markthien Posted December 11, 2008 Share Posted December 11, 2008 Hi guys, I got a db-connect.php with the following content: <?php $con = mysql_connect("sdalk.com","root","root"); if (!$con){ print('<div style="padding:10px;background-color:#EE9A00;font-family:arial;font-size:22px;font-weight:bold;color:#292421">We are having some system issue here. Please come back later !</div>'); exit; } mysql_select_db("sdalk", $con); ?> so if says index.php want to access database, it will include it like : <?php require_once("db-connect.php"); .... mysql_close($con); ?> I am afraid that if there is a visitor who knows that my db-connect.php exist, then he will like go directly to access this file where he will enter in the browser like: http://www.sdalk.com/db-connect.php and there will be a lot of openning connection without closing the connection. is there any safe way to like detect if db-connect.php is access directly thru browser, then jus ignore it or redirect visitor to other page? Appreciate if someone can help me on this matter. Thanks & Regards, Mark Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/ Share on other sites More sharing options...
trq Posted December 11, 2008 Share Posted December 11, 2008 if (basename($_SERVER['PHP_SELF']) == __FILE__) { exit(); } Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-712432 Share on other sites More sharing options...
Adam Posted December 11, 2008 Share Posted December 11, 2008 Save the file outside of your "htdocs" (or whatever you have on your server) directory.. that way it's inaccessible through the browser.. A Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-712436 Share on other sites More sharing options...
psyickphuk Posted December 11, 2008 Share Posted December 11, 2008 Or try the following: In the db-connect (or any included) file start it with: <?php defined('_VALID_INCLUDE') or die('Direct access not allowed.'); and in the index (or any 'container' file) put the following (before the included file of course): define('_VALID_INCLUDE', TRUE); Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-712516 Share on other sites More sharing options...
markthien Posted December 12, 2008 Author Share Posted December 12, 2008 ok guys. thanks a lot for your advice. I really appreciate your help here. So should I change my db-connect.php to be like the following: <?php defined('_VALID_INCLUDE') or die('Direct access not allowed.'); if (basename($_SERVER['PHP_SELF']) == __FILE__) { exit(); } $con = mysql_connect("sdalk.com","root","root"); if (!$con){ print('<div style="padding:10px;background-color:#EE9A00;font-family:arial;font-size:22px;font-weight:bold;color:#292421">We are having some system issue here. Please come back later !</div>'); exit; } mysql_select_db("sdalk", $con); ?> Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713299 Share on other sites More sharing options...
markthien Posted December 12, 2008 Author Share Posted December 12, 2008 Hello psyickphuk, is the below correct : <?php defined('_VALID_INCLUDE') or die('Oops .... direct access is not allowed.'); require_once("db-connect.php"); require_once("global-setting.php"); require_once('recaptchalib.php'); require_once("error-code.php"); .... ?> where I just need to declare once for the defined('_VALID_INCLUDE') or die('Oops .... direct access is not allowed.'); ?? regards, Mark Or try the following: In the db-connect (or any included) file start it with: <?php defined('_VALID_INCLUDE') or die('Direct access not allowed.'); and in the index (or any 'container' file) put the following (before the included file of course): define('_VALID_INCLUDE', TRUE); Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713336 Share on other sites More sharing options...
markthien Posted December 12, 2008 Author Share Posted December 12, 2008 Hi guys, Can we say that the best way is to put db-connect.php outside htdocs so that it's impossible for visitor to access directly? Mark Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713379 Share on other sites More sharing options...
ted_chou12 Posted December 12, 2008 Share Posted December 12, 2008 if u really want to put it in public_html, try adding a htaccess file that includes the following lines: Order Deny,Allow Deny from all but u have to add this to a folder and have that file u wish not to be accessed directly in the same directory. Ted. Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713383 Share on other sites More sharing options...
chronister Posted December 12, 2008 Share Posted December 12, 2008 Yes, the best thing to do is just keep it outside of your web root directory. I have a db connect class that lives outside of my web root, I use the 1 file for multiple sites that I have hosted on this particular server. That is the safest way to do it. Nate Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713410 Share on other sites More sharing options...
CroNiX Posted December 12, 2008 Share Posted December 12, 2008 I usually just stick my connection definitions (host/user/pass/database) outside the web root. Not sure what benefit sticking the whole class there is, without the connection info they can't do anything if you have the rest of the server set up properly. Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713415 Share on other sites More sharing options...
chronister Posted December 12, 2008 Share Posted December 12, 2008 I usually just stick my connection definitions (host/user/pass/database) outside the web root. Not sure what benefit sticking the whole class there is, without the connection info they can't do anything if you have the rest of the server set up properly. My particular class has my connection details in it for multiple databases. I use it for several sites so I have a completely standard way of accessing databases. When I instantiate the class, I pass an argument to it which represents a particular database. e.g. $db = new cDatabase('blog'); // creates connections to the blog database $db2 = new cDatabase('shoppingCart'); // creates connections to the shopping cart database. That's why I do this. I have a shared host and I run about 5-6 sites from it. I use this one file for all the sites. Nate Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713424 Share on other sites More sharing options...
CroNiX Posted December 12, 2008 Share Posted December 12, 2008 Ah, well when I make a db class I instantiate it like the following: $db = new DBHandler(DB_HOST, DB_USER, DB_PASS, DB_NAME); so I can have a file with this outside of web root: define('DB_HOST', 'myhost.com'); define('DB_USER', 'username'); define('DB_PASS', 'password'); define('DB_NAME', 'database'); I think its much easier to maintain because you don't have to go manually changing the class (to change the host, user, pass)...just the config file. Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713454 Share on other sites More sharing options...
chronister Posted December 12, 2008 Share Posted December 12, 2008 Ahh, to each his own I guess.... When I want to add a new database connection to the file, I add one of these buggers... elseif($type == 'NAME_TO_PASS') { $hostName='HOSTNAME'; $userName='USERNAME'; $passwordName='PASSWORD'; $databaseName='DB_NAME'; } This works quite well for me. I could clean up the run of 4-6 if/elseif/elseif/else block, but... I am lazy and it works.. so I don't fix it I like this, because I don't have to mess with the db info but once in a great while. On my shared host, I can't specify anything but the password (which I usually leave alone as it is a pretty darn secure one) and I end up with things like db45678912332 <- db name, dbo45678912332 <-- db username, 456123.hostname.net <-- host. But again, preferences. Nate Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713461 Share on other sites More sharing options...
CroNiX Posted December 12, 2008 Share Posted December 12, 2008 Most of the stuff I write I sell to clients, so to help the dumb clients (most of them are anyway) I like to have just 1 file where they can change all major settings in so they don't have to go digging all over trying to find where to change stuff. It seems like your situation is different in that you use your own stuff, so you know where all of the changes need to be made. Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713468 Share on other sites More sharing options...
chronister Posted December 12, 2008 Share Posted December 12, 2008 Yes, this is true.... However when I am creating for clients, then yes I would use a config file that held that information to make it easy for them to change when the need arises. So different situations call for different methods. In my previous job, I had the same kind of deal. Running multiple sites from a VPS and did the same thing. 1 db class file outside the root accesible to all sites and called the proper db per need. In some files i actually needed to make calls to 2 different databases so this was very handy. They had a "public" and "private" area, (2 different sites and 2 different domain names) each with it's own db. In the "private" area, after you logged in, you could manage parts of the "public" area so this was nice to be able to access multiple databases from 1 file by instantiating the class twice with a different argument to "talk" to each database. Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713476 Share on other sites More sharing options...
Adam Posted December 12, 2008 Share Posted December 12, 2008 When you connect through FTP, you should be brought into the root directory. Often there are several sub-directories such as (remember there are several common names for most of these).. - logs - htdocs - private "logs" will obviously contain logs, for things such as errors. "htdocs" is the web root. Everything beyond htdocs is technically accessible through a browser. "private" is kind of miscellaneous directory - store your private files in here (such as your db-connect.php file). You could use private (or whatever similar name yours has), or you could create your own, say "php"? As I said only files within htdocs are accessible through a browser, however in your PHP scripts you can still include files from the other directories. So assuming you're in your web root directory, you could use: include '../php/db-connect.php'; Which will still work no problems, but isn't accessible to anyone but you and your scripts! A Quote Link to comment https://forums.phpfreaks.com/topic/136487-prevent-direct-access-a-php-file/#findComment-713573 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.