I have a JavaScript which uses "encodeURIComponent" to load a file that is generated via PHP. I want the PHP that is being loaded to ONLY be loaded by the page with the JavaScript in it. I'm hoping to do something to the PHP script which says "if the requesting document's url = my page with JavaScript, go ahead. Otherwise, redirect." How do I do this?
You can't. Some browsers may send a referrer, but definitely not all, and even if they do, it cannot be trusted, as it's easily modifiable by the user.
Thanks for the reply. Is there a way to determine whether or not the PHP script is being viewed "naked" via the address bar? So instead of saying "If the page requesting the PHP script isn't correct, redirect" ... say "If the PHP script is the only thing in the browser window, redirect" ... or perhaps something better that would work with frameset pages as well?
I'm afraid there is no safe solution. Because if JavaScript can open the file, then a normal user can as well. Anything like that can be bypassed.
Hmmm ... JavaScript isn't opening the page. It's telling an embedded Flash document what page to open. I'm trying to devise a way where only a specific page can have access to a specific script. If the viewer looks at the page via address bar, redirect. Is there a 'USER_AGENT' string for Flash that would be Shockwave v9+ compliant?
Perhaps you can send a secret GET variable in the Flash, which would tell the PHP script that it has been called within the Flash? And if it's not set, throw an error? And I don't know much about Flash, but I think it would be the same user agent as the real one.
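An added example, not part of the original thread: the "secret GET variable" idea from the last reply, generalized so the embedding page issues a short-lived HMAC-signed value instead of a fixed secret, and the PHP script checks it before producing output. The names `SECRET_KEY`, `TOKEN_TTL`, `issue_token`, `verify_token`, the `t` parameter and `data.php` are hypothetical.

```php
<?php
// Added example; all names here are hypothetical, not from the thread.
const SECRET_KEY = 'replace-with-random-server-side-key'; // placeholder, never sent to the client
const TOKEN_TTL  = 60; // seconds a token stays valid

// Called by the page that embeds the JavaScript/Flash; returns "expiry.signature".
function issue_token(string $resource, ?int $now = null): string
{
    $expires = ($now ?? time()) + TOKEN_TTL;
    $sig = hash_hmac('sha256', $resource . '|' . $expires, SECRET_KEY);
    return $expires . '.' . $sig;
}

// Called at the top of the generated-file script, before any output.
function verify_token(string $resource, string $token, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // missing or malformed token (e.g. a bare address-bar request)
    }
    [$expires, $sig] = $parts;
    if ((int)$expires < ($now ?? time())) {
        return false; // token is older than TOKEN_TTL
    }
    $expected = hash_hmac('sha256', $resource . '|' . $expires, SECRET_KEY);
    return hash_equals($expected, $sig); // constant-time comparison
}

// Wiring inside the protected script would look like:
//   if (!verify_token('data.php', $_GET['t'] ?? '')) { header('Location: /'); exit; }

// Constructed demonstration with a fixed clock instead of time().
$t = issue_token('data.php', 1000);
var_dump(verify_token('data.php', $t, 1030));              // token used within its lifetime
var_dump(verify_token('data.php', $t, 1061));              // same token after expiry
var_dump(verify_token('other.php', $t, 1030));             // token replayed against another script
var_dump(verify_token('data.php', '1060.deadbeef', 1030)); // made-up signature
var_dump(verify_token('data.php', '', 1030));              // no token at all
```

The token is still visible to anyone who loads the embedding page, so this rejects bare and stale requests but, as the replies above say, it cannot stop a user who copies a fresh token.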