如何prevent PHP页面被直接访问？ [英] How to prevent a PHP page from being accessed directly?

问题描述

下面是我使用一个AJAX脚本的一部分一个JavaScript片段。我如何prevent user_back_end_friends.php被直接访问？我不希望人们能够去domain.com/user_back_end_friends.php~~V，看到好友列表。

Below is a javascript snippet that I am using as part of a AJAX script. How do I prevent user_back_end_friends.php from being accessed directly? I don't want people to be able to go to domain.com/user_back_end_friends.php and see a list of friends.

Javascript的code：

Javascript Code:

<script type="text/javascript">
    $(document).ready(function() {
        $("#user_friends").tokenInput("/user_back_end_friends.php", {
            theme: "sometheme", userid: "<?php echo $id; ?>"
        });
    });
</script>

这是我发现了什么，但不知道如何使用JavaScript code以上实现它：

This is what I found but not sure how to implement it with the javascript code above:

我用这个页面我需要调用它：

I use this in the page I need to call it in:

$included=1;include("user_back_end_friends.php");

当我不得不prevent直接访问我使用的：

When I have to prevent direct access I use:

if(!$included){ die("Error"); }

但我怎么添加这个$包含的脚本在我的JavaScript code部分？

But how do I add this $included part of the script in my javascript code?

推荐答案

有保护的javascript code没有意义的，你需要保护只在服务器端code。

There is no point in protecting javascript code, you need to protect only the server-side code.

总之，我觉得你的做法是不正确的;如果你已经有一个登录用户/用户ID，我只是将使用用户ID从会话，而不是由的JavaScript提供的用户ID。这样，有没有办法任何人都可以篡改它。

Anyway, I think your approach is not the right one; if you already have a logged-in user / a user ID, I would just use the user ID from the session instead of a user ID that is supplied by the javascript. That way there is no way anybody can tamper with it.

所以，你可以与你的开始页面：

So you could start your page with:

session_start();
if (isset($_SESSION['user_id'))
{
  // do stuff with the user ID
}
else
{
  // display error message?
}

这篇关于如何prevent PHP页面被直接访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！