avoid calling php script

Posted 13/03/2008, 03:55   #1
H u g o H i r a m

Hello

I have a swf that runs a PHP script that generates a XML, on the PHP is
there any way to detect if the file is being called from the swf or from
the browser? because I want to avoid the file being run directly from
the browser or from any other file than the swf.

regards,
Hugo.
Posted 13/03/2008, 04:36   #2
John Comerford

Maybe the get_Browser function could tell you if it's from the .swf?

http://us.php.net/manual/en/function.get-browser.php


H u g o H i r a m wrote:
> Hello
>
> I have a swf that runs a PHP script that generates a XML, on the PHP
> is there any way to detect if the file is being called from the swf or
> from the browser? because I want to avoid the file being run directly
> from the browser or from any other file than the swf.
>
> regards,
> Hugo.
>


  Réponse avec citation
Posted 13/03/2008, 05:15   #3
Steve Edberg

At 3:55 AM +0100 3/13/08, H u g o H i r a m wrote:
>Hello
>
>I have a swf that runs a PHP script that generates a XML, on the PHP
>is there any way to detect if the file is being called from the swf
>or from the browser? because I want to avoid the file being run
>directly from the browser or from any other file than the swf.
>
>regards,
>Hugo.



You might want to check the HTTP_REFERER value; test the program from
a browser and the swf, and see what happens. Alternatively you could
use a GET parameter like

http://example.com/yourscript.php?calledby=swf

Be aware that anything sent back from the client can be spoofed - and
HTTP_REFERER can be altered or disabled - so it probably wouldn't be
hard for someone to make it appear to your script that it is being
called by your SWF.

If you're really concerned about restricting the communication
between the Flash movie and your server, there might be some way to
build a challenge-response mechanism into the flash; I don't know
much about it.

If, on the other hand, you just don't want to confuse someone who
might accidentally run the XML-generating script from the browser,
checking a GET parameter as above is probably the safest. If it's not
set properly, redirect the user, eg:

    if (!isset($_GET['calledby']) || $_GET['calledby'] != 'swf') {
        header('Location: http://example.com/thecorrectpage.html');
        exit();
    }
    ...

- steve

--
+--------------- my people are the people of the dessert, ---------------+
| Steve Edberg http://pgfsun.ucdavis.edu/ |
| UC Davis Genome Center sbedberg@ucdavis.edu |
| Bioinformatics programming/database/sysadmin (530)754-9127 |
+---------------- said t e lawrence, picking up his fork ----------------+
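
One way to go beyond the Referer and GET-parameter checks discussed above, as an added example that is not part of the original post: a server-issued, time-limited HMAC token standing in for the challenge-response idea. The page that embeds the SWF would pass the token to it (for instance via FlashVars) and the XML script would accept only requests carrying a valid one; SECRET_KEY, TOKEN_TTL, issue_token and verify_token are hypothetical names.

```php
<?php
// Added example; all names here are hypothetical, not from the thread.
declare(strict_types=1);

const TOKEN_TTL = 300; // seconds a token stays valid

// Placeholder: load a random secret from server-side configuration in real use.
const SECRET_KEY = 'replace-with-random-32-byte-secret';

/** Issue "expiry.nonce.mac" when serving the page that embeds the SWF. */
function issue_token(int $now): string
{
    $expiry = $now + TOKEN_TTL;
    $nonce  = bin2hex(random_bytes(16));
    $mac    = hash_hmac('sha256', $expiry . '.' . $nonce, SECRET_KEY);
    return $expiry . '.' . $nonce . '.' . $mac;
}

/** Verify the token the SWF sends back with its XML request. */
function verify_token(string $token, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false; // not in the expected three-field format
    }
    [$expiry, $nonce, $mac] = $parts;
    if (!ctype_digit($expiry) || (int)$expiry < $now) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', $expiry . '.' . $nonce, SECRET_KEY);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed demonstration, runnable from the command line.
$now   = time();
$token = issue_token($now);
var_dump(verify_token($token, $now));                 // freshly issued token
var_dump(verify_token($token, $now + TOKEN_TTL + 1)); // same token after expiry
var_dump(verify_token($token . '0', $now));           // token with altered MAC
var_dump(verify_token('calledby=swf', $now));         // guessed static value
```

The token is visible to anyone who loads the embedding page, so this bounds how long a copied request keeps working rather than proving the caller is the SWF; the Referer header and the calledby parameter remain client-controlled either way.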
Posted 13/03/2008, 05:20   #4
Wolf

H u g o H i r a m wrote:
> Hello
>
> I have a swf that runs a PHP script that generates a XML, on the PHP is
> there any way to detect if the file is being called from the swf or from
> the browser? because I want to avoid the file being run directly from
> the browser or from any other file than the swf.
>
> regards,
> Hugo.
>

Install Firebug extension for your Firefox browser
Load your page in the browser with firebug running
Watch the calls being made and that should answer the question

You can also look at the web server logs to see which page is calling
your script.

Wolf

Posted 13/03/2008, 21:38   #5
H u g o H i r a m

HTTP_REFERER will do the job, thanks!

Hugo.
---

Steve Edberg wrote:
> At 3:55 AM +0100 3/13/08, H u g o H i r a m wrote:
>> Hello
>>
>> I have a swf that runs a PHP script that generates a XML, on the PHP
>> is there any way to detect if the file is being called from the swf or
>> from the browser? because I want to avoid the file being run directly
>> from the browser or from any other file than the swf.
>>
>> regards,
>> Hugo.

>
>
> You might want to check the HTTP_REFERER value; test the program from a
> browser and the swf, and see what happens. Alternatively you could use a
> GET parameter like
>
> http://example.com/yourscript.php?calledby=swf
>
> Be aware that anything sent back from the client can be spoofed - and
> HTTP_REFERER can be altered or disabled - so it probably wouldn't be
> hard for someone to make it appear to your script that it is being
> called by your SWF.
>
> If you're really concerned about restricting the communication between
> the Flash movie and your server, there might be some way to build a
> challenge-response mechanism into the flash; I don't know much about it.
>
> If, on the other hand, you just don't want to confuse someone who might
> accidentally run the XML-generating script from the browser, checking a
> GET parameter as above is probably the safest. If it's not set properly,
> redirect the user, eg:
>
> if (!isset($_GET['calledby']) || $_GET['calledby'] != 'swf') {
> header('Location: http://example.com/thecorrectpage.html');
> exit();
> }
> ...
>
> - steve
>
