Hi Manoj,
> echo "<SCRIPT> document.location = 'include.php' </SCRIPT> ";
I think I could also use:
header('Location: include.php');
// you shouldn't print anything else before the header
Now your flag thing.
In the first place you could check
$_SERVER['HTTP_REFERER']
gives you the page the user came from.
Another thing you could do is:
1) make a unique key ($key=md5(uniqid(rand(),1));)
2a) put that key in a session
--
session_start();
$_SESSION['key']=$key;
--
2b) give it through as a flag
header('Location: include.php?key='.$key);
3) Now you can do the check in your include:
--
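session_start();
// Refuse unless both keys exist and the key in the URL matches the one in the session
if (!isset($_SESSION['key'], $_GET['key']) || $_SESSION['key'] !== $_GET['key']) {
    echo 'forbidden to call the script directly';
    exit;
}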
--
This is safer than the referrer check but still not 100% proof.
The safest way is to put all in one file.
I will give you an example: Show the secret to everyone who filled in Manoj
--
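<?php
// Only evaluate the name once the form has been submitted
if (!empty($_POST['username'])) {
    if ($_POST['username'] != 'manoj') {
        $message = 'wrong!!!';
    } else {
?>
<html>
<body>
Secret information in plain html
</body>
</html>
<?php
        exit; // stop here so the form below is not sent as well
    }
}
?>
<html>
<body>
<?php if (isset($message)) { ?><p align='center'><?= $message ?></p><?php } ?>
<?php // PHP_SELF can contain text supplied in the request path, so escape it ?>
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>" method="post">
username: <input type="text" name="username">
<input type="submit" value="show">
</form>
</body>
</html>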
--
Notice: I haven't checked the code above.
You can put the html in the else clause in a separate file and use
the script_name check discussed before.
Best regards,
Bas
--
PHP Database Mailing List (http://www.php.net/)
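
The key check from steps 1) to 3) above, as an added example that is not part of the original message: it swaps md5(uniqid(rand(),1)) for random_bytes(), compares with hash_equals(), and makes the key single use. The function names issue_key, redirect_target and check_key are hypothetical, and $session / $query stand in for $_SESSION / $_GET so the file runs from the command line.

```php
<?php
// Added example, not code from the original message; function names are hypothetical.
// $session stands in for $_SESSION and $query for $_GET so this runs with `php file.php`.

// Steps 1 + 2a: create an unpredictable key and remember it in the session.
function issue_key(array &$session): string
{
    $key = bin2hex(random_bytes(16));   // CSPRNG output instead of md5(uniqid(rand(),1))
    $session['key'] = $key;
    return $key;
}

// Step 2b: the redirect target that carries the key as a flag.
function redirect_target(string $key): string
{
    return 'include.php?key=' . rawurlencode($key);
}

// Step 3: the check that belongs at the top of include.php.
function check_key(array &$session, array $query): bool
{
    $expected = $session['key'] ?? null;
    $given    = $query['key'] ?? null;
    unset($session['key']);             // single use: the same URL cannot be replayed
    // A missing value, or key[]=x arriving as an array, is rejected outright.
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);  // comparison that does not leak timing
}

// Constructed walk-through of the cases the include has to tell apart.
$session = [];
$key = issue_key($session);
parse_str((string) parse_url(redirect_target($key), PHP_URL_QUERY), $query);

var_dump(check_key($session, $query));  // request that followed the redirect
var_dump(check_key($session, $query));  // the same URL requested a second time

$fresh = [];
var_dump(check_key($fresh, []));        // include.php called directly, no key anywhere

$other = [];
issue_key($other);
var_dump(check_key($other, ['key' => ['x']]));  // key sent as an array, not a string
```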