markthien Posted February 27, 2009

Hi,

I store all my PHP scripts under the /bin folder, like process-signup.php. If a user goes directly to http://www.menggaris.com/bin/process-signup.php, then the script will eventually be executed and data will be saved into the database. The user should go to signup.php first. How can I prevent this situation from happening? I am wondering whether there is any way to detect if a user directly accesses process-signup.php instead of coming from signup.php.

Thanks & regards,
Mark

valtido Posted February 27, 2009

Try:

    // Redirect when the requested script path contains process-signup.php
    if (stristr(htmlentities($_SERVER['PHP_SELF']), "process-signup.php")) {
        header("Location: hackAttempt.php");
        exit();
    }

I'm not sure it will be 100% safe, but the phpBB script uses that.

valtido Posted February 27, 2009

Oh, forgot to mention that it should be at the very top of the page lol, otherwise people can still see whatever is above it.

phpdragon Posted February 27, 2009

Set up a session variable on signup.php and do a header redirect if the variable is not set in your process_signup.php script.

valtido Posted February 27, 2009

That's not a good idea, because I could open the setup.php in one window and then process-setup.php in another.

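One way to build the session check discussed in the two posts above so that the form's own POST is the only request accepted: signup.php issues a one-time token, and process-signup.php requires it back in the POST body. This is an added example, not code from any poster in the thread; the function names, the `signup_token` session key and the `token` form field are assumptions.

```php
<?php
// Added example (not from the thread). All names here are hypothetical.

// signup.php side: create a one-time token and keep a copy in the session.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['signup_token'] = $token;
    return $token; // print it into <input type="hidden" name="token">
}

// process-signup.php side: accept only a POST that carries the token issued
// to this session, and consume the token so it can be used once.
function is_valid_submission(string $method, array $post, array &$session): bool
{
    if ($method !== 'POST') {
        return false; // a typed URL or a followed link arrives as GET
    }
    $expected = $session['signup_token'] ?? null;
    unset($session['signup_token']); // single use, also after a failed try
    $given = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// Constructed demonstration with a plain array standing in for the session.
// In the real scripts call session_start() and pass
// $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION instead.
$session = [];
$token = issue_form_token($session);
var_dump(is_valid_submission('GET', [], $session));                    // URL opened directly
var_dump(is_valid_submission('POST', ['token' => 'guess'], $session)); // wrong token
$token = issue_form_token($session);
var_dump(is_valid_submission('POST', ['token' => $token], $session));  // real form post
var_dump(is_valid_submission('POST', ['token' => $token], $session));  // same token replayed
```

When the check fails, process-signup.php would redirect back to signup.php and exit before touching the database.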
markthien (Author) Posted February 27, 2009

Someone said that preferably the PHP script should be put outside the document root. How should I put process-signup.php outside the document root folder? For example, consider the following code:

    <form id="signup_form" action="bin/process-signup.php" method="post">
        <input type="text" name="name" id="name"/>
        <input type="text" name="email" id="email"/>
        <input type="submit" value="submit" name="submit" id="submit"/>
    </form>

My document root path is /home/webadministrator/www/root/ and all my PHP scripts are under /home/webadministrator/www/root/bin. Now, if I put process-signup.php under /home/websiteadmin/www/bin, how should I put the path in the HTML form? I don't think I can put it like this?

    <form id="signup_form" action="/home/websiteadmin/www/bin/process-signup.php" method="post">

Regards,
Mark

laffin Posted February 27, 2009

My suggestion is to avoid sessions/cookies. The PHP_SELF var is a good idea, as well as using a constant in your main pages, so that in your included files a simple check for the constant can break with an error.

main.php

    <?php
    // Mark this request as having entered through a main page
    define('PAGE', 'main');
    include('includes.php');
    ?>
    Success

includes.php

    <?php
    // Stop if the file was requested directly instead of being included
    if (!defined('PAGE')) {
        die('Illegal Access');
    }
    // Rest of include
    ?>

Very simple technique. The nice thing about it is that you don't need to do a page lookup against PHP_SELF.

Good luck

RichardRotterdam Posted February 27, 2009

An alternative is to specify which directories or files you don't want accessed in an .htaccess file.