
Preventing direct access to PHP pages


jas511


Hi, I was wondering if there was a way to prevent direct access to my main index.php file. The index.php file is really just a front controller that includes the other content pages as necessary and those content files are all protected. I've used mod rewrite to redirect http://www.mysite.com/main to index.php but that doesn't stop users from directly accessing index.php. I've tried techniques such as rewriting away from the page if the request URI is not internal or if the referrer is not internal, but I'm pretty sure both of these can be spoofed pretty easily (I know for sure referrer can). Is there any way to basically place the files in a web inaccessible directory that can be accessed by the server but not by outside users (like a WEB-INF directory for Java apps)?


Thanks,

Jeff

https://forums.phpfreaks.com/topic/121617-preventing-direct-access-to-php-pages/

"Hackers" will be able to figure out that your site uses PHP anyway probably, once they see the session cookie named PHPSESSID.  Honestly, I wouldn't worry about that at all.  You have bigger things to think about if you're serious about security.

Fair point DarkWater. From a web application perspective, I come from a Java background which is all about portability and security, so there are a lot of measures already built in. Just curious more as a learning activity to see if there is a way to prevent this.


For example, if I go to google's home page, is there any way to determine what language they are using or to directly access their pages?

Sessions are a good way to do this...


<?php

if($_SESSION['NULL'] == '0'){
    echo "View of Index disabled....";
} else {
    echo "Content...";
}

?>


Pretty simple... Since NULL will always be zero, "View of Index disabled...." will always be displayed over your content.

Xanza, that solution doesn't even make sense.  Now, here's what you could do:


In a .htaccess file, put this set of lines:

<Files index.php>
    Order allow,deny
    Deny from all
</Files>


For multiple files, use FilesMatch and a regex.

He is me! Anyway, all I'm saying is that by direct access I mean I don't want the user to type the page directly but I do want to allow it to be accessed directly (by a redirect via mod rewrite). I'm just trying to prevent the user from finding out that it has a PHP page extension (no need to expose what the technology is). I've found that I can use the htaccess file in that particular directory to make the file an html file and have the server treat it as though it is php. I can do that just for that home page so even if the user does guess index.htm, that's okay with me.

You could try checking one of either $_SERVER['SCRIPT_FILENAME'], $_SERVER['SCRIPT_NAME'] or $_SERVER['PHP_SELF'] to see if they are index.php. Chances are, though, they will display as index.php even if that's not what is displayed in your URL.


The best solution (though I don't really see the point regardless) is to simply use some obscure name for your controller instead of index.php.

If the page's dynamic content isn't updated very often, you could run the PHP and cache the results into an HTML page. Then serve the site from the HTML.

If the page's dynamic content is updated often, you could have a cron job update the cache of it. This would only work if the site didn't require logging in or cookies/sessions, strictly a show-the-content-only method.
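For the goal described in this thread (the public URL /main is served by index.php, but a visitor who types index.php directly gets nothing back), here is an added .htaccess example; it is not code from any post above. It assumes mod_rewrite is enabled, that the .htaccess lives in the document root next to index.php, and that the public path is /main.

```apache
# Added example .htaccess (not from the thread). Assumes mod_rewrite is on,
# this file sits in the document root beside index.php, and /main is the
# public URL that should be handled by the front controller.
RewriteEngine On

# THE_REQUEST is the request line exactly as the client sent it, e.g.
# "GET /index.php HTTP/1.1". An internal rewrite does not change it, so
# this condition is true only when the visitor asked for index.php directly.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/+index\.php[\s?/] [NC]
# Answer such direct requests with a plain 404 (the "-" substitution means
# "no new target"; with a 4xx status the rule simply ends processing).
RewriteRule ^index\.php$ - [R=404,L]

# Internal rewrite: /main (optionally with a trailing slash) is served by
# index.php. When the rewritten request is re-evaluated, THE_REQUEST still
# reads "/main", so the condition above does not fire and the page loads.
RewriteRule ^main/?$ index.php [L]
```

The check is on the client's original request line rather than on the target file name because directory and <Files> access rules are applied to whatever file finally serves the request, including after an internal rewrite; matching on THE_REQUEST lets the rewritten /main request through while a typed /index.php is refused.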
