Deny direct access to a PHP file


The Eagle
I've got a question, I thought I'd be able to do this fairly easily. I don't want to do an .htaccess solution also.

 

I tried this,

 

<?php
define('ACCESS', TRUE);

// then on other page
if (!defined('ACCESS')) { die('Direct access not allowed.'); }

 

Need some assistance, appreciated.


Thanks for your response, I've actually found some other solution, a simple, non-complicated one perfect for me.

 

 

Included on the file you want to include the file on (sounds odd...)

<?php
$pw = "monkey";
include("updates.php");
?>

 

Then on my updates.php page,

<?php
if ($pw != "monkey") {
    die("Access denied.");
}
echo "Monkeys are cool...";
?>

 

Simple small fix I'm looking for. Thanks.


The problem with that approach is that if there is ever a PHP parsing error, the raw code *could* potentially be exposed. That exposed code could then be used to find weaknesses in the site and infiltrate it. This has happened in the past with some well-known sites.

 

Instead, if you have files that should never be accessed directly, there is a very simple, fool-proof technique: don't include them in the public directory! In other words, do not point the root of the web address to the root of your folder structure.

 

For example, you could create a directory structure such as this:

filesystem root
|
--classes
|
--common
|
--htdocs (public folder)
|
--includes
|
--Templates

 

The index.php file for the home page would go into the htdocs folder and you would make that the root for the website. There is no way for users to access the other folders above. But, the PHP code could access those files via include() or other means.

 

However, you have to include files such as images, JavaScript, etc., in the htdocs folder or subfolders because those are "requested" through the browser, not the PHP code.


Instead, if you have files that should never be accessed directly, there is a very simple, fool-proof technique: don't include them in the public directory! In other words, do not point the root of the web address to the root of your folder structure.

 

For example, you could create a directory structure such as this:

filesystem root
|
--classes
|
--common
|
--htdocs (public folder)
|
--includes
|
--Templates

 

The index.php file for the home page would go into the htdocs folder and you would make that the root for the website. There is no way for users to access the other folders above. But, the PHP code could access those files via include() or other means.

 

Yes, I was thinking of doing this. I thought an easy solution would be something bizarre like,

<?php include("123news.php"); ?>

 

I'm unsure how many people would actually precisely guess that name.


Thanks for your response, I've actually found some other solution, a simple, non-complicated one perfect for me.

 

 

Included on the file you want to include the file on (sounds odd...)

<?php
$pw = "monkey";
include("updates.php");
?>

 

Then on my updates.php page,

<?php
if ($pw != "monkey") {
    die("Access denied.");
}
echo "Monkeys are cool...";
?>

 

Simple small fix I'm looking for. Thanks.

 

That's the same as using the define:

 

<?php
define('ACCESS', true);
include("updates.php");
?>

 

Then on your updates.php page:

 

<?php
defined('ACCESS') or die('Access denied');
echo "Monkeys are cool...";

 

The constant ACCESS will be available in functions or classes whereas the $pw variable will not.  I would stick with the define.
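An added example (not code from the thread) that makes the scope point above concrete: the constant set by the entry script is visible inside a function and a class method of the included file, while the `$pw` variable is not. File names, the `Updates` class and the two gate functions are assumptions for illustration; the script runs on its own from the command line.

```php
<?php
// Added example, not code from the thread. Shows why the define()-based gate keeps
// working inside functions and classes while the $pw variable does not.

define('ACCESS', true);   // what the entry point (index.php) declares before include()
$pw = 'monkey';           // the variable-based alternative from the thread

// Guard as it would sit at the top of updates.php (file-level scope): both forms work here.
defined('ACCESS') or die('Access denied');

// The same guard inside a function still works, because constants are global in PHP.
function constantGateOpen(): bool
{
    return defined('ACCESS') && ACCESS === true;
}

// The variable-based guard inside a function: $pw is not in this function's scope,
// so isset() is false and the gate stays closed unless the value is passed in explicitly.
function variableGateOpen(): bool
{
    return isset($pw) && $pw === 'monkey';
}

// Inside a class method the picture is the same: only the constant is reachable.
class Updates
{
    public function render(): string
    {
        if (!defined('ACCESS')) {
            return 'Access denied';
        }
        return 'Monkeys are cool...';
    }
}

var_dump(constantGateOpen());
var_dump(variableGateOpen());
echo (new Updates())->render(), PHP_EOL;
```

Running it with `php scope_demo.php` shows the constant gate open and the variable gate closed, which is exactly the difference the reply describes: to use `$pw` inside a function you would have to pass it as an argument or declare it `global`, whereas `ACCESS` needs nothing extra.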


I have a project where ALL of the files with any logic are secured in non-public folders on the server, one level up from the public folder. My homepage (index.php) only has a couple of lines of code to point it to the real files with the PHP logic:

 

<?php
error_reporting(E_ALL | E_STRICT);

$_PATHS['root']      = dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR;

include ($_PATHS['root'].'main.php');
exit();

?>

 

Of course I do have other pages that are publicly available. But, all they do is set parameters for the modules to load then call the index.php page. Here is the page to access the management functions of the site. It would be accessed at the url: http://www.mysite.com/manage/index.php

<?php

$module = "manage";
include("../index.php");

?>

 

As you can see, all it does is set a value for the $module and then calls the index.php page at the "web" root. That page, then calls the logic files that are secured in non-public directories.
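An added example (not mjdamato's code) of a front controller in the layout described above, written from a defender's point of view: it resolves the private application root one level above the public folder, and before including anything it checks the module name against an allowlist and confirms with realpath() that the resolved file really lives under that private root. In the thread `$module` is set by the wrapper pages themselves, so the allowlist is a safeguard for the day the value is derived from a request instead. The `modules/` paths, the module names and the `resolveModule()` helper are assumptions for illustration; the file is meant to sit at `htdocs/index.php`.

```php
<?php
// Added example, not the poster's code: htdocs/index.php as a front controller.
// Assumed layout: <root>/htdocs/ is the web root, <root>/modules/ is private.

declare(strict_types=1);

// Private application root: one level above the public folder this file lives in.
// __DIR__ refers to this file even when it is pulled in via include("../index.php").
$root = dirname(__DIR__) . DIRECTORY_SEPARATOR;

// Only module names listed here may ever be loaded; anything else is refused.
const MODULES = [
    'home'   => 'modules/home.php',
    'manage' => 'modules/manage.php',
];

// Returns the absolute path of the module file, or null if the name is unknown
// or the file does not resolve to a location under $root.
function resolveModule(string $module, string $root): ?string
{
    if (!array_key_exists($module, MODULES)) {
        return null;   // unknown name: refuse rather than guess
    }
    $base = realpath($root);
    $path = realpath($root . MODULES[$module]);
    // realpath() returns false for a missing file; the prefix test rejects a path
    // that resolved outside the private root (for example through a symlink).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Public wrapper pages such as manage/index.php set $module before including this
// file; when nothing was set, serve the home module.
$module = $module ?? 'home';
$file = resolveModule($module, $root);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

// Gate constant for the private files, as discussed earlier in the thread.
define('ACCESS', true);
include $file;
exit();
```

A wrapper page keeps the shape shown in the post (`$module = "manage"; include("../index.php");`), and each private module can open with `defined('ACCESS') or die('Access denied');` as a second line of defence, even though nothing under `<root>/modules/` is reachable by URL in the first place.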


@mjdamato

 

Does your setup also work nicely for websites with search-friendly URLs / mod_rewrite? I have never looked into the logic of that, but I always thought it rewrites the current URL and thus depends on the directory structure. But I might as well be completely incorrect :)


@mjdamato

 

Does your setup also work nicely for websites with search-friendly URLs / mod_rewrite? I have never looked into the logic of that, but I always thought it rewrites the current URL and thus depends on the directory structure. But I might as well be completely incorrect :)

 

Yes, of course. As I stated above, the "pages" are accessible to the user with direct URLs. It's just that those pages (files) don't include any real logic - they simply call secured files that have all the logic. There is no way a browser or search engine can know that the page was created with files in the public space or not. They only react to the final content that is delivered.
