how to prevent PHP's file_get_contents( )

Backend · Unresolved · 4 · 1663
攒了一身酷 2021-01-14 17:23

one of my PHP pages returns data like this:


but someone else uses file_get_contents() to get m

4 answers
  • 2021-01-14 17:32

    You can also use sessions. If somewhere in your application, before the user gets the JSON data, you start a session, then in the page where you are outputting the JSON data you can check for the session variable. This way only users that have passed through the session generator page can view your output. Suppose you have a page A.php that generates the session. Use this code before outputting anything in this page.

    <?php
    session_start();
    $_SESSION['approvedForJson'] = true;   // mark this session as allowed to fetch the JSON
    

    Then in the page where you are outputting the JSON data, before outputting anything, call session_start() again. The beginning of your PHP code is a good place to call it. Then, before outputting the JSON data, check whether the session variable for approved users exists or not.

    if ( isset($_SESSION['approvedForJson']) && $_SESSION['approvedForJson'] ) {
        echo "json data";
    } else {
        http_response_code(403);   // bad request: session was never approved
        exit;
    }
    
  • 2021-01-14 17:32

    You could also use .htaccess with Apache to block every external request to the page if it gets called internally, or block every request that is not from your domain:

    Google search thingie

    EDIT
    You could also use a PHP file which includes the file that cannot be read directly. So, for example, you have file.php:

    <?php
     $allowedFiles[] = 'somefile.php';
     $allowedFiles[] = 'someotherFile.php';
     $allowedFiles[] = 'jsonReturnFile.php';
     // default to '' when the parameter is missing; the third argument makes the comparison strict
     if(in_array($_GET['file'] ?? '', $allowedFiles, true)){
      include( "include/".$_GET['file'] );
     }
    ?>
    

    Then you can allow file_get_contents() on that file and write a RewriteRule in your .htaccess to disallow any request to the include/ folder.

    RewriteRule ^include/ - [F,NC]
    

    That will return a 403 forbidden error for a request to that directory or any file in the directory.

    Then you can do your JSON request to something like: file.php?file=jsonReturnFile.php&someothherParamReadByJsonFile=1

    And when someone tries to get the file contents for the JSON file they will get the forbidden error, and getting the file contents for the include.php won't return anything useful.

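    The dispatcher idea from this answer, written out as an added example (not the answerer's code): file.php includes only allow-listed names, and each file under include/ carries a guard so that a direct request is refused even on a server where the .htaccess rule is missing. The file names, the APP_ENTRY constant and the JSON body are assumptions.

```php
<?php
// File: file.php (added example, not the answerer's code). A front controller
// that only includes files from an allow-list, plus the guard each included
// file carries so direct requests to include/ are refused even where the
// .htaccess rule is absent. File names and the APP_ENTRY constant are assumptions.
declare(strict_types=1);

define('APP_ENTRY', true);          // included files refuse to run without this

$allowedFiles = [
    'somefile.php',
    'someotherFile.php',
    'jsonReturnFile.php',
];

// basename() drops any directory part, so "../x.php" can never match;
// the third argument makes in_array() use strict (===) comparison.
$requested = basename((string) ($_GET['file'] ?? ''));
if (!in_array($requested, $allowedFiles, true)) {
    http_response_code(404);        // unknown name: behave as if it does not exist
    exit;
}

require __DIR__ . '/include/' . $requested;

// ---------------------------------------------------------------------------
// File: include/jsonReturnFile.php
// A direct request never passes through file.php, so APP_ENTRY is undefined there.
if (!defined('APP_ENTRY')) {
    http_response_code(403);        // same outcome as the .htaccess [F] rule
    exit('Forbidden');
}

header('Content-Type: application/json');
echo json_encode([
    'ok'    => true,
    'param' => $_GET['someothherParamReadByJsonFile'] ?? null,
]);
```

    The two parts belong in two files, as the comments mark. The in-code guard does not replace the .htaccess rule; it is a second layer that holds if the rewrite module is disabled or the rule is mistyped, and an allow-list with strict comparison means a request can only ever reach one of the three named files.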
  • 2021-01-14 17:33

    You can use $_SERVER['REMOTE_ADDR'] to get the client's address. You can also check $_SERVER['HTTP_REFERER'] and block external requests that way, but it's less reliable. There are probably a few other techniques involving $_SERVER that you can try.

  • 2021-01-14 17:52

    You're fighting an uphill battle here. I am assuming your server-side process that responds in JSON is being consumed via JavaScript in your users' browsers... so there is no easy way to encrypt it. You might try some of the techniques used to prevent XSRF (see http://en.wikipedia.org/wiki/Cross-site_request_forgery ). If you developed the client to pass along some session token that is unique per client you could reduce some of the problem. But, chances are whoever is stealing your data is gonna figure out whatever mechanism you put in place ... assuming this is some sort of AJAX type thing. If it's a server-server thing then, as sli mentions, setting up some restrictions based on the remote IP would help, plus setting up some sort of API authentication tokens would help even more (see OAuth for some pointers).

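    The per-client session token this answer suggests, together with the REMOTE_ADDR and API-token checks from the answer above it, as one added example (not code from any answer on this page). The header names, the peer IP list, the environment variable holding the API token and the file names are all assumptions.

```php
<?php
// Added example, not code from any answer on this page. It combines the
// session-token idea (browser/AJAX callers) with a remote-IP allow-list plus
// API token (server-to-server callers). Header names, the IP list, the
// environment variable and file names are assumptions.
declare(strict_types=1);

// ---- File: A.php: the page whose JavaScript will later fetch the JSON ----
session_start();
if (empty($_SESSION['json_token'])) {
    $_SESSION['json_token'] = bin2hex(random_bytes(32));   // unique per session, unguessable
}
// The page's JS reads this tag and sends the value back in an X-Json-Token header.
echo '<meta name="json-token" content="'
    . htmlspecialchars($_SESSION['json_token'], ENT_QUOTES, 'UTF-8') . '">';

// ---- File: data.php: the JSON endpoint ----
session_start();

$serverAllowList = ['203.0.113.10'];                  // constructed example peer IP (TEST-NET-3)
$apiToken        = getenv('JSON_API_TOKEN') ?: '';    // shared secret, kept out of the code

$sentSessionToken = $_SERVER['HTTP_X_JSON_TOKEN'] ?? '';
$sentApiToken     = $_SERVER['HTTP_X_API_TOKEN'] ?? '';
$remoteIp         = $_SERVER['REMOTE_ADDR'] ?? '';

// Browser caller: must have visited A.php in this session and echo its token back.
// hash_equals() compares in constant time, so the comparison leaks nothing via timing.
$browserOk = isset($_SESSION['json_token'])
    && $sentSessionToken !== ''
    && hash_equals($_SESSION['json_token'], $sentSessionToken);

// Server caller: listed source address AND the shared API token.
$serverOk = $apiToken !== ''
    && in_array($remoteIp, $serverAllowList, true)
    && hash_equals($apiToken, $sentApiToken);

if (!$browserOk && !$serverOk) {
    http_response_code(403);
    exit;
}

header('Content-Type: application/json');
echo json_encode(['data' => 'json data']);
```

    The two parts are separate files, as the comments mark. The Referer header is deliberately not used, since the client sets it. Note that behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, so the IP allow-list then has to be enforced at the proxy, or the forwarded-for header must be trusted only when it is known to come from that proxy.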