Prevent Direct access to PHP file using AJAX

I want to prevent direct access to a certain PHP file called prevented.php. My logic is that I have a main file, let's call it index.php, and it generates a token and stores it in a $_SESSION variable. I also have another file called def.php which is called using AJAX, and it passes the token from index.php to def.php, and if the $_SESSION['token'] is equal to the $_POST['token'] it defines a _DEFVAR and returns true, otherwise it returns false. After I call def.php and it returns true, I redirect to prevented.php via JavaScript using location.href="prevented.php". At the top of the prevented.php file there is code which checks whether _DEFVAR is defined or not. If not, it dies with a message like invalid, otherwise it displays the content of the prevented.php file. But for some reason I always get the invalid message and I don't know why. Any idea how to reach prevented.php without accessing the page directly?

Here's my code:

index.php

<?php
  $_SESSION["token"] = hash_hmac('sha256', "tokenString", "t2o0k0e0n3"); // Creates a hashed token
?>
<script>
    $.ajax({
      type: "POST",
      url: "def.php",
      data: {
         token: '<?php echo $_SESSION["token"]; ?>'
      },
      cache: false,
      success: function(data) {
          console.log (data);
          if (data) {
            console.log (data + ' valid');
          } else {
            console.log (data + ' invalid');
          }
          location.href = "prevented.php";
      },
      error: function () {
        console.log('error');
      }
   });
</script>

def.php

<?php
    session_start();
    if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) {    
       echo false;
       die('invalid in def');
    } else {
      define('_DEFVAR', 1);
      echo true;
      die ('valid in def');
    }
?>

prevented.php

<?php
   include "def.php";
   if (defined('_DEFVAR')) {
    die ('valid in prevented'); // instead of this I would show the content of the page
   } else {
       die ('invalid in prevented');
   }
?>
almost 3 years ago · Juan Pablo Isaza

Your code is unnecessarily overcomplicated. If your intent is merely to ensure that visitors to protected.php have first visited index.php then all you need to do is create a session flag in one and check for its existence in the other. There is no need for any AJAX or any form POSTs. The innate behavior of PHP sessions already gives you this functionality.

index.php:

<?php
session_start();
$_SESSION['flag'] = true;
?>
<a href="protected.php">click here for the protected page</a>

protected.php:

<?php
session_start();
if ($_SESSION['flag'] ?? false) {
    echo "you have previously visited index.php";
} else {
    echo "you have not previously visited index.php";
}
?>
almost 3 years ago · Juan Pablo Isaza
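
Added example, not part of the question or the answer above: a constant created with define() exists only for the request that defined it, so whatever def.php decides has to be carried to prevented.php in the session. The sketch keeps the question's token check but records the result as a session flag; the function names and the `$session` array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: $session stands in for $_SESSION so the flow can be run
// from the CLI; in a real page call session_start() and pass $_SESSION instead.

// index.php step: issue an unpredictable token for this session.
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(32));
    unset($session['token_ok']);          // a new token resets earlier approval
    return $session['token'];
}

// def.php step: compare in constant time and record success in the session.
// The token is consumed on first use, so a replayed POST is rejected.
function validate_token(array &$session, ?string $posted): bool
{
    $expected = $session['token'] ?? null;
    unset($session['token']);
    $ok = is_string($expected) && is_string($posted)
        && hash_equals($expected, $posted);
    if ($ok) {
        $session['token_ok'] = true;      // survives into the next request
    }
    return $ok;
}

// prevented.php step: read the session flag, not a define()d constant.
function can_view(array $session): bool
{
    return ($session['token_ok'] ?? false) === true;
}

// Constructed walk-through of the requests, one call per HTTP request.
$session = [];
var_dump(can_view($session));                   // direct visit, nothing validated
issue_token($session);
var_dump(validate_token($session, 'guessed'));  // POST with a wrong token
var_dump(can_view($session));
$token = issue_token($session);
var_dump(validate_token($session, $token));     // POST with the issued token
var_dump(can_view($session));
var_dump(validate_token($session, $token));     // same token sent a second time
```

The question's `hash_hmac('sha256', "tokenString", "t2o0k0e0n3")` produces the same value for every visitor, which is why this version draws the token from `random_bytes()` per session.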