jas511 Posted August 27, 2008
Hi, I was wondering if there was a way to prevent direct access to my main index.php file. The index.php file is really just a front controller that includes the other content pages as necessary and those content files are all protected. I've used mod rewrite to redirect http://www.mysite.com/main to index.php but that doesn't stop users from directly accessing index.php. I've tried techniques such as rewriting away from the page if the request URI is not internal or if the referrer is not internal, but I'm pretty sure both of these can be spoofed pretty easily (I know for sure referrer can). Is there any way to basically place the files in a web inaccessible directory that can be accessed by the server but not by outside users (like a WEB-INF directory for Java apps)?
Thanks, Jeff
Link to comment https://forums.phpfreaks.com/topic/121617-preventing-direct-access-to-php-pages/

Stephen Posted August 27, 2008
You could chmod: 773 it. Not sure if that's what you want though.

BlueSkyIS Posted August 27, 2008
Rename index.php to something else and redirect http://www.mysite.com/main to the new file name.

jas511 (Author) Posted August 27, 2008
I'm really just trying to prevent people from figuring out that I'm using PHP - this will help with transitioning to a new technology in the future and it reveals less information to hackers.

DarkWater Posted August 27, 2008
"Hackers" will be able to figure out that your site uses PHP anyway probably, once they see the session cookie named PHPSESSID. Honestly, I wouldn't worry about that at all. You have bigger things to think about if you're serious about security.

jas511 (Author) Posted August 27, 2008
Fair point DarkWater. From a web application perspective, I come from a Java background which is all about portability and security, so there are a lot of measures already built in. Just curious more as a learning activity to see if there is a way to prevent this. For example, if I go to Google's home page, is there any way to determine what language they are using or to directly access their pages?

DarkWater Posted August 27, 2008
Google uses the cutting edge of pigeon technologies. Those pigeons are carefully trained to search for web pages and play ping pong. http://www.google.com/technology/pigeonrank.html

Guest Xanza Posted August 28, 2008
Sessions are a good way to do this...

    <?php
    if($_SESSION['NULL'] == '0'){
        echo "View of Index disabled....";
    } else {
        echo "Content...";
    }
    ?>

Pretty simple... Since NULL will always be zero, "View of Index disabled...." will always be displayed over your content.

jas511 (Author) Posted August 28, 2008
I appreciate the reply but I'm not sure how this solves the issue. If the user types http://www.mysite.com/index or whatever, the user is redirected to index.php by mod rewrite. In this case the session variable is still null, so no access.

Guest Xanza Posted August 28, 2008
He said direct access... So either way I answered his question with a very reasonable explanation. Besides, he could always develop a session system for pages that he does and does not want to be viewed directly... That's no big deal either.

DarkWater Posted August 28, 2008
Xanza, that solution doesn't even make sense. Now, here's what you could do: In a .htaccess file, put this set of lines:

    <Files index.php>
    Order allow,deny
    Deny from all
    </Files>

For multiple files, use FilesMatch and a regex.

jas511 (Author) Posted August 28, 2008
He is me! Anyway, all I'm saying is that by direct access I mean I don't want the user to type the page directly but I do want to allow it to be accessed directly (by a redirect via mod rewrite). I'm just trying to prevent the user from finding out that it has a PHP page extension (no need to expose what the technology is). I've found that I can use the htaccess file in that particular directory to make the file an html file and have the server treat it as though it is php. I can do that just for that home page so even if the user does guess index.htm, that's okay with me.

DarkWater Posted August 28, 2008
Did you try my .htaccess lines?

jas511 (Author) Posted August 28, 2008
Yes, but I get an access denied error when the user is redirected to index.php from www.mysite.com/index (I also get an access denied error when they access it directly which is what I wanted, but I wanted it to work if passed along by mod rewrite).

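
Added example, not part of the original thread and not any poster's code: one way to get the behaviour described above is to test mod_rewrite's THE_REQUEST variable, which holds the raw request line the client sent and is not changed by internal rewrites. The /main URL and index.php come from the thread; the 404 response and the header cleanup are assumptions.

```apache
# .htaccess in the document root (constructed example; needs mod_rewrite)

# The <Files> block from the thread denies at the access-check stage, which
# runs on the final mapped file. A request rewritten from /main to index.php
# is therefore denied as well, which is the error reported above:
#
#   <Files index.php>
#   Order allow,deny
#   Deny from all
#   </Files>

RewriteEngine On

# THE_REQUEST looks like "GET /index.php?x=1 HTTP/1.1". It stays the same
# for the whole request, so this condition is true only when the client
# itself asked for index.php, never for /main after the internal rewrite.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s+/+index\.php[\s?/] [NC]
# A status outside 300-399 drops the substitution and stops rewriting;
# 404 (an assumption) reveals less than 403 would.
RewriteRule ^index\.php(/|$) - [R=404,L]

# Public URL -> front controller, internal only (no redirect is sent).
RewriteRule ^main/?$ index.php [L]

# A request for "/" served through DirectoryIndex still works, because its
# request line is "GET / HTTP/1.1" and does not match the condition.

# THE_REQUEST is matched raw, before URL decoding and path normalisation.
# Treat this rule as URL tidying, not as access control: anything that must
# never be served belongs outside the document root.

# The extension is only one signal. PHP can also announce itself in a
# response header, and the PHPSESSID cookie name mentioned in the thread is
# controlled by PHP's session.name setting.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>
```
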
trq Posted August 28, 2008
You could try checking one of either $_SERVER['SCRIPT_FILENAME'], $_SERVER['SCRIPT_NAME'] or $_SERVER['PHP_SELF'] to see if they are index.php. Chances are though they will display as index.php even if that's not what is displaying in your URL. The best solution (though I don't really see the point regardless) is to simply use some obscure name for your controller instead of index.php.

jas511 (Author) Posted August 28, 2008
Is the $_SERVER["REQUEST_URI"] a "safe" variable (i.e. can it be spoofed like HTTP_REFERRER)?

Guest Xanza Posted August 28, 2008
> Xanza, that solution doesn't even make sense.
Only if you're an idiot.

jas511 (Author) Posted August 28, 2008
Thanks for the blunt response. Can you point me to some sources on how that can be spoofed?

benphelps Posted August 28, 2008
If the page's dynamic content isn't updated very often you could run the PHP and cache the results into an HTML page. Then serve the site from the HTML. If the page's dynamic content is updated often, you could have a cron job update the cache of it. This would only work if the site didn't require logging in or cookies/sessions, strictly a show-the-content-only method.

jas511 (Author) Posted August 28, 2008
Thanks Ben. I think what I've decided is that I'm going to have the server treat this one HTML page as php so a user will still see index.html but it will be php under the hood. Thanks.

This topic is now archived and is closed to further replies.