"unopenable" Scripts?


Manixat

Hello,

 

I have this question as to how I can make my scripts so that they cannot be opened individually, only called by other scripts?

 

E.g. buddy_list.php is a page that Facebook uses to load your friends, but if you attempt to open facebook.com/buddy_list.php it will load the "Page was not found" page.

Link to comment
Share on other sites

You could check whether the $_SERVER['REQUEST_URI'] points to the file or not.  If it does, have the script exit; possibly with an error message.

 

Another common and relatively easy thing to do is have your main files define a constant which you then check for in your other files.  Example:

 

index.php:

<?php
define('PROPER_REQUEST', true);
include('buddy_list.php');

 

buddy_list.php

<?php
if (!defined('PROPER_REQUEST')) die("Invalid Request.");

//... rest of script

 

Link to comment
Share on other sites

It could be because the page isn't actually there (.htaccess URL rewrite?).

Or another way could be that PHP can, I believe, be given access to the server's file system, not just the webdir. This means that you can, in theory, require/include/fopen/file/...etc anywhere that PHP has the rights to access, even if the HTTP daemon doesn't have those rights.

Link to comment
Share on other sites

Having the $_SERVER['REQUEST_URI'] checked would be the thing I'd go for, but the problem is I already have too many scripts and having to hardcode it to all of them will be lots of work. I was hoping there was a less painful way?

 

Using htaccess makes "main" pages unable to access scripts as well :/

Link to comment
Share on other sites

Using htaccess makes "main" pages unable to access scripts as well

 

Not if you are including them using a file system path, which is the normal way. Using a URL to include files takes from 10 to 100 times longer to execute, only includes the content that the file outputs, and means that you won't be able to prevent http requests to them because the http request your main page is making to them must work, therefore a http request from a browser must work as well.

Link to comment
Share on other sites

Unless I've overlooked something, for scripts that are not to be directly accessed this should work.

 

if( basename(__FILE__) === basename($_SERVER['SCRIPT_NAME']) ) {
    die('Direct access to this file is not allowed.');
}

 

basename(__FILE__)

 

this causes an internal server error O.o

 

Not if you are including them using a file system path, which is the normal way. Using a URL to include files takes from 10 to 100 times longer to execute, only includes the content that the file outputs, and means that you won't be able to prevent http requests to them because the http request your main page is making to them must work, therefore a http request from a browser must work as well.

 

I'm not quite sure I understand what you mean, I use relative paths?

 

 

Another common and relatively easy thing to do is have your main files define a constant which you then check for in your other files. Example:

 

index.php:

<?php
define('PROPER_REQUEST', true);
include('buddy_list.php');

 

buddy_list.php

<?php
if (!defined('PROPER_REQUEST')) die("Invalid Request.");

//... rest of script

 

Another thing I thought about is that this will not work out well with AJAX.

Edited by Manixat
Link to comment
Share on other sites
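
A central guard that avoids editing every script, as an added example that is not code from any poster in this thread. It assumes the include-only scripts sit in a hypothetical `includes/` directory and that this hypothetical file, `guard.php`, is loaded before every request through PHP's `auto_prepend_file` setting. It compares resolved paths rather than base names, so an entry page and an include that share a file name are not confused.

```php
<?php
// guard.php: added example, not code posted in this thread.
// Assumption: include-only scripts live under the hypothetical directory
// includes/ next to this file; entry pages and AJAX endpoints live elsewhere.
declare(strict_types=1);

/**
 * True when the script the web server was asked to run resolves to a file
 * inside one of the private directories, i.e. it was requested directly.
 */
function is_direct_hit(string $entryScript, array $privateDirs): bool
{
    // realpath('') would resolve to the working directory, so reject it first.
    $entry = $entryScript === '' ? false : realpath($entryScript);
    if ($entry === false) {
        return true; // entry script cannot be resolved: fail closed
    }
    foreach ($privateDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // misconfigured directory, nothing to protect there
        }
        // Trailing separator stops "includes_old/x.php" matching "includes".
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($entry, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// SCRIPT_FILENAME is the file the server chose to execute; it stays the same
// inside every file that script later includes through a file system path.
if (PHP_SAPI !== 'cli'
    && is_direct_hit((string) ($_SERVER['SCRIPT_FILENAME'] ?? ''), [__DIR__ . '/includes'])) {
    http_response_code(404);
    exit('Page was not found');
}
```

Scripts that the browser calls through AJAX are entry points in their own right, so they stay outside the private directory and include what they need by file system path.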
