Preventing direct access to PHP pages

[jas511]

Hi, I was wondering if there was a way to prevent direct access to my main index.php file. The index.php file is really just a front controller that includes the other content pages as necessary and those content files are all protected. I've used mod rewrite to redirect http://www.mysite.com/main to index.php but that doesn't stop users from directly accessing index.php. I've tried techniques such as rewriting away from the page if the request URI is not internal or if the referrer is not internal, but I'm pretty sure both of these can be spoofed pretty easily (I know for sure referrer can). Is there any way to basically place the files in a web inaccessible directory that can be accessed by the server but not by outside users (like a WEB-INF directory for Java apps)?

 

Thanks,

Jeff

[Stephen]

You could chmod:

773

it.

 

Not sure if that's what you want though.

[BlueSkyIS]

rename index.php to something else and redirect http://www.mysite.com/main to the new file name.

[jas511]

I'm really just trying to prevent people from figuring out that I'm using PHP - this will help with transitioning to a new technology in the future and it reveals less information from hackers.

[DarkWater]

"Hackers" will be able to figure out that your site uses PHP anyway probably, once they see the session cookie named PHPSESSID.  Honestly, I wouldn't worry about that at all.  You have bigger things to think about if you're serious about security.

[jas511]

Fair point DarkWater. From a web application perspective, I come from a Java background which is all about portability and security, so there are a lot of measures already built in. Just curious more as a learning activity to see if there is a way to prevent this.

 

For example, if I go to google's home page, is there any way to determine what language they are using or to directly access their pages?

[DarkWater]

Google uses the cutting edge of pigeon technologies.  Those pigeons are carefully trained to search for web pages and play ping pong.

http://www.google.com/technology/pigeonrank.html

[Guest Xanza]

Sessions is a good way to do this...

 

<?php

if($_SESSION['NULL'] == '0'){
    echo "View of Index disabled....";
} else {
    echo "Content...";
}

?>

 

Pretty simple... Since NULL will always be zero, "View of Index disabled...." will always be displayed over your content.

[jas511]

I appreciate the reply but I'm not sure how this solves the issue. If the user types http://www.mysite.com/index or whatever, the user is redirected to index.php by mod rewrite. In this case the session variable is still null, so no access.

[Guest Xanza]

He said direct access... So either way I answered his question with a very reasonable explanation.

 

Besides, he could always develop a session system for pages that he does and does not want to be viewed directly... That's not big deal either.

[DarkWater]

Xanza, that solution doesn't even make sense.  Now, here's what you could do:

 

In a .htaccess file, put this set of lines:

<Files index.php>
    Order allow,deny  
    Deny from all  
</Files>

 

For multiple files, use FilesMatch and a regex.

[jas511]

He is me! Anyway, all I'm saying is that by direct access I mean I don't want the user to type the page directly but I do want to allow it to be accessed directly (by a redirect via mod rewrite). I'm just trying to prevent the user from finding out that it has a PHP page extension (no need to expose what the technology is). I've found that I can use the htaccess file in that particular directory to make the file an html file and have the server treat it as though it is php. I can do that just for that home page so even if the user does guess index.htm, that's okay with me.

[DarkWater]

Did you try my .htaccess lines?

[jas511]

Yes, but I get an access denied error when the user is redirected to index.php from www.mysite.com/index (I also get an access denied error when they access it directly which is what I wanted, but I wanted it to work if passed along by mod rewrite).

[trq]

You could try checking on of either $_SERVER['SCRIPT_FILENAME'], $_SERVER['SCRIPT_NAME'] or $_SERVER['PHP_SELF'] to see if they are index.php. Chances are though they will display as index.php even if thats not what is displaying in your url.

 

The best solution (though I don't really see the point regardless) is to simply use some obscure name for your controller instead of index.php.

[jas511]

Is the $_SERVER["REQUEST_URI"] a "safe" variable (i.e. can it be spoofed like HTTP_REFERRER)?

[Guest Xanza]

Xanza, that solution doesn't even make sense.

 

Only if your an idiot.

[jas511]

Thanks for the blunt response. Can you point me to some sources on how that can be spoofed?

[benphelps]

I the pages dynamic content isn't updated very often you could run the PHP and cache the results into a HTML page.  Then server the site from the HTML.

If the pages dynamic content is updated often, you could have a cron job update the cache of it.  This would only work if the site didn't require logging in or cookies/sessions, strictly a show the content only method.

[jas511]

Thanks Ben. I think what I've decided is that I'm going to have the server treat this one HTML page as php so a user will still see index.html but it will be php under the hood. Thanks.