__FILE__) . '/../files/thankyou-success.php');
} else {
  include(dirname(__FILE__) . '/../files/thankyou-failure.php');
}
mesutozer
  • Can you explain this further please? – Sarah Mar 26 '14 at 06:33
  • This won't work either! The user is redirecting to those php files! Means his php files contain the complete code. How will it work then? – Tzar Mar 26 '14 at 06:39
  • That should not be a problem if nothing is printed on the current page. That can be accomplished according to the design. – mesutozer Mar 26 '14 at 06:41
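The move-outside-the-docroot approach written out as a complete handler. This is an added example, not the answerer's code. It assumes the layout from the answer (/var/www/website/public as docroot, /var/www/website/files holding the two result templates), a form field named `email`, a handler at public/process.php, and replaces the question's database lookup with a constructed list of known addresses so it runs offline. It also defines a constant the templates can test, which is the guard suggested in the comments on the question.

```php
<?php
// public/process.php  (assumed path; docroot is /var/www/website/public)
// Added example of the include-instead-of-redirect approach; not the answer's code.
// The result templates live in /var/www/website/files/, outside the docroot,
// so no URL maps to them and they can only be reached through this script.

// This script is for form submissions only; send a bare GET back to the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: index.php');
    exit;
}

// Templates check for this constant, so they also refuse to run if they are
// ever copied back under the docroot by mistake.
define('APP_ENTRY', true);

$email = isset($_POST['email']) ? trim($_POST['email']) : '';

// Constructed stand-in for the question's database lookup ($count == 1);
// in the real script this is a prepared statement against the users table.
$knownEmails = ['alice@example.com', 'bob@example.com'];
$found = in_array(strtolower($email), $knownEmails, true);

// Resolve the template directory relative to this file, not to the URL.
$templateDir = realpath(dirname(__DIR__) . '/files');
$template    = $found ? 'thankyou-success.php' : 'thankyou-failure.php';

if ($templateDir === false || !is_file($templateDir . '/' . $template)) {
    http_response_code(500);
    exit('Result template missing.');
}

// Anything set here is visible inside the template; escape it when printing.
$message = $found
    ? 'An activation link has been sent to your e-mail address.'
    : 'Unable to send the activation email to the email address provided. Please confirm and try again.';

include $templateDir . '/' . $template;
exit;
```

The template is the markup from the question with two additions: `<?php if (!defined('APP_ENTRY')) { http_response_code(404); exit; } ?>` as the very first line, and `<?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?>` in place of the hard-coded paragraph. Because the template is rendered inside process.php's own request, process.php must not print anything before the include, which is the point mesutozer makes in the comments; the trade-off is that the browser stays on process.php, so a refresh re-submits the form rather than reloading a thank-you URL.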
0

One way is to use $_SESSION. On submit of your form, you can do:

session_start(); // $_SESSION is only available after the session has been started
$_SESSION['result'] = TRUE;

And in thankyou-success.php, you can do:

session_start(); // must run before any output, or the session cookie cannot be sent
if (!empty($_SESSION['result'])) {
  echo "Success";
  unset($_SESSION['result']); // one-time flag: consumed on first view
}
else {
  echo "How did you get here?";
}
msound
  • This won't work... Once the session is set, the user can still access the file directly! – Tzar Mar 26 '14 at 06:37
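The session approach from this answer, carried through as a one-shot flag that the result page consumes and that expires. This is an added example, not the answerer's code. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params`), a helper file at includes/result_guard.php in the question's includes folder, and that index.php is the page to fall back to; the function names are invented for the example.

```php
<?php
// includes/result_guard.php  (assumed file; added example, not the answer's code)
//
// A one-shot session flag: the form handler records the outcome and redirects,
// the result page consumes the flag once and refuses to render without it.

// Start the session exactly once, with cookie flags that keep the session id
// away from scripts and, on HTTPS, off plain-HTTP requests.
function result_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// Called by the form handler after the database check.
function result_set(bool $success, string $redirectTo): void
{
    result_session_start();
    $_SESSION['result'] = [
        'success' => $success,
        'issued'  => time(),
    ];
    header('Location: ' . $redirectTo);
    exit; // nothing after the redirect may run or be sent
}

// Called at the very top of thankyou-success.php (expected = true) or
// thankyou-failure.php (expected = false), before any HTML is output.
// The flag is removed as soon as it is read, so a refresh or a typed-in URL
// finds nothing to consume, and a success flag cannot render the failure page.
function result_consume(bool $expected, int $maxAgeSeconds = 300): void
{
    result_session_start();
    $result = $_SESSION['result'] ?? null;
    unset($_SESSION['result']);

    $valid = is_array($result)
        && $result['success'] === $expected
        && (time() - $result['issued']) <= $maxAgeSeconds;

    if (!$valid) {
        // Direct access: send the visitor to the home page instead of the message.
        header('Location: index.php');
        exit;
    }
}

// Usage in the form handler, replacing the two header() calls in the question:
//   require __DIR__ . '/includes/result_guard.php';
//   $ok = ($count == 1);
//   result_set($ok, $ok ? 'thankyou-success.php' : 'thankyou-failure.php');
//
// Usage as the first lines of thankyou-success.php (use false in the failure page):
//   <?php require __DIR__ . '/includes/result_guard.php'; result_consume(true); ?>
```

This answers the objection raised in the comment: the flag is set only by the handler, is deleted on the first request that reads it, and is ignored once it is older than five minutes, so the result pages render exactly once per submission and behave like the home page on any later or direct visit.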