I can't wrap my head around this, and it is SO frustrating. I have no idea how I'd be solving my problem.
I use sockets to connect with my NodeJS server, and I use PHP for routing people to the correct pages. When I route someone to the admin page I check if he is allowed to continue; if so, I'll redirect him, if not I won't. Now here's the issue: people can just go to mywebsite.com/browser/admin.html and read everything that's in the admin panel (just the layout and stuff). I don't want people to be able to visit my admin panel and see what admins can and can't do.
Can I do this in any way? E.g., only show the admin panel if they have a certain rank; if they don't have that rank they will NEVER be able to visit the admin panel. I'd like to hide the HTML files and other files somehow.
Routing - .htaccess
RewriteEngine on
# In a per-directory .htaccess the path is matched without its leading slash,
# so "^/browser/admin.html$" never matched and the static file was served as-is
RewriteRule ^browser/admin\.html$ index.php?page=admin [L,NC,QSA]
# A RewriteCond applies only to the RewriteRule directly below it;
# test the requested file, not the document root
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(\w+)$ index.php?page=$1 [L,NC,QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(\w+)/$ index.php?page=$1 [L,NC,QSA]
Routing - index.php
function route(){
    global $db;
    global $user;
    $page = $_GET['page'] ?? null;
    if($page === null) {
        header('Location: /home');
        exit; // stop here, otherwise the rest of the function still runs
    }
    if($page === 'home'){
        loadWebpage('index.html', array());
    }else if($page === 'admin'){
        if($user['rank'] !== 'admin'){ /* This works but people can still access the files since they are loaded on the frontend with myexample.com/browser/admin.html */
            echo 'Access denied.';
            return;
        }
        loadWebpage('admin.html', array());
    }
}
route();
I'm sorry if I haven't explained it well, but I hope you understand what I mean; I find it difficult to explain the things I want. I appreciate the help.
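The root cause in the question is that admin.html is a real file under the Apache document root, so Apache serves it before index.php and its rank check ever run. The fix is to keep the templates where the web server cannot reach them and let PHP read them only after the server-side authorization check. The following is an added example, not the asker's code: it assumes a layout with `public/` as the DocumentRoot (holding index.php) and a sibling `templates/` directory outside it, and it takes the user's rank from the PHP session rather than from anything the browser sends. The `PUBLIC_PAGES`, `RANKED_PAGES`, `resolveTemplate()` and `currentRank()` names are this example's own.

```php
<?php
// Added example (not the original poster's code). Assumed layout:
//   /var/www/site/public/      <- Apache DocumentRoot, contains this index.php
//   /var/www/site/templates/   <- index.html, admin.html, admin.js live HERE,
//                                 outside the document root, so Apache can
//                                 never serve them directly.
// If the templates must stay under the document root, put a .htaccess in that
// folder containing the single line  Require all denied  and keep the
// readfile() approach below; PHP can still read files Apache refuses to serve.
declare(strict_types=1);

session_start();

const TEMPLATE_DIR = __DIR__ . '/../templates'; // assumed path

// Pages anyone may open.
const PUBLIC_PAGES = ['home' => 'index.html'];

// Pages that need a rank. The rank comes from the server-side session
// (set at login from the database, not shown here), never from the request.
// Any script or stylesheet that reveals admin functionality belongs here too.
const RANKED_PAGES = [
    'admin'    => ['file' => 'admin.html', 'rank' => 'admin'],
    'admin-js' => ['file' => 'admin.js',   'rank' => 'admin'],
];

function currentRank(): string
{
    return $_SESSION['user']['rank'] ?? 'guest';
}

// Returns the template file name, or null when the page is unknown or the
// caller's rank is insufficient. Both cases get the same answer on purpose.
function resolveTemplate(string $page, string $rank): ?string
{
    if (isset(PUBLIC_PAGES[$page])) {
        return PUBLIC_PAGES[$page];
    }
    if (isset(RANKED_PAGES[$page]) && RANKED_PAGES[$page]['rank'] === $rank) {
        return RANKED_PAGES[$page]['file'];
    }
    return null;
}

function route(): void
{
    // Whitelist the page name so ?page=../../etc/passwd never reaches readfile().
    $page = $_GET['page'] ?? 'home';
    if (!preg_match('/^[a-z0-9_-]{1,32}$/i', $page)) {
        http_response_code(404);
        exit('Not found.');
    }

    $file = resolveTemplate($page, currentRank());
    if ($file === null) {
        // 404 for "no such page" and "not allowed" alike, so a non-admin
        // cannot even confirm that an admin page exists.
        http_response_code(404);
        exit('Not found.');
    }

    $type = str_ends_with($file, '.js') ? 'application/javascript' : 'text/html';
    header('Content-Type: ' . $type . '; charset=utf-8');
    header('Cache-Control: no-store'); // keep admin HTML out of shared caches
    readfile(TEMPLATE_DIR . '/' . $file);
}

route();
```

With this layout the .htaccess rewrite rules only decide which `page` value index.php sees; whether the HTML is returned is decided solely by `resolveTemplate()` on every request, which is the property the question asks for. `str_ends_with()` requires PHP 8; on PHP 7 replace it with a `substr()` comparison.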
Answer 0 (score: -1)
I believe there are many ways to achieve what you are after, but I will only cover one way of "access protecting" a specific file.
Create a file admin.php in your directory. In it, just provide some basic code like the following:
<?php
// Fall back to an empty string so a request without the field does not raise a notice
$accessKey = $_POST['accessKey'] ?? '';
// hash_equals() is a constant-time string comparison; change the key to whatever you want
if (hash_equals("MyVeryAwesomeAccessKeyThatNobodyKnows", $accessKey))
{
?>
<b>This info will only be shown if you're an admin!</b>
<?php
}
else
{
    echo("Invalid access key.<br>");
}
?>
This code basically checks whether the correct access key was sent, and only when the correct key has been sent does it load the protected file.
Then, wherever you need to access the admin page, you can place a form or something similar like this:
<form method="POST" action="admin.php">
<input name="accessKey" type="password" />
<input type="submit" value="Load Admin Site" />
</form>
The user has to enter the admin access key to be granted access to the protected information page. This approach is a bit hacky, but it gets the job done!
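The answer's gate re-posts a plaintext shared secret on every page load and keeps that secret in the script source. As an added example, not the answer's code, here is the same shared-key idea as an admin.php that accepts the answer's form but verifies the submission against a `password_hash()` digest taken from the server environment, remembers a successful check in the PHP session instead of requiring the key again, and reads the protected HTML from a directory outside the document root. The `ADMIN_KEY_HASH` variable name, the `protected/admin.html` path and the `isAdmin()`/`tryLogin()` helpers are this example's assumptions.

```php
<?php
// Added example (not the answer's code). Shows the shared-key gate done so that
//  (a) the key is never compared with == and never stored in plain text,
//  (b) a successful check is recorded in the server-side session rather than
//      re-posted with every request, and
//  (c) the protected HTML lives outside the document root (assumed path).
declare(strict_types=1);

session_start();

// Assumed: the hash was generated once with
//   php -r 'echo password_hash("the-real-key", PASSWORD_DEFAULT);'
// and exported as ADMIN_KEY_HASH in the web server's environment.
const PROTECTED_FILE = __DIR__ . '/../protected/admin.html'; // assumed location

function isAdmin(): bool
{
    return ($_SESSION['rank'] ?? '') === 'admin';
}

// Verifies the posted key against the stored hash. Fails closed when the hash
// is missing from the environment rather than letting anything through.
function tryLogin(string $submittedKey): bool
{
    $hash = getenv('ADMIN_KEY_HASH') ?: '';
    if ($submittedKey === '' || $hash === '' || !password_verify($submittedKey, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh session id after a privilege change
    $_SESSION['rank'] = 'admin';
    return true;
}

// The form from the answer posts a field named accessKey to this script.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isAdmin()) {
    if (!tryLogin((string) ($_POST['accessKey'] ?? ''))) {
        usleep(250000); // crude slowdown for guessing; real rate limiting belongs in front of PHP
        http_response_code(403);
        exit('Invalid access key.');
    }
}

if (!isAdmin()) {
    http_response_code(403);
    exit('Access denied.');
}

header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store'); // do not let browsers or proxies cache the admin HTML
readfile(PROTECTED_FILE);
```

A single shared key is still one credential for every admin with no way to revoke one person's access, so this is a stop-gap; per-user accounts with ranks stored in the database, as the question's `$user['rank']` check already assumes, remain the right destination.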