[SOLVED] Preventing direct access to PHP files with Jquery tabs?


leafer


I've attempted to block access to my php scripts directly but end up blocking it entirely.

 

Here is my setup:

 

Jquery tabs call a php file which includes another php file outside the main webroot.

 

Here is my index.htm:

<ul>
<li ><a href="1.php"<span>Tab1</span></a></li>
<li ><a href="2.php"<span>Tab2</span></a></li>
<li ><a href="3.php"<span>Tab3</span></a></li>

 

My 1.php file:

<?php
define('SOMETHING', '1');
require("/some/thing/phpfiles/whatever.php");
?>

 

Whatever.php:

if (!defined('SOMETHING'))
    exit;

 

Where am I going wrong here? I've tried htaccess files but that never worked either because the initial call is being made from a hyperlink.

Link to comment
Share on other sites

<a href="1.php"<

change that to

<a href="1.php"><

 

everything else looks satisfactory

 

I must have deleted that portion when posting it.

 

It's the theory behind it that's not making sense vs the actual code.

 

If I run 1.php directly it displays the output which is not what I want. I want to deny anyone direct access to the php file and only allow my jquery tabs to load it.

Link to comment
Share on other sites

Exactly at what point does it not work? For all we know the path in the require() statement is incorrect and you are getting a fatal runtime error. What is it doing? What are the symptoms?

 

It does work, I'm trying to prevent directly running the php file.

 

I don't want users finding the php file that's being called and directly accessing it.

Link to comment
Share on other sites

are you getting any PHP error message?

are you running PHP in safe_mode?

 

None of the above.

 

Here's the setup

 

<HTML FILE> calls <1.php> calls <mainfile.php>

 

How do I prevent people from accessing the 1.php directly.

 

I think the problem here is the initial call is coming from a hyperlink. If not I have no clue what it could be.

 

I've tried putting this into 1.php:

 

if (strtolower(__FILE__) == strtolower($_SERVER['SCRIPT_FILENAME']))
{
    echo 'Do not call this file directly';
    exit();
}

 

and still nothing. If I'm too restrictive on permissions then the file can't be accessed anyhow.

 

I also tried changing the index.html into a php file which spits out the HTML and moving the: define('SOMETHING', '1'); into the main file so it's being passed during the call. Still nothing.

Link to comment
Share on other sites
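The two guards tried in the posts above (the marker constant and the `__FILE__` versus `SCRIPT_FILENAME` comparison), as an added example that is not code from the thread: a helper that reports whether the file it is called from is the script the browser requested or one that was merely included, run against constructed paths. The demo shows why the comparison always fires inside 1.php, the entry point, and only carries information inside the included file.

```php
<?php
// Added example, not code from the thread. Assumed paths (constructed):
// /var/www/html/php/1.php is the script the browser requests and
// /var/www/journal/round-one.php is only ever included by it.

// True when $file is the script PHP was asked to execute, false when $file
// was merely included by that script. SCRIPT_FILENAME names the entry point;
// pass __FILE__ so the check refers to the file it is written in.
function is_direct_request(string $file, array $server): bool
{
    $entry = $server['SCRIPT_FILENAME'] ?? '';
    if ($entry === '') {
        return false;
    }
    // realpath() resolves symlinks and ".." for files that exist; the raw
    // string is kept for the constructed demo paths, which do not.
    $a = realpath($file) ?: $file;
    $b = realpath($entry) ?: $entry;
    return $a === $b;
}

// Guard for the top of round-one.php. Its two conditions are the thread's two
// checks, placed where they can actually differ between the two ways the file
// might run: the marker constant exists only when 1.php did the including, and
// the path test only fails when round-one.php itself is the requested script.
function require_included_by_entry_script(string $file, array $server): void
{
    if (!defined('SOMETHING') || is_direct_request($file, $server)) {
        http_response_code(403);
        exit('Do not call this file directly');
    }
}

// Why the check in the thread never let 1.php through: 1.php is the requested
// script, so inside it __FILE__ always equals SCRIPT_FILENAME and the guard
// always fires, whether a tab, a hyperlink or a typed URL made the request.
$server = ['SCRIPT_FILENAME' => '/var/www/html/php/1.php'];
var_dump(is_direct_request('/var/www/html/php/1.php', $server));        // as seen from 1.php
var_dump(is_direct_request('/var/www/journal/round-one.php', $server)); // as seen from round-one.php
```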

I see what you're saying.  I have my index.php "include" all my required php files, but I don't want people to be able to open the individual files by themselves, so I just check with a script.

 

You could do something similar:

 

<?php
if ($_SERVER['PHP_SELF'] != '/index.php')
{
	header("Location: 404.php");
}
?>

Link to comment
Share on other sites


 

What happens with that statement is the redirect occurs if accessed directly but when clicking the tab to initiate the ajax call to the 1.php, nothing. File doesn't even come up.

Link to comment
Share on other sites


 

I didn't literally mean for you to copy/paste that and hope for it to work lol, I'm not exactly sure what you're trying to do and what your filenames are but I figured it could get you on the right track.

 

In your case, change /index.php to whatever your html file is... so /index.html or whatever it is.  then put that code at the top of 1.php.

 

so.... you'd put this code at the top of your 1.php page, only you'd change "/index.html" to whatever your html filename is

 

<?php
if ($_SERVER['PHP_SELF'] != '/index.html')
{
	header("Location: 404.php");
}
?>

 

so... if the html page calls for 1.php, it loads fine, but if they try to directly access 1.php, that script will redirect them to 404.php or whatever you wish

Link to comment
Share on other sites

There isn't really any good way of doing this because the ajax call is simply a http request, which is exactly what you're trying to deny.

 

As I typed the statement I immediately wanted to eliminate ajax as the problem. I then made the exact link somewhere else on the page without any JS interaction and same result.

 

Is there no way around this?

Link to comment
Share on other sites


 

I gave you a solution... Here... read how I use the script, and you might see it's the same scenario as you:

 

index.php on my website is the backbone... it loads all my content pages with includes depending on a value i set in my session variable.  so... if I click a link for "home", it reloads index.php and then index.php include()'s home.php.

 

the problem is, I have index.php load a header for each page, so I don't want people directly accessing my php files, home.php for example.

 

so... i put that script at the top of home.php and then if someone tries to directly access it, the script sees that index.php isn't the parent document so it redirects them to 404.  if index.php accesses it on the other hand, the script sees that the parent document IS index.php so it doesn't redirect and everything works just fine.

 

I'm pretty sure this would work for your situation.

 

Heck, tell me the name of the html file and I'll even write the exact script you can copy/paste into the top of 1.php.

Link to comment
Share on other sites


 

The actual names of the files are:

 

  • index.php
  • /php/1.php which contains (require("/journal/round-one.php");)
  • ../../journal/Round_one.php

 

I've tried all of the following:

 

<?php
if ($_SERVER['PHP_SELF'] != '1.php')
   {
      header("Location: 404.php");
   }
require("/journal/round-one.php")
?>

<?php
if ($_SERVER['PHP_SELF'] != 'php/1.php')
   {
      header("Location: 404.php");
   }
require("/journal/round-one.php")
?>

<?php
if ($_SERVER['PHP_SELF'] != 'index.php')
   {
      header("Location: 404.php");
   }
require("/journal/round-one.php")
?>

 

Nothing on all three. Access to the file is prevented on the index.php but when called via hyperlink it's a no go. Access denied.

Link to comment
Share on other sites


 

so let me get this straight...

 

index.php uses jquery to open 1.php

 

then 1.php uses include() or require() to open Round_one.php

 

is this right?

 

if so... your code should be:

 

<?php
if ( $_SERVER['PHP_SELF'] != '/index.php' )
  {
      header("Location: 404.php");
  }
?>

 

BUT.... I'm pretty sure you have to include subdirectories... so if these files are running at:

 

www.yoursite.com/Directory1/Directory2/index.php

 

then you'd want to change the script to:

 

 

<?php
if ( $_SERVER['PHP_SELF'] != '/Directory1/Directory2/index.php' )
  {
      header("Location: 404.php");
  }
?>

 

if you need to, just put a die($_SERVER['PHP_SELF']); at the top of 1.php then access 1.php via your jquery and see what it echoes out.  whatever it echoes out is what you want to put into the script as the php_self you're checking against.  so basically, if the parent document isn't index.php, you redirect to 404, else it requires round_one.php

Link to comment
Share on other sites

 

so let me get this straight...

 

index.php uses jquery to open 1.php

 

then 1.php uses include() or require() to open Round_one.php

 

is this right?

 

Correct.

 


 

Tried this:

 

die($_SERVER['PHP_SELF']);

 

and it echoes this: /php/1.php

 

so i made the edit:

 

<?php
if ( $_SERVER['PHP_SELF'] != '/php/1.php' )
  {
      header("Location: 404.php");
  }
?>

 

and put that at the top of 1.php.

 

Still accessible.

 

Checked directory and file permissions just in case:

 

Directory: 755

File: 644

 

Which is normal.

 

 

Link to comment
Share on other sites

 


 

 

I don't know JS very well, so does jquery INCLUDE 1.php or does it link to it?  like if you're viewing 1.php, does your address bar show index.php or does it show 1.php?  if it "includes" or "loads" 1.php but index.php remains in the address bar, then you need to change the script to '/php/index.php'.  that way, only index.php can load 1.php.

Link to comment
Share on other sites


As I said several replies ago it simply makes a http request, just as someone would if they browsed to the file.

 

There isn't really anything you can do.

Link to comment
Share on other sites


you couldn't use $_SERVER['HTTP_REFERER'] then and check to see that it came from index.php?

 

EDIT: i guess if it's just a plain http request even that won't work huh, that sucks

Link to comment
Share on other sites

 


 

I removed the jquery call entirely and just put a regular <a href="/php/1.php">Link</a> into the page just to eliminate it as a possibility. Same.

 

I click the link to the 1.php which contains:

 

if ( $_SERVER['PHP_SELF'] != '/php/index.php')
  {
      header("Location: 404.php");
  }

 

404 redirect. Here is my directory structure:

 

/
|
|-index.php
|
|
-----/php/1.php

 

which makes a require call to a file outside of the webroot a few directories back. The call works fine without all of this.

Link to comment
Share on other sites

yea sorry I assumed jquery was INCLUDING 1.php, but if it's just linking to it then what I originally suggested won't work.  you can try

 

if ( $_SERVER['HTTP_REFERER'] != '/index.php' )
  {
      header("Location: 404.php");
  }

 

but this is just a wild guess lol

 

edit: (basically, the original script i said you should try would only work if index.php included 1.php, but instead, you're linking to it, so that original script won't work... but checking referer might work, it's worth a shot lol)

Link to comment
Share on other sites


 

Thought of the referrer trick but I might as well just leave it open if that's the case. Extremely easy to fake.

 

I looked throughout the entire list of php globals, env variables to see if there is anything but nothing.

 

As thorpe mentioned it's an http call either way. I'm surprised there isn't some simple solution or .htaccess entry I could use to limit access only when coming from that specific file.

Link to comment
Share on other sites
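Since a tab load, a hyperlink click and a typed URL all reach /php/1.php as an ordinary HTTP request, the endpoint cannot tell them apart by Referer or PHP_SELF, as the thread concludes; what it can check is session state that only a client which loaded index.php in the same session holds. The following is an added example, not code from the thread: it assumes a shared file that both index.php and 1.php require, and the function and header names are made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumed layout (constructed):
// /index.php renders the tabs and /php/1.php is the endpoint the tabs load.
// Both functions would live in a shared file that both scripts require; the
// demo at the bottom calls them in-process so no web server is needed.

// Called from index.php: mint one random token per session and return it so
// the page can hand it to jQuery (for instance in a data attribute).
function issue_tab_token(array &$session): string
{
    if (empty($session['tab_token'])) {
        $session['tab_token'] = bin2hex(random_bytes(32));
    }
    return $session['tab_token'];
}

// Called at the top of /php/1.php: the request is accepted only when it
// carries the token stored in the same session. A typed URL or a link from a
// foreign page has no token. Referer is not consulted at all, because the
// client decides what goes into that header.
function tab_request_allowed(array $session, array $server): bool
{
    $expected = $session['tab_token'] ?? '';
    $sent     = $server['HTTP_X_TAB_TOKEN'] ?? '';
    // hash_equals() keeps the comparison constant-time.
    return $expected !== '' && $sent !== '' && hash_equals($expected, $sent);
}

// In /php/1.php the check then reads:
//   session_start();
//   if (!tab_request_allowed($_SESSION, $_SERVER)) { http_response_code(403); exit; }
//   define('SOMETHING', '1');
//   require '/journal/round-one.php';
// and index.php's tab script sends the header, e.g. with jQuery UI tabs:
//   $("#tabs").tabs({ beforeLoad: function (e, ui) {
//       ui.ajaxSettings.headers = { "X-Tab-Token": $("#tabs").data("token") }; } });

// Demo with a constructed session and constructed requests.
$session = [];
$token   = issue_tab_token($session);
var_dump(tab_request_allowed($session, ['HTTP_X_TAB_TOKEN' => $token]));  // tab load from index.php
var_dump(tab_request_allowed($session, []));                               // URL typed into the address bar
var_dump(tab_request_allowed($session, ['HTTP_X_TAB_TOKEN' => 'guess']));  // wrong token
var_dump(tab_request_allowed([], ['HTTP_X_TAB_TOKEN' => $token]));        // token without the session
```

This ties the endpoint to a prior index.php load in the same session rather than hiding the file; content that only certain users may read still needs an authentication check at the same spot, and the included file stays outside the web root as it already does in the thread.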
