Stopping a piece of PHP from being accessed unless it is being called by something...

Bes

Hi

I have a PHP file which does some work with MagickWand based on a load of parameters passed to it by a form. It returns an altered image.

Is there a way I can configure Apache or the PHP so nothing can actually access the PHP code and make it do any processing unless it is called explicitly by a certain page (or pages from a certain directory)? I ask as I can see it being open to some abuse as things stand...

Thanks
 
There are a few forms (Only about 3 or 4 at the most) that access page.php.

They do this by including it in image tags and sending a number of parameters within the image tag (i.e. <img src="page.php?a=1&b=44&c=5">) etc. The parameters are built up as the user wishes using a JavaScript-based form, so all the values are sanity checked, etc. before being passed on. The PHP then uses MagickWand to manipulate an image as per the parameters. The PHP code then returns the image in the image tags above.

I get what you are saying Dj_Jestar, so if I just have the MagickWand lines inside a file outside the reach of the public, then make PHP call it, I should be safe, as no one can run the code?

The only danger I still see is that someone can then just type into the address bar the URL of the PHP page, insert some massive values, or launch a DoS attack, and bring down my app... I can see how a session can prevent this, but not your method.

Thanks
 
Thanks for the great discussion guys, will go with the suggestion further up (nonces?).
I have to sanitise the input at the JavaScript level so the user can see exactly what they are submitting (this is done by defaulting to what I think the user wants if they go outside the bounds of the input for fields where numerical stuff is needed, plus I am blocking non 0-9 characters, etc.). I am also going to flood-control anything that calls the dangerous PHP file to prevent more than 1 request every 2 seconds or so.

Does this method mean I don't have to do any sanitising on my PHP, as the only way the user can hit the page is by submitting the correct token? Or is it possible for a user to spoof the token once inside the session, and send my dangerous PHP file massive values?
 
Ok thanks

Unfortunately, due to the nature of my site, Ajax is pretty important to get everything looking nice and intuitive, but I am putting everything the user needs in divs, so should JavaScript be disabled, all the stuff should still load at the bottom of the screen, and most of it will work! (The site will be slightly crippled without it though).
 
Soldiers = pages. APC = Controller or Webserver.

I didn't realise the page would be used as an image source. Seems daft to need this security on the image source, instead of needing it on the page requiring the image in the first place.

But the point is that someone could just call the image source regardless, and as it takes CPU time to process images (and it can be a lot if loads of parameters are passed), it could quite easily be used as the basis of a DoS attack. I just want to lock it down so only valid requests can be processed.
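
Added example, not part of any post in this thread and not the poster's code: a server-side guard for a script like page.php that combines the session token, the flood control of about one request every 2 seconds, and range checks on the a, b and c parameters mentioned in the thread. The `token` parameter name, the session keys and the numeric limits are assumptions.

```php
<?php
// Added example: guard for an image-generating script such as page.php.
// Session keys, the 'token' parameter and the numeric limits are assumptions.

const MIN_INTERVAL = 2.0; // seconds between accepted requests per session
const LIMITS = [          // hypothetical allowed range for each parameter
    'a' => [0, 10],
    'b' => [0, 360],
    'c' => [1, 100],
];

/**
 * Returns [httpStatus, params]. params is only filled on 200.
 * $session is passed by reference so the caller can hand in $_SESSION.
 */
function guard_image_request(array $query, array &$session, float $now): array
{
    // 1. Token issued by the form page must match; hash_equals avoids timing leaks.
    $expected = $session['img_token'] ?? '';
    $given = $query['token'] ?? '';
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return [403, []];
    }
    // 2. Flood control: a valid token holder can still hammer the script.
    if ($now - ($session['img_last'] ?? 0.0) < MIN_INTERVAL) {
        return [429, []];
    }
    // 3. Bounds checks run server-side; the JavaScript checks are bypassed
    //    by anyone who types the URL by hand.
    $params = [];
    foreach (LIMITS as $name => [$min, $max]) {
        $value = filter_var($query[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($value === false) {
            return [400, []];
        }
        $params[$name] = $value;
    }
    $session['img_last'] = $now; // only count requests that will be processed
    return [200, $params];
}

// Constructed sample: a session as the form page would have set it up.
$session = ['img_token' => bin2hex(random_bytes(16))];
$ok  = guard_image_request(['token' => $session['img_token'], 'a' => '1', 'b' => '44', 'c' => '5'], $session, 100.0);
$big = guard_image_request(['token' => $session['img_token'], 'a' => '1', 'b' => '999999', 'c' => '5'], $session, 103.0);
$bad = guard_image_request(['token' => 'guess', 'a' => '1', 'b' => '44', 'c' => '5'], $session, 106.0);
echo $ok[0], ' ', $big[0], ' ', $bad[0], PHP_EOL;
```

In the real script the call would take `$_GET`, `$_SESSION` and `microtime(true)`, and the MagickWand code would run only on a 200 result.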
 