stop direct access (.htaccess) and allow ajax request to subfolder

情书的邮戳 2020-12-20 01:42

I am trying to stop direct access to subdirectories and the php files within subdirectories. I've added the following code below to the .htaccess file within the subdirec

5 answers
  • 2020-12-20 02:19

    You can use mod_rewrite to restrict access to all but certain files in a directory. Add this to the .htaccess in that directory.

    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !(jsonp)|(ws)|(ajax)
    RewriteRule .* - [R=404,L]
    

    Just replace the jsonp ws ajax with the name of your files.

  • 2020-12-20 02:25

    If your ajax function accesses some file that is inside that folder, you can't, as the AJAX call is a request sent from the client browser.

  • 2020-12-20 02:31

    I would put apache directives aside, and -perhaps- focus on a php-based solution:

    1. Make sure your file containing the jquery ajax call has a ".php" extension. (Of course, inside that file, all jquery must be contained within <script> and </script> tags.)

    2. Inside your jquery function just before the ajax call, type that:

      <?php $_SESSION["allow"] = "granted" ?>

      (php tags run even if they are contained in "script" tags)

    3. Open your ajax (php) file and at the very top type this:

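    <?php
     session_start();
     // Stop unless the flag set by the calling page is present and has the expected value.
     // (The original used &&, which let a set-but-wrong value through.)
     if (!isset($_SESSION['allow']) || $_SESSION['allow'] != "granted") { die(); }
     // Consume the flag so it cannot be reused by a later request.
     unset($_SESSION['allow']);
    
     (...rest of your php code here...)
    
    ?>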
    

    ... and you are Done!

    P.S. Naturally, you may (or better: should) rename the sessions and give them different or more complex values, but I was just trying to point out the basic idea... Happy coding!

  • 2020-12-20 02:35

    I found the simplest solution using a session.

    • project_folder
      • index.php
      • sub_dir
        • db_config.php

    Suppose you want to restrict direct access to your db_config.php.

    You can do it like this: open your index.php in the root and add this as the first line of your code:

    $sess = session_start();
    $_SESSION["nuclear_weapon_key"] = "lolva";
    

    Now go to sub_dir, open db_config.php and add this at the top of the page:

    $sess = session_start();
    if(isset($_SESSION['nuclear_weapon_key']) && $_SESSION['nuclear_weapon_key'] === "lolva"){ } else{ echo "LOL"; die();}
    

    Repeat this for whatever ajax/jquery-containing file(s) you have.

    It worked for me.

  • 2020-12-20 02:43

    Put this code in your DOCUMENT_ROOT/.htaccess file:

    RewriteEngine On
    
    ## disable direct access (but allow internal or AJAX requests)
    RewriteCond %{HTTP_REFERER} !^$ 
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/ [NC] 
    RewriteRule ^subdir(/|$) - [F,NC]
    

    Replace www.domain.com by your own domain name.

    Note that this uses %{HTTP_REFERER} header to do this blocking and it is possible to manipulate this header value.

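Added example (not part of any answer above, and not the posters' code): the session-flag idea from the third and fourth answers, reworked into a per-session random token that the jQuery call sends back in a request header and the endpoint compares in constant time. The function names, the `ajax_token` session key, the `X-Ajax-Token` header and the file name are assumptions chosen for illustration.

```php
<?php
// Shared include, e.g. sub_dir/ajax_guard.php (hypothetical file name).

// Call from the page that renders the jQuery code, before any output is sent.
// Embed the returned value in the AJAX call as an "X-Ajax-Token" header
// (hypothetical header name), escaped with htmlspecialchars().
function issue_ajax_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['ajax_token'])) {
        // Unpredictable per-session value instead of a fixed string like "granted".
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// Pure check on plain arrays so it can be exercised without a web server.
function ajax_token_is_valid(array $session, array $server): bool
{
    $expected = $session['ajax_token'] ?? '';
    $supplied = $server['HTTP_X_AJAX_TOKEN'] ?? '';
    return is_string($expected) && is_string($supplied)
        && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Call at the very top of each AJAX endpoint in the subdirectory.
function require_ajax_token(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!ajax_token_is_valid($_SESSION, $_SERVER)) {
        http_response_code(403);
        exit;
    }
}

// Constructed sample values; run with `php ajax_guard.php` on the command line.
if (PHP_SAPI === 'cli') {
    $session = ['ajax_token' => str_repeat('ab', 32)];
    var_dump(ajax_token_is_valid($session, ['HTTP_X_AJAX_TOKEN' => str_repeat('ab', 32)])); // header matches
    var_dump(ajax_token_is_valid($session, []));                    // direct hit, header absent
    var_dump(ajax_token_is_valid([], ['HTTP_X_AJAX_TOKEN' => ''])); // no token in the session
}
```

Unlike the Referer header, the token is tied to server-side session state. It still only shows that the request came from a session that loaded the page, so each endpoint needs its own authorization checks as well.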