"unopenable" Scripts?


8 replies to this topic

#1 Manixat

Manixat

    Advanced Member

  • Members
  • 166 posts

Posted 22 November 2012 - 11:13 AM

Hello,

I have this question as to how I can make my scripts so that they cannot be opened individually, only called by other scripts?

e.g. buddy_list.php is a page that Facebook uses to load your friends, but if you attempt to open facebook.com/buddy_list.php it will load the "Page was not found" page

#2 kicken

kicken

    Wiser? Not exactly.

  • Gurus
  • 2,676 posts
  • LocationBonita, FL

Posted 22 November 2012 - 11:19 AM

You could check whether the $_SERVER['REQUEST_URI'] points to the file or not.  If it does, have the script exit; possibly with an error message.

Another common and relatively easy thing to do is have your main files define a constant which you then check for in your other files.  Example:

index.php:
<?php
define('PROPER_REQUEST', true);
include('buddy_list.php');

buddy_list.php
<?php
if (!defined('PROPER_REQUEST')) die("Invalid Request.");

//... rest of script

Recycle your old CD's, don't trash them!
Did I help you out?  Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7

#3 Muddy_Funster

Muddy_Funster

    Advanced Member

  • Members
  • 2,993 posts

Posted 22 November 2012 - 11:22 AM

It could be because the page isn't actually there (.htaccess url rewrite?).
Or another way could be that PHP can, I believe, be given access to the server's file system, not just the webdir. This means that you can, in theory, require/include/fopen/file/...etc anywhere that PHP has the rights to access, even if the http daemon doesn't have those rights.
A simple password hash :

function makePass($word=''){
  $dbSalt = '$2a$07$'.substr(hash('whirlpool',$word),0,22);
  $dbPass = crypt($word, $dbSalt);
 return substr($dbPass,12);
}



My SQL/PHP Blog

#4 Manixat

Manixat

    Advanced Member

  • Members
  • 166 posts

Posted 22 November 2012 - 11:59 AM

Having the $_SERVER['REQUEST_URI'] checked would be the thing I'd go for, but the problem is I already have too many scripts and having to hardcode it to all of them will be lots of work, I was hoping there was a less painful way?

Using htaccess makes "main" pages unable to access scripts as well :/


#5 Pikachu2000

Pikachu2000

    I hate everything.

  • Staff Alumni
  • 11,378 posts
  • LocationFuture Independent Republic of Texas
  • Age:106

Posted 22 November 2012 - 12:04 PM

Unless I've overlooked something, for scripts that are not to be directly accessed this should work.

if( basename(__FILE__) === basename($_SERVER['SCRIPT_NAME']) ) {
	die('Direct access to this file is not allowed.');
}

"Java" is to "Javascript" about the same as "fun" is to "funeral".

Why $_SERVER['PHP_SELF'] is bad. || Why ORDER BY RAND() is bad || Every problem can be solved with rm -rf *
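
As an added example (not code from this thread), the PHP below puts the basename() check from the post above next to a stricter comparison of resolved full paths. The temp-directory layout, the file names and the direct_by_path() helper are assumptions of the example; its third case shows that the name-only check also refuses a legitimate include when the entry script and the included file share a name in different directories.

```php
<?php
declare(strict_types=1);

// The check from the post above: compares file names only.
function direct_by_basename(string $file, string $scriptName): bool
{
    return basename($file) === basename($scriptName);
}

// Stricter variant (an assumption of this example): compare resolved paths.
// In a real include file: direct_by_path(__FILE__, $_SERVER['SCRIPT_FILENAME'])
function direct_by_path(string $file, string $scriptFilename): bool
{
    $self  = realpath($file);
    $entry = realpath($scriptFilename);
    if ($self === false || $entry === false) {
        return true; // cannot resolve a path: refuse rather than guess
    }
    return $self === $entry;
}

// Constructed layout in a temp directory (hypothetical file names).
$root  = sys_get_temp_dir() . '/guard_demo_' . bin2hex(random_bytes(4));
$files = ['web/index.php', 'lib/index.php', 'lib/buddy_list.php'];
foreach ($files as $f) {
    $dir = dirname("$root/$f");
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    file_put_contents("$root/$f", "<?php\n");
}

// [file containing the guard, entry script the web server ran, description]
$cases = [
    ['lib/buddy_list.php', 'lib/buddy_list.php', 'requested directly'],
    ['lib/buddy_list.php', 'web/index.php',      'included by web/index.php'],
    ['lib/index.php',      'web/index.php',      'same name, other directory'],
];
foreach ($cases as [$guarded, $entry, $what]) {
    printf("%-28s basename: %-5s  path: %s\n", $what,
        var_export(direct_by_basename("$root/$guarded", "/$entry"), true),
        var_export(direct_by_path("$root/$guarded", "$root/$entry"), true));
}

// Remove the constructed files again.
array_map(fn ($f) => unlink("$root/$f"), $files);
rmdir("$root/web");
rmdir("$root/lib");
rmdir($root);
```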


#6 PFMaBiSmAd

PFMaBiSmAd

    Advanced Member

  • Staff Alumni
  • 16,767 posts
  • LocationColorado, U.S.A.

Posted 22 November 2012 - 12:09 PM

Using htaccess makes "main" pages unable to access scripts as well


Not if you are including them using a file system path, which is the normal way. Using a URL to include files takes from 10 to 100 times longer to execute, only includes the content that the file outputs, and means that you won't be able to prevent http requests to them because the http request your main page is making to them must work, therefore a http request from a browser must work as well.
Signature: (not a comment about anything you posted unless specifically indicated)
Debugging step #1: To get past the garbage-out equals garbage-in stage in your code, you must check that the inputs to your code are what you expect.

Programming is just problem solving, but it is done in another language. You must learn enough of the programming language you are using to be able to read and write code.

#7 Manixat

Manixat

    Advanced Member

  • Members
  • 166 posts

Posted 22 November 2012 - 12:49 PM

Unless I've overlooked something, for scripts that are not to be directly accessed this should work.

if( basename(__FILE__) === basename($_SERVER['SCRIPT_NAME']) ) {
	die('Direct access to this file is not allowed.');
}


basename(__FILE__)

this causes an internal server error O.o

Not if you are including them using a file system path, which is the normal way. Using a URL to include files takes from 10 to 100 times longer to execute, only includes the content that the file outputs, and means that you won't be able to prevent http requests to them because the http request your main page is making to them must work, therefore a http request from a browser must work as well.


I'm not quite sure I understand what you mean, I use relative paths?


Another common and relatively easy thing to do is have your main files define a constant which you then check for in your other files. Example:

index.php:

<?php
define('PROPER_REQUEST', true);
include('buddy_list.php');

buddy_list.php
<?php
if (!defined('PROPER_REQUEST')) die("Invalid Request.");

//... rest of script


Another thing I thought about is that this will not work out well with ajax

Edited by Manixat, 22 November 2012 - 01:03 PM.


#8 jcbones

jcbones

    Advanced Member

  • Gurus
  • 2,439 posts
  • LocationNorth Carolina

Posted 22 November 2012 - 08:03 PM

For ajax, you would send a token that is preset by the server, and checked on page request.
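
One way to implement the token check described above, as an added example that is not code from this thread. The function names, the ajax_token session key and the X-Ajax-Token header are hypothetical; the requests are constructed arrays standing in for $_SESSION and $_SERVER so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Create the token once per session; the main page prints it into its HTML
// or JavaScript so that its AJAX calls can send it back.
function issue_token(array &$session): string
{
    if (empty($session['ajax_token'])) {
        $session['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $session['ajax_token'];
}

// Compare the token sent with the request against the one in the session.
function token_is_valid(array $session, ?string $sent): bool
{
    $expected = $session['ajax_token'] ?? '';
    if (!is_string($expected) || $expected === '' || $sent === null) {
        return false; // no token issued, or none sent
    }
    return hash_equals($expected, $sent); // constant-time comparison
}

// Endpoint logic: the HTTP status the AJAX script should answer with.
// X-Ajax-Token is a hypothetical header (HTTP_X_AJAX_TOKEN in $_SERVER).
function ajax_status(array $session, array $server): int
{
    $sent = $server['HTTP_X_AJAX_TOKEN'] ?? null;
    return token_is_valid($session, $sent) ? 200 : 403;
}

// Constructed requests; a real script would pass $_SESSION and $_SERVER
// after session_start().
$session = [];
$token   = issue_token($session);

$requests = [
    'token from the page'  => ['HTTP_X_AJAX_TOKEN' => $token],
    'no token (typed URL)' => [],
    'wrong token'          => ['HTTP_X_AJAX_TOKEN' => str_repeat('0', 64)],
];
foreach ($requests as $what => $server) {
    printf("%-22s -> %d\n", $what, ajax_status($session, $server));
}
```

The token ties an AJAX request to a session the server has already rendered a page for; the endpoint still needs its own login and permission checks.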

#9 Pikachu2000

Pikachu2000

    I hate everything.

  • Staff Alumni
  • 11,378 posts
  • LocationFuture Independent Republic of Texas
  • Age:106

Posted 22 November 2012 - 11:13 PM

basename(__FILE__)

this causes an internal server error O.o


That's odd, it works fine for me. What shows up in your error logs?



