
I have a form.php whose action calls a sql.php file like:

SQL.PHP

if ($_REQUEST['action'] == "add") {
}
if ($_REQUEST['action'] == "edit") {
}

I'd like to prevent direct access, because a user can call it from the browser URL: http://sql.php?action=add. One way is to check if it is a submit. It seems to work well.

if( isset($_POST['Submit']) && ($_POST['Submit'] == "Submit") )
{
    echo "direct access not allowed";
}

Are there better alternatives?

user2307958

2 Answers

Use the $_SERVER['HTTP_REFERER'] array to detect if someone is accessing your page directly by typing it into the browser, or coming from another one of your pages, by use of links from a page.

So, basically.

// HTTP_REFERER holds a full URL (or is absent), so compare its path, not the bare file name
if (isset($_SERVER['HTTP_REFERER'])
    && parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH) === '/about.php') {
    // let user do something
}

So, the $_SERVER['HTTP_REFERER'] global stores information on the pages you visit, and if you echo that code in your page, it will tell you which page you are coming from. Meaning, if you only typed the page and accessed it, it will give a 0/false value.

So, you can use it to detect if someone is directly typing the page or coming from one of your pages.


As others have indicated already, using tokens and sessions would be a better idea since this method can be manipulated. So, I recommend you google them.

  • Referrers can easily be spoofed. – j08691 May 20 '13 at 03:00
  • @j08691 I could recommend him sessions also, but for a newbie this would be a basic/good choice. But I'll throw in a mention of sessions –  May 20 '13 at 03:01
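As an added example, not code from the question or either answer, here is the session-token approach the comments above point to: form.php mints a random token and sql.php rejects any request that is not a POST carrying that token. The file names and the add/edit actions come from the question; the token name, the function names and the two-files-in-one-listing layout are my own assumptions.

```php
<?php
// ---- form.php (conceptually a separate file) ----
session_start();

// Mint one random token per session and embed it in the form as a hidden field.
function render_form(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    $token = htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8');
    return '<form method="POST" action="sql.php">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<input type="hidden" name="action" value="add">'
         . '<input type="submit" name="Submit" value="Submit">'
         . '</form>';
}

// ---- sql.php (conceptually a separate file; it also calls session_start()) ----
// Allow the request only if it is a POST carrying this session's token.
// A URL typed into the browser arrives as a GET without a token, so it is
// rejected; unlike HTTP_REFERER, the token cannot be guessed by the client.
function request_is_allowed(string $method, array $post, array $session): bool {
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session['form_token']) || empty($post['form_token'])) {
        return false;
    }
    // hash_equals compares in constant time, so timing does not leak the token.
    return hash_equals($session['form_token'], (string) $post['form_token']);
}

if (!request_is_allowed($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION)) {
    http_response_code(403);
    exit('direct access not allowed');
}

switch ($_POST['action'] ?? '') {
    case 'add':
        // ... insert the row ...
        break;
    case 'edit':
        // ... update the row ...
        break;
    default:
        http_response_code(400);
        exit('unknown action');
}
```

The same token check is what a CSRF defence looks like, so it also stops another site from submitting the form on a logged-in user's behalf, which a referer or submit-button check does not.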

It should be if(!isset($_POST['Submit'])). Also, if you use method="POST", it does not show your parameters like ?action=add in the browser. method="GET" does.

Amir