Stopping a piece of PHP from being accessed unless it is being called by something...

Bes · 8 Apr 2008 at 23:31

Hi

I have a php file which does some work with MagickWand based on a load of parameters passed to it by a form. It returns an altered image.

Is there a way I can configure Apache or the PHP so nothing can actually access the PHP code and make it do any processing unless it is called explicitly by a certain page (or pages from a certain directory)? I ask as I can see it being open to some abuse as things stand....

Thanks

Bes · 9 Apr 2008 at 00:54

Butters said:
Do you know about PHP sessions?

No I'm quite new to PHP.

Bes · 9 Apr 2008 at 12:09

Thanks all... The token approach sounds pretty bulletproof to me.

Bes · 9 Apr 2008 at 12:16

jdickerson said:
.... Nothing's bulletproof But that is a pretty neat solution.

No but no one is gonna care enough to bother trying to crack it

Bes · 9 Apr 2008 at 22:10

There are a few forms (Only about 3 or 4 at the most) that access page.php.

They do this by including it in image tags and sending a number of parameters within the image tag (i.e. <img src="page.php?a=1&b=44&c=5">) etc. The parameters are built up as the user wishes using a Javascript- based form, so all the values are sanity checked, etc before being passed on. The PHP then uses magickWand to manipulate an image as per the parameters. The php code then returns the image in the image tags above.

I get what you are saying Dj_Jestar, so if I just have the MagickWand lines inside a file outside the reach of the public, then make PHP call it, I should be safe, as no one can run the code?

The only danger I still see is that someone can then just type into the address bar the URL of the PHP page, insert some massive values, or launch a DOS attack, and bring down my app... I can see how a session can prevent this, but not your method.

Thanks

Bes · 9 Apr 2008 at 23:44

Thanks for the great discussion guys, will go with the suggestion further up (nonces?).
I have to sanitise the input at the Javascript level so the user can see exactly what they are submitting (This is done by defaulting to what I think the user wants if they go outside the bounds of the input for fields where numerical stuff is needed, plus I am blocking non 0-9 characters, etc). I am also going to flood- control anything that calls the dangerous php file to prevent more than 1 request every 2 seconds or so.

Does this method mean I don't have to do any sanitising on my PHP, as the only way the user can hit the page is by submitting the correct token? or is it possible for a user to spoof the token once inside the session, and send my dangerous php file massive values?

Bes · 9 Apr 2008 at 23:52

Good point, hadn't thought that the user could just disable js!

Bes · 10 Apr 2008 at 00:28

Ok thanks

Unfortunately, due to the nature of my site, Ajax is pretty important to get everything looking nice and intuitive, but I am putting everything the user needs in divs, so should javascript be disabled, all the stuff should still load at the bottom of the screen, and most of it will work! (The site will be slightly crippled without it though).

Bes · 10 Apr 2008 at 12:57

Dj_Jestar said:
Soldiers = pages. APC = Controller or Webserver.

I didn't realise the page would be used as an image source. Seems daft to need this security on the image source, instead of needing it on the page requiring the image in the first place.

But the point is that someone could just call the image source regardless, and as it takes CPU time to process images (And it can be a lot if loads of parameters are passed), could quite easily be used as the basis of a DOS attack. I just want to lock it down so only valid requests can be processed.