How to detect whether a PHP page is being viewed directly or not?


SpeedFreak
02-14-2004, 02:24 PM
Ok,

basically, as part of a licensed script I am creating I have put in place PHP protections to stop the javascript being able to be viewed directly over the net. So my plan was to put the licensed javascript within a PHP file and so if the script was called from the allowed page via a <script src="javascript.php"> then all would be fine, but if someone tried to point their browser to javascript.php it would not display the contents of the file.

So how can I get PHP to check whether it is being accessed directly or whether it is being included as stated above?

Thanks

piz
02-14-2004, 03:06 PM
Oh, that will be difficult, I think.
Perhaps the only way to be able to decide whether the script is viewed directly with the browser or is included with <script>-Tags is the $_SERVER['REFERER'].
I checked all other Server-Variables and there is no difference.

The $_SERVER['HTTP_ACCEPT'] differs, too. Including the file with JavaScript there is only */*. Browsers _normally_ do have much more Accept Types.

But I think you won't be able to make this sure enough to ensure that nobody will see the script...

It's possible to make this with GET-Variables, too, but you'll be able to view the script directly putting the GET-Variable in the address field of the browser.

Saludo
piz

SpeedFreak
02-14-2004, 03:52 PM
thanks for the thoughts piz,

I had thought this would be difficult, but I can't think of any other way to prevent access to the script except if you have direct access to the files.

Ultimately I realise that if people want it that badly they will find a way to get it. All I'm trying to do is stop viewers from being able to view the external file, but allow it to be used by the script.

I had thought about doing the referrer method, I'll give that a try.

Could you elaborate on how HTTP_ACCEPT would differ, and what values normally occur?

Thanks :thumbsup:

piz
02-14-2004, 04:20 PM
Originally posted by SpeedFreak
Could you elaborate on how HTTP_ACCEPT would differ, and what values normally occur?

php.net: Contents of the Accept: header from the current request, if there is one.

My Konqueror (per default) sends the following Accept header:
text/html, image/jpeg, image/png, text/*, image/*, */*

Headers of my Mozilla Firebird:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1

You can set those headers in your browser configuration.
Including with JavaScript seems to send the header */* only.

But I think it's better using REFERER, it seems to be more reliable.
The REFERER, if you link the script with script-tags, is always the complete path (http://domain.tld?request) of the file that includes the js file.
If you call it directly, it is the 'real' REFERER-page (which is '' if you type the url directly in your browser.)

me'
02-14-2004, 04:24 PM
You do realise that View Source on the page with the JS on will reveal its contents... right?

piz
02-14-2004, 04:27 PM
Originally posted by me'
You do realise that View Source on the page with the JS on will reveal its contents... right?

No, it won't. He is including the file with <script>-tags.
You'll only see the <script src="javascript.php"> in the code. Ok, there you have the direct url to type in the browser - and that's what he wants to prevent.
Afaik there is no browser which includes the js files directly in the source when going on "show source".... and it wouldn't make sense.

SpeedFreak
02-14-2004, 04:51 PM
Ok, I have got it to restrict people from viewing the page directly using HTTP_REFERER.

Now I want to stop the file being accessed from another server. What PHP global variable will give me the domain name or full URL of the PHP script so that I can then compare it to the REQUEST_URI?

Thanks

mordred
02-14-2004, 05:37 PM
Ehm, maybe I'm a little dense, but isn't the domain in REQUEST_URI the same where your script is running on? After all, it just contains the URI of the file you're sending the request to, right?

The domain can be seen in $_SERVER['HTTP_HOST'], if my memory serves me right. Does that help? I'm a little confused by your request, because I can't see how REQUEST_URI does help you with your task. Did you mean to compare the HTTP_REFERER value to the domain where the script is running?

SpeedFreak
02-14-2004, 05:44 PM
Ok, basically yes you are right, in this case REQUEST_URI is the same as HTTP_HOST, however that is the idea. I am trying to prevent the script being accessed by being hotlinked from another server (as this would be a way to bypass the referrer check), so by comparing the two, I can find out whether the full url was used to request the file. If it was, then I can assume that it is being linked to from another domain, as all users are instructed to use the relative path to reference the javascript.

Cheers :)
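
The same-host Referer comparison discussed in the posts above, written out as an added example (not code from any poster in this thread). The host example.test, the file name licensed.js and the function name classify_request() are assumptions made for illustration; the sample requests are constructed. Referer is a header supplied by the client, so the result is a hotlink deterrent and not an access-control decision.

```php
<?php
// Added example: classify a request for javascript.php by the host in its
// Referer header. Returns 'same-site', 'no-referer' or 'other-site'.
function classify_request(array $server): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return 'no-referer';        // URL typed directly, or Referer suppressed
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost)) {
        return 'other-site';        // unparsable Referer: treat as foreign
    }
    // HTTP_HOST may carry a port ("example.test:8080"); compare host names only.
    $ownHost = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? '');
    return strcasecmp($refHost, $ownHost) === 0 ? 'same-site' : 'other-site';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests (not captured traffic).
    $samples = [
        'script tag on own page' => ['HTTP_HOST' => 'example.test',
                                     'HTTP_REFERER' => 'http://example.test/page.php?id=1'],
        'own page, port and case' => ['HTTP_HOST' => 'example.test:8080',
                                      'HTTP_REFERER' => 'http://EXAMPLE.test:8080/page.php'],
        'URL typed in browser'   => ['HTTP_HOST' => 'example.test'],
        'hotlink from elsewhere' => ['HTTP_HOST' => 'example.test',
                                     'HTTP_REFERER' => 'http://other.test/copy.html'],
    ];
    foreach ($samples as $label => $server) {
        printf("%-24s => %s\n", $label, classify_request($server));
    }
} else {
    // Gate as it would sit at the top of javascript.php.
    if (classify_request($_SERVER) !== 'same-site') {
        http_response_code(403);
        exit;                       // send nothing else after the refusal
    }
    header('Content-Type: application/javascript');
    readfile(__DIR__ . '/licensed.js');   // hypothetical file holding the script
}
```

Browsers and proxies that strip the Referer header will be refused by this gate, and the script that is served still ends up in the visitor's browser cache.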

Scrowler
02-14-2004, 07:56 PM
Originally posted by SpeedFreak
Ok,

basically, as part of a licensed script I am creating I have put in place PHP protections to stop the javascript being able to be viewed directly over the net. So my plan was to put the licensed javascript within a PHP file and so if the script was called from the allowed page via a <script src="javascript.php"> then all would be fine, but if someone tried to point their browser to javascript.php it would not display the contents of the file.

So how can I get PHP to check whether it is being accessed directly or whether it is being included as stated above?

Thanks

If you want to stop someone, for example, viewing your config.php but you want it to be able to be used in other scripts, I'd use:

if ($_SERVER['PHP_SELF'] === '/config.php') {
    header("Location: index.php");
    exit; // stop here so the rest of the file does not run after the redirect
}


Of course you can edit this if you're only using it in one page, to be like != '/index.php';

yea. hope it helps

piz
02-14-2004, 11:33 PM
No, you can't use that, because we're not talking 'bout including a file like php style (include(...)), we're talking about including a javascript source file with the html tag <script>, and there $PHP_SELF will be always the filename of the javascript(-php)-file.

You can make it more difficult to "hack" the file, by using those queries with the server variables like we discussed before. But as Javascript is a client language and the browser has to load the script completely to execute it, it will always be in the browser cache and it is a question of the user agent and the configuration to get the JavaScript code. There will be no way to hide it completely.

I heard that there is an extension for Mozilla which shows you the source of the included js files by viewing the source of the document, for example. Or you just save the complete page with IE - the css and js sources will be saved, too. Or you just have a look at the browser cache directory...

Saludo
piz

raf
02-15-2004, 02:25 AM
I'm surprised this thread even got 10 replies...

Scrowler gave the answer to SpeedFreak's question, although it is pointless (like almost everyone said) because you don't need to type in the url to get the file's content.

All content that is processed by the UA can be viewed. Point finale.