jas511 Posted August 27, 2008

Hi, I was wondering if there was a way to prevent direct access to my main index.php file. The index.php file is really just a front controller that includes the other content pages as necessary and those content files are all protected. I've used mod rewrite to redirect http://www.mysite.com/main to index.php but that doesn't stop users from directly accessing index.php. I've tried techniques such as rewriting away from the page if the request URI is not internal or if the referrer is not internal, but I'm pretty sure both of these can be spoofed pretty easily (I know for sure referrer can).

Is there any way to basically place the files in a web inaccessible directory that can be accessed by the server but not by outside users (like a WEB-INF directory for Java apps)?

Thanks, Jeff

Stephen Posted August 27, 2008

You could chmod: 773 it. Not sure if that's what you want though.

BlueSkyIS Posted August 27, 2008

Rename index.php to something else and redirect http://www.mysite.com/main to the new file name.

jas511 Posted August 27, 2008

I'm really just trying to prevent people from figuring out that I'm using PHP - this will help with transitioning to a new technology in the future and it reveals less information to hackers.

DarkWater Posted August 27, 2008

"Hackers" will be able to figure out that your site uses PHP anyway probably, once they see the session cookie named PHPSESSID. Honestly, I wouldn't worry about that at all. You have bigger things to think about if you're serious about security.

jas511 Posted August 27, 2008

Fair point DarkWater. From a web application perspective, I come from a Java background which is all about portability and security, so there are a lot of measures already built in. Just curious more as a learning activity to see if there is a way to prevent this. For example, if I go to Google's home page, is there any way to determine what language they are using or to directly access their pages?

DarkWater Posted August 27, 2008

Google uses the cutting edge of pigeon technologies. Those pigeons are carefully trained to search for web pages and play ping pong. http://www.google.com/technology/pigeonrank.html

Guest Xanza Posted August 28, 2008

Sessions are a good way to do this...

    <?php
    if($_SESSION['NULL'] == '0'){
        echo "View of Index disabled....";
    } else {
        echo "Content...";
    }
    ?>

Pretty simple... Since NULL will always be zero, "View of Index disabled...." will always be displayed over your content.

jas511 Posted August 28, 2008

I appreciate the reply but I'm not sure how this solves the issue. If the user types http://www.mysite.com/index or whatever, the user is redirected to index.php by mod rewrite. In this case the session variable is still null, so no access.

Guest Xanza Posted August 28, 2008

He said direct access... So either way I answered his question with a very reasonable explanation. Besides, he could always develop a session system for pages that he does and does not want to be viewed directly... That's not a big deal either.

DarkWater Posted August 28, 2008

Xanza, that solution doesn't even make sense. Now, here's what you could do: In a .htaccess file, put this set of lines:

    <Files index.php>
    Order allow,deny
    Deny from all
    </Files>

For multiple files, use FilesMatch and a regex.

jas511 Posted August 28, 2008

He is me! Anyway, all I'm saying is that by direct access I mean I don't want the user to type the page directly but I do want to allow it to be accessed directly (by a redirect via mod rewrite). I'm just trying to prevent the user from finding out that it has a PHP page extension (no need to expose what the technology is).

I've found that I can use the htaccess file in that particular directory to make the file an html file and have the server treat it as though it is php. I can do that just for that home page so even if the user does guess index.htm, that's okay with me.

DarkWater Posted August 28, 2008

Did you try my .htaccess lines?

jas511 Posted August 28, 2008

Yes, but I get an access denied error when the user is redirected to index.php from www.mysite.com/index (I also get an access denied error when they access it directly which is what I wanted, but I wanted it to work if passed along by mod rewrite).

trq Posted August 28, 2008

You could try checking one of either $_SERVER['SCRIPT_FILENAME'], $_SERVER['SCRIPT_NAME'] or $_SERVER['PHP_SELF'] to see if they are index.php. Chances are though they will display as index.php even if that's not what is displaying in your URL.

The best solution (though I don't really see the point regardless) is to simply use some obscure name for your controller instead of index.php.

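A variant of the check discussed above, as an added example that is not part of the thread: under Apache, `$_SERVER['REQUEST_URI']` keeps the path from the client's original request line even after mod_rewrite maps `/main` to `index.php`, so the front controller can answer 404 when that path names the script itself. The function name `is_direct_controller_request` and the sample URIs are assumptions made for this illustration.

```php
<?php
// Added example (not code from the thread).
// Assumption: Apache + mod_rewrite rewrites /main to index.php internally,
// so REQUEST_URI still holds the path the client actually typed.

function is_direct_controller_request(string $requestUri, string $controller = 'index.php'): bool
{
    // Only the path decides which file was asked for; drop the query string.
    $path = explode('?', $requestUri, 2)[0];

    // Decode percent-encoding so /%69ndex.php is treated like /index.php.
    $path = rawurldecode($path);

    // Compare segment by segment. This also catches //index.php and
    // /index.php/extra (PATH_INFO), both of which still reach the script.
    // It is deliberately conservative: any segment named like the
    // controller is rejected, in any directory and in any letter case.
    foreach (explode('/', $path) as $segment) {
        if (strcasecmp($segment, $controller) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample request URIs, not taken from the thread.
$samples = [
    '/main',
    '/main?page=2',
    '/index.php',
    '/index.php?page=2',
    '/INDEX.PHP',
    '/%69ndex.php',
    '//index.php',
    '/index.php/extra',
];

foreach ($samples as $uri) {
    $verdict = is_direct_controller_request($uri) ? '404' : 'serve';
    printf("%-20s %s\n", $uri, $verdict);
}

// At the top of the real front controller the same check would read:
// if (is_direct_controller_request($_SERVER['REQUEST_URI'])) {
//     http_response_code(404);
//     exit;
// }
```

Only the two `/main` samples print `serve`; every form of a request that names `index.php` prints `404`.
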
jas511 Posted August 28, 2008

Is the $_SERVER["REQUEST_URI"] a "safe" variable (i.e. can it be spoofed like HTTP_REFERRER)?

Guest Xanza Posted August 28, 2008

"Xanza, that solution doesn't even make sense."

Only if you're an idiot.

jas511 Posted August 28, 2008

Thanks for the blunt response. Can you point me to some sources on how that can be spoofed?

benphelps Posted August 28, 2008

If the page's dynamic content isn't updated very often you could run the PHP and cache the results into an HTML page. Then serve the site from the HTML. If the page's dynamic content is updated often, you could have a cron job update the cache of it. This would only work if the site didn't require logging in or cookies/sessions, strictly a show the content only method.

jas511 Posted August 28, 2008

Thanks Ben. I think what I've decided is that I'm going to have the server treat this one HTML page as php so a user will still see index.html but it will be php under the hood. Thanks.