Home/ Questions/Q 8993799
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T23:16:32+00:00

I’ve a PHP document, let’s say jsonarray.php. This file returns the json_encode of an

  • 0

I’ve a PHP document, let’s say jsonarray.php.

This file returns the json_encode of an associative array when some parameters are given.
I need to forbid an unwanted user to access and use this file for his own purposes.

Is this possible?

In addition, I want to specify that it is a client-side request, which I make in a JavaScript code.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    if you are looking this from another PHP file, you can set BASEPATH constant there & add the following line in top of all the files you need to protect:

    defined('BASEPATH') OR exit('No direct script access allowed');

    so if the file is accessed from that particular file, BASEPATH is set & everything works. But incase of some url directly tried to access, script would terminate.

    If you are calling it this from Javascript — other option is
    to add nonce token to every javascript request which is basically a randomly generated unique token that is valid for single request. see Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for more details.

    here is a example taken from here:

        function create_api_key(){
        return base64_encode(base64_encode($this->encrypt(time().'X'.$_SERVER['REMOTE_ADDR'])));
    }

    function check_api_key($key,$timeout=5){
        if(empty($key)){ exit('Invalid Key'); }

        $keys=explode('X',$this->decrypt(base64_decode(base64_decode($key))));

        if (isset($key) && isset($keys[0]) && $keys[0] >= (time()-$timeout) &&
        isset($keys[1]) && $keys[1] == $_SERVER['REMOTE_ADDR']){
            return true;
        }else{
            return false;
        }
    }

    function encrypt($value){
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, 'SECURE_KEY', $value, MCRYPT_MODE_ECB, $iv);
    }

    function decrypt($value){
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, 'SECURE_KEY', $value, MCRYPT_MODE_ECB, $iv));
    }
}

$csrf = new csrf_check();

if(!empty($_GET['do'])){

    $do = $_GET['do'];
    switch($do){
            //example.com?do=get - a key for the request
        case "get":
            echo $csrf->create_api_key();
            break;

        case "check":
            //key only lasts 30 secs & validate key passed
            //example.com?do=get&key=MEV6NXk4UjVRQXV5Qm1CMjBYa3RZZUhGd2M0YnFBUVF0ZkE5TFpNaElUTT0=
            if(!empty($_GET['key']) && $csrf->check_api_key($_GET['key'],30)){
                exit('Key valid');
            }else{exit('Key invalid');}
            break;

        default:
            exit('Request invalid');
            break;
    }
}

    • 0