This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Preventing direct access to php files
I want to block direct access to certain files so that they can only be used by PHP via include or require.
What I'm doing on the first line of each file is this:
<?php
if(stristr(__FILE__,substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],"/")+1))){
header("HTTP/1.0 404 Not Found");
exit;
}
?>
Is that a good way of doing this, or is there a better way?
Thank you.
One better option would be to move the files out of the website public area into a private directory, then use set_include_path (or equivalent server config) to allow include and requre to find them.
Related
This question already has answers here:
PHP: Check if a file is loaded directly instead of including?
(15 answers)
Closed 4 years ago.
I have a script in PHP that's included on pageX.php through include_once. Let's call it script A.php.
One could call this script by navigating directly to it from the browser: www.whatever.com/scripts/A.php.
What I want however is for script A.php to only be accessible through inclusion (on pageX.php) as it contains info that I want displayed on pageX.php only.
Besides using $_SESSION, are there different approaches?
You can define a constant within your index.php, that would not exist had the included script been called directly. In your included script you check if this constant is set and stop execution if it isn't.
Your original script (index.php):
define('PROPERLY_STARTED', true);
include_once 'a.php';
Your a.php:
if (!defined('PROPERLY_STARTED')) return;
Because my comment was deleted for some reason: While this works, it's error prone as you need to add that code to every single file. The established way of dealing with this issue is to only expose the index.php in your web root and have the files that should remain inaccessible in a directory outside of your web root so they aren't even reachable via HTTP (see e.g. the accepted answer on the question this is marked as duplicate of)
Simply don't let A.php output anything and use a
function/method based approach
a PHP script won't do anything if you have just functions defined in it.
Limit the access to your pageX.php only (via chmod / htaccess)
This question already has answers here:
Short way to link to http from https (and vice versa) using relative links
(6 answers)
Closed 5 years ago.
I want to use the full URL for the location of my css, js, and image files in my header.php file. So that when the header.php file is called from another folder directory, it doesn't break the link.
However, I want the site to be accessible by http and https, set by the user in their profile settings in the web application.
I started to write some code below of the solution but I'm not sure if this is the correct way of handling this.
config.php
<?php
// use https
$use_https = true;
?>
header.php
<?php
if ($use_https == true) {
$proto = "https://";
} else {
$proto = "http://";
}
?>
Link
The easiest way is to just do:
Link
Or since it's on your own server, just:
Link
Make sure to include the initial slash, so that it is relative to the root of your site, and not to the current page (this will prevent the link from breaking).
That being said, if your site works with https, you are probably better off just always using https, since you don't really have performance concerns anymore.
This question already has answers here:
Preventing direct access to php files
(3 answers)
Closed 9 years ago.
Okay,
SO little by little I'm tackling the challenger of learning PHP. I'm understanding it more and more each time I play around with it.
The thing that is making me a little hesitant is security.
How would I be able to deny direct access to a file and only allow a specific file be able to access/send GET requests/ execute queries?
I'm setting up a config file and a index.php file and basically I will have the index.php connect using the config file.
<?php
// MySQL Credentials
define('DATA_HOST', 'localhost');
define('DATA_NAME', 'mysql');
define('DATA_USER', 'mysql');
define('DATA_PASS', 'mypass');
try {
$connection = new PDO('mysql:host='. DATA_HOST .';dbname='.DATA_NAME, DATA_USER, DATA_PASS);
$connection->SetAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch(PDOException $e) {
echo '<h2>PDO unable to connect to database!</h2>';
}
?>
That's my current config file, using PDO as I've heard it's secure.
Sorry everyone, I did more digging around and I found the solution.
if( !defined( 'SOMETHING', 1 ) )
{
echo( '<h1>You may not access this file directly.</h1>' );
exit;
}
^ on the config file and then.
define( 'SOMETHING', 1 );
^ on the file that wants to include the config file.
Just a note, PDO is only secure if you use it properly - make sure to use prepared statements to pass in ALL data. Use it incorrectly and it's still insecure.
If you want to prevent users from directly loading a file, you have a few options.
The best is to simply have them entirely outside of your document root. Then there is no worry. This makes deployments difficult though.
The next best is to use htaccess (or the equivalent on your chosen http server) to block public access to entire subfolders containing your code. In my projects I put all my code under a single folder named "private", and all the public files outside of that, so I can just block the private folder entirely.
A second option is to use a define to tell the rest of your code the user entered through the index file. At the top of index.php add define( 'INDEX_PASSED', true ); or something, and then in your other files at the top you can simply do if( !defined( 'INDEX_PASSED' ) ) exit;. This is dangerous though as you will have to remember to do it in EVERY file. The previous method is much better.
There is nothing to be hesitated of.
Direct access to this file will do no harm at all.
While with all this useless "protection" you are just bloating your code with no reason.
This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 8 years ago.
Suppose, I am building website. I want the user to be able to access the index.php file only. I also have other files like www.mydomain.com/aboutus.php files and user can access them if he types this in his address bar. I want the user to be able to access www.mydomain.com only.
How are such security features built?
If I understand correctly that you want to allow them to only be able to access your index/root document (www.mydomain.com/index.php etc.) and not be able to type in: www.mydomain.com/aboutus.php it is fairly simple using the HTTP referrer to make sure that the page they came from was the right one:
Important note (edit): The $_SERVER type variables are susceptible to forgery by the client from something like cURL or even telnet and can be the basis for CSRF type attacks, so this is by no means a secure implementation vs. something like session tokenization.
aboutus.php at the very top:
<?php
// Put the url they came from
$ref = $_SERVER['HTTP_REFERER'];
if($ref !== 'http://mydomain.com/index.php') {
die("Must come here from index");
// uncomment below to redirect them automatically
// header('location: index.php');
}
// Otherwise they came from index so show the page.
echo "Displaying about page:";
echo $content;
?>
This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 9 years ago.
I am building a web app and I use am using a lot of include files to build most of my pages.
For example:
The page profile.php includes about.php, timeline.php, photos.php
Now, I want to send a user to my 404 page if they try to go to one of my include files directly. How can I do this?
Going to localhost/timeline.php should redirect the user to the 404.
My thought was to write an IF Statement in those include files that checks to see if the file is being opened directly, is that even possible?
Fast and dirty:
Define a constant inside of profile.php, and check if it exists inside of the included files:
if (!defined("SOME_CONSTANT")) {
//Redirect or send a 404 header
}
Slower but better
Get your files which have no meaning as a standalone file in a web context out of the web root (usually a www or htdocs folder).
You can use a simple if statement
if(!defined("SECURE")) {
header("HTTP/1.0 404 Not Found", true, 404);
include("404_Not_Found.html"); //include the 404 page
exit;
}
Making sure that on your included pages, you define the secure constant.
Define a constant in your front controller and check if it is set in the other files.
In your front controller at the top:
define("IN_APP");
Then in your other pages before any processing:
if(defined("IN_APP")) { die(header('HTTP/1.0 404 Not Found', true, 404)); }
A better option however is to put your other files in a subdirectory and deny access to it with a .htaccess file containing, the following code.
Order deny,allow
deny from all
This will still allow php to include the files, but will block anyone from accessing them from the web.