I have a PHP script of about 10 .php files under the same directory. i.e.
www.domain.com/script_directory/
I wanted to run that script from another director and tried the following:
www.domain.com/some_directory/index.php
where index.php contains
<?php
include "../script_directory/index.php";
?>
Of course the above doesn't work.
Is there any way to set the working path of the script in PHP, similar to "HTML base Tag"?
Some files of the script are "called" via ajax and the others with direct links.
You said:
I want user to always stay at www.domain.com/some_directory
To do it, you can put a HTTP redirect in the index.php at the root, something like this:
<?php
header("location:/some_directory");
If using Apache, you can do it using .htaccess like this:
Redirect / http://www.example.com/some_directory
But all depends on the rules/behaviour that you want. Using include in PHP only insert a script into it, allowing to use the code/functions/classes that are into it.
Related
All of the php files in the application are directly accessible through URL.
Adding this code at the start of my php files works for few of them which are being requested with POST method:
if ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {
die(header( 'location:/webapp/postings' ));
}
But, I do have some php files which are being requested through GET method and the above code doesn't work for them, because of which I came with the following code:
if(!isset($_SERVER['HTTP_REFERER'])){
die(header('location:/webapp/postings'));
}
I know that the HTTP_REFERER coudn't be trusted. Any other options?
can someone please tell me a generic way of preventing direct URL access without altering the code across all the php files.
Note: My Application is running on IIS 7.5 Web server.
Don't do this:
public_html/
includes/
dont_access_me_bro.php
...
index.php
...
Do this instead:
includes/
dont_access_me_bro.php
...
public_html/
index.php
...
Explanation
Keeping your source files outside of the document root guarantees that users will be unable to access them directly by changing the URI on their HTTP request. This will not protect against LFI exploits.
To find out where your document root is, this handy PHP script can help:
var_dump($_SERVER['DOCUMENT_ROOT']);
If this prints out string (25) "C:\htdocs\www\example.com", you don't want to store your files in C:\htdocs\www\example.com or any subdirectory of C:\htdocs\www\example.com.
If you place user-provided files inside your document root, you're creating the risk that someone will access them directly from their browser, and if Apache/nginx/etc. screws something up, their uploaded file may be executed as code.
So you would not want your files to be inside C:\htdocs\www\example.com\uploaded, you would want something like C:\uploads\example.com\.
This is covered in-depth in this article on secure file uploads in PHP.
So I work on a website and to make things easier I made specific files for every task (like: for the top menu I made menu.php) and then require(); them in the main files. All is good but I tried accessing in the browser /include/menu.php and it shows up. I don't want people to access them whenever they want, I just want to require them and to be available only through the main file.
The easiest way to prevent other php files from being accessed, is to define a variable in the main script:
define('IN_APPLICATION', true);
In all of your other files, simply add:
if ( !defined('IN_APPLICATION') )
die('You cannot access this file directly.');
An alternative way is to use an .htaccess file. If your server is running apache, this is all you will need. Simply put this file in your /includes directory.
I want to use cron job to make a script that sends scheduled emails to my clients. For more security I will put this PHP file outside public_html folder. I want this file to be a part of my original script So I need to include (mysql_connect.php) in this file so I don't need to connect to database in this file. Is this technically possible?. and How can I call this (mysql_connect.php) file that includes the connection and all my functions that run my original script. Thanks
It should not really make any difference if you're calling it from within public_html or not. You can include the file in the same way. For example say you're setup like this:
/home/username/myscript.php and /home/username/public_html/mysql_connect.php
Your myscript.php file might look something like this:
<?
include_once('/home/username/public_html/mysql_connect.php');
// Your script
?>
There are better ways to include files than this, e.g. using $_SERVER['DOCUMENT_ROOT'] but there are plenty of other posts on that.
I was wondering how you could make it so that "website.com" has an index.php file that simply opens "website.com/home" but without changing the URL. I originally had it so that it used a PHP include of "website.com/home/index.php" inside "website.com/index.php" but when i had to use includes inside of "website.com/home/index.php" it stopped working as it was running the includes from "website.com/index.php" instead of "website.com/home/index.php" is there any way to simply send the file "website.com/home/index.php" and have it run from "website.com/home/index.php" without changing the URL? I would want to avoid having to use the absolute location to simplify it and so i can copy and paste the code into other directories without having to edit it accordingly.
Use chdir() to navigate to the correct folder, then include("index.php");
I am working on a php project and I am having problems with including files.
I have a php script which is located at myapp/reports/index.php. When a form is submitted it performs an ajax post to another phpscript located at myapp/reports/phpHander/submit.php.
Submit.php then has to include a php script which is used to send an email. This is done to ensure that same code can be used over and over again without it needing to be typed for each time it is need. This php script is located at ../../administrator/classes/send.php.
Up to this point is working fine however the send.php script includes another file to get app config settings which is located in administrator/appConfig.php. The problem is this appConfig.php isn't being found even if I put in the full web address of http://localhost/myapp/administrator/appConfig.php.
What am I doing wrong. I am using the php include function to do this and its working for everything else but it seems to have a problem then including another script from a different location.
Thanks for any help you can provide.
http://localhost/myapp/administrator/appConfig.php is only URL path.
You need absolute filepath like C:/wamp/www/myapp/administrator/appConfig.php (Windows) or /var/www/myapp/administrator/appConfig.php (Linux)
Anyways best way is make a file "dirs.php" in your root application directory with constant:
define('ROOT_DIR', dirname(__FILE__));
where dirname(__FILE__) will be absolute path to your app directory.
With this knowledge you can include files in this way:
myapp/reports/index.php:
require_once('../../dirs.php');
include(ROOT_DIR . '/administrator/appConfig.php');
myapp/reports/phpHander/submit.php.:
require_once('../../../dirs.php');
include(ROOT_DIR . '/administrator/appConfig.php');
When you include another PHP script, all the paths are relative to the calling script. So, it sounds as though your script is at myapp/reports/phpHander/submit.php and includes ../../administrator/classes/send.php, which then includes another script in that same directory. In this case, you need to use the path "../../administrator/appConfig.php". Alternatively, you could use absolute paths relative to the filesystem's root.