leafer Posted September 30, 2009

I've attempted to block direct access to my PHP scripts but end up blocking it entirely. Here is my setup: jQuery tabs call a PHP file, which includes another PHP file outside the main webroot.

Here is my index.htm:

<ul>
<li><a href="1.php"<span>Tab1</span></a></li>
<li><a href="2.php"<span>Tab2</span></a></li>
<li><a href="3.php"<span>Tab3</span></a></li>

My 1.php file:

<?php
define('SOMETHING', '1');
require("/some/thing/phpfiles/whatever.php");
?>

Whatever.php:

if (!defined('SOMETHING')) exit;

Where am I going wrong here? I've tried .htaccess files, but that never worked either because the initial call is being made from a hyperlink.
RussellReal Posted September 30, 2009

<a href="1.php"<

change that to

<a href="1.php"><

Everything else looks satisfactory.
leafer (Author) Posted October 1, 2009

> <a href="1.php"< change that to <a href="1.php">< Everything else looks satisfactory.

I must have deleted that portion when posting it. It's the theory behind it that's not making sense vs. the actual code. If I run 1.php directly it displays the output, which is not what I want. I want to deny anyone direct access to the PHP file and only allow my jQuery tabs to load it.
PFMaBiSmAd Posted October 1, 2009

Exactly at what point does it not work? For all we know the path in the require() statement is incorrect and you are getting a fatal runtime error. What is it doing? What are the symptoms?
leafer (Author) Posted October 1, 2009

> Exactly at what point does it not work? For all we know the path in the require() statement is incorrect and you are getting a fatal runtime error. What is it doing? What are the symptoms?

It does work; I'm trying to prevent directly running the PHP file. I don't want users finding the PHP file that's being called and directly accessing it.
mvfreelance Posted October 1, 2009

Are you getting any PHP error message? Are you running PHP in safe_mode?
leafer (Author) Posted October 1, 2009

> Are you getting any PHP error message? Are you running PHP in safe_mode?

None of the above. Here's the setup:

<HTML FILE> calls <1.php> calls <mainfile.php>

How do I prevent people from accessing 1.php directly? I think the problem here is that the initial call is coming from a hyperlink. If not, I have no clue what it could be. I've tried putting this into 1.php:

if (strtolower(__FILE__) == strtolower($_SERVER['SCRIPT_FILENAME'])) {
    echo 'Do not call this file directly';
    exit();
}

and still nothing. If I'm too restrictive on permissions then the file can't be accessed anyhow. I also tried changing index.html into a PHP file which spits out the HTML and moving the:

define('SOMETHING', '1');

into the main file so it's being passed during the call. Still nothing.
5kyy8lu3 Posted October 1, 2009

I see what you're saying. I have my index.php "include" all my required PHP files, but I don't want people to be able to open the individual files by themselves, so I just check with a script. You could do something similar:

<?php
if ($_SERVER['PHP_SELF'] != '/index.php') {
    header("Location: 404.php");
    exit;
}
?>
leafer (Author) Posted October 1, 2009

> I see what you're saying. I have my index.php "include" all my required PHP files, but I don't want people to be able to open the individual files by themselves, so I just check with a script. You could do something similar:
>
> <?php if ($_SERVER['PHP_SELF'] != '/index.php') { header("Location: 404.php"); } ?>

What happens with that statement is the redirect occurs if accessed directly, but when clicking the tab to initiate the AJAX call to 1.php, nothing. The file doesn't even come up.
trq Posted October 1, 2009

There isn't really any good way of doing this because the AJAX call is simply an HTTP request, which is exactly what you're trying to deny.
5kyy8lu3 Posted October 1, 2009

> > I see what you're saying. I have my index.php "include" all my required PHP files, but I don't want people to be able to open the individual files by themselves, so I just check with a script. You could do something similar:
> >
> > <?php if ($_SERVER['PHP_SELF'] != '/index.php') { header("Location: 404.php"); } ?>
>
> What happens with that statement is the redirect occurs if accessed directly, but when clicking the tab to initiate the AJAX call to 1.php, nothing. The file doesn't even come up.

I didn't literally mean for you to copy/paste that and hope for it to work, lol. I'm not exactly sure what you're trying to do and what your filenames are, but I figured it could get you on the right track. In your case, change /index.php to whatever your HTML file is, so /index.html or whatever it is. Then put that code at the top of 1.php. So... you'd put this code at the top of your 1.php page, only you'd change "/index.html" to whatever your HTML filename is:

<?php
if ($_SERVER['PHP_SELF'] != '/index.html') {
    header("Location: 404.php");
    exit;
}
?>

So... if the HTML page calls for 1.php, it loads fine, but if they try to directly access 1.php, that script will redirect them to 404.php or whatever you wish.
leafer (Author) Posted October 1, 2009

> There isn't really any good way of doing this because the AJAX call is simply an HTTP request, which is exactly what you're trying to deny.

As I typed the statement I immediately wanted to eliminate AJAX as the problem. I then made the exact link somewhere else on the page without any JS interaction, and same result. Is there no way around this?
5kyy8lu3 Posted October 1, 2009

> > There isn't really any good way of doing this because the AJAX call is simply an HTTP request, which is exactly what you're trying to deny.
>
> As I typed the statement I immediately wanted to eliminate AJAX as the problem. I then made the exact link somewhere else on the page without any JS interaction, and same result. Is there no way around this?

I gave you a solution... Here... read how I use the script, and you might see it's the same scenario as yours: index.php on my website is the backbone... it loads all my content pages with includes depending on a value I set in my session variable. So... if I click a link for "home", it reloads index.php and then index.php include()'s home.php. The problem is, I have index.php load a header for each page, so I don't want people directly accessing my PHP files, home.php for example. So... I put that script at the top of home.php, and then if someone tries to directly access it, the script sees that index.php isn't the parent document, so it redirects them to 404. If index.php accesses it, on the other hand, the script sees that the parent document IS index.php, so it doesn't redirect and everything works just fine. I'm pretty sure this would work for your situation. Heck, tell me the name of the HTML file and I'll even write the exact script you can copy/paste into the top of 1.php.
leafer (Author) Posted October 1, 2009

> > > There isn't really any good way of doing this because the AJAX call is simply an HTTP request, which is exactly what you're trying to deny.
> >
> > As I typed the statement I immediately wanted to eliminate AJAX as the problem. I then made the exact link somewhere else on the page without any JS interaction, and same result. Is there no way around this?
>
> I gave you a solution... Here... read how I use the script, and you might see it's the same scenario as yours: index.php on my website is the backbone... it loads all my content pages with includes depending on a value I set in my session variable. So... if I click a link for "home", it reloads index.php and then index.php include()'s home.php. The problem is, I have index.php load a header for each page, so I don't want people directly accessing my PHP files, home.php for example. So... I put that script at the top of home.php, and then if someone tries to directly access it, the script sees that index.php isn't the parent document, so it redirects them to 404. If index.php accesses it, on the other hand, the script sees that the parent document IS index.php, so it doesn't redirect and everything works just fine. I'm pretty sure this would work for your situation. Heck, tell me the name of the HTML file and I'll even write the exact script you can copy/paste into the top of 1.php.

The actual names of the files are:

index.php
/php/1.php, which contains require("/journal/round-one.php")
../../journal/Round_one.php

I've tried all of the following:

<?php
if ($_SERVER['PHP_SELF'] != '1.php') {
    header("Location: 404.php");
}
require("/journal/round-one.php");
?>

<?php
if ($_SERVER['PHP_SELF'] != 'php/1.php') {
    header("Location: 404.php");
}
require("/journal/round-one.php");
?>

<?php
if ($_SERVER['PHP_SELF'] != 'index.php') {
    header("Location: 404.php");
}
require("/journal/round-one.php");
?>

Nothing on all three. Access to the file is prevented on index.php, but when called via hyperlink it's a no go. Access denied.
5kyy8lu3 Posted October 1, 2009

> > > > There isn't really any good way of doing this because the AJAX call is simply an HTTP request, which is exactly what you're trying to deny.
> > >
> > > As I typed the statement I immediately wanted to eliminate AJAX as the problem. I then made the exact link somewhere else on the page without any JS interaction, and same result. Is there no way around this?
> >
> > I gave you a solution... Here... read how I use the script, and you might see it's the same scenario as yours: index.php on my website is the backbone... it loads all my content pages with includes depending on a value I set in my session variable. So... if I click a link for "home", it reloads index.php and then index.php include()'s home.php. The problem is, I have index.php load a header for each page, so I don't want people directly accessing my PHP files, home.php for example. So... I put that script at the top of home.php, and then if someone tries to directly access it, the script sees that index.php isn't the parent document, so it redirects them to 404. If index.php accesses it, on the other hand, the script sees that the parent document IS index.php, so it doesn't redirect and everything works just fine. I'm pretty sure this would work for your situation. Heck, tell me the name of the HTML file and I'll even write the exact script you can copy/paste into the top of 1.php.
>
> The actual names of the files are: index.php; /php/1.php, which contains require("/journal/round-one.php"); ../../journal/Round_one.php. I've tried all of the following:
>
> <?php if ($_SERVER['PHP_SELF'] != '1.php') { header("Location: 404.php"); } require("/journal/round-one.php"); ?>
> <?php if ($_SERVER['PHP_SELF'] != 'php/1.php') { header("Location: 404.php"); } require("/journal/round-one.php"); ?>
> <?php if ($_SERVER['PHP_SELF'] != 'index.php') { header("Location: 404.php"); } require("/journal/round-one.php"); ?>
>
> Nothing on all three. Access to the file is prevented on index.php, but when called via hyperlink it's a no go. Access denied.

So let me get this straight... index.php uses jQuery to open 1.php, then 1.php uses include() or require() to open Round_one.php. Is this right? If so... your code should be:

<?php
if ( $_SERVER['PHP_SELF'] != '/index.php' ) {
    header("Location: 404.php");
    exit;
}
?>

BUT.... I'm pretty sure you have to include subdirectories... so if these files are running at www.yoursite.com/Directory1/Directory2/index.php then you'd want to change the script to:

<?php
if ( $_SERVER['PHP_SELF'] != '/Directory1/Directory2/index.php' ) {
    header("Location: 404.php");
    exit;
}
?>

If you need to, just put a die($_SERVER['PHP_SELF']); at the top of 1.php, then access 1.php via your jQuery and see what it echoes out. Whatever it echoes out is what you want to put into the script as the PHP_SELF you're checking against. So basically, if the parent document isn't index.php, you redirect to 404, else it requires round_one.php.
leafer (Author) Posted October 1, 2009

> So let me get this straight... index.php uses jQuery to open 1.php, then 1.php uses include() or require() to open Round_one.php. Is this right?

Correct.

> If so... your code should be:
>
> <?php if ( $_SERVER['PHP_SELF'] != '/index.php' ) { header("Location: 404.php"); } ?>
>
> BUT.... I'm pretty sure you have to include subdirectories... so if these files are running at www.yoursite.com/Directory1/Directory2/index.php then you'd want to change the script to:
>
> <?php if ( $_SERVER['PHP_SELF'] != '/Directory1/Directory2/index.php' ) { header("Location: 404.php"); } ?>
>
> If you need to, just put a die($_SERVER['PHP_SELF']); at the top of 1.php, then access 1.php via your jQuery and see what it echoes out. Whatever it echoes out is what you want to put into the script as the PHP_SELF you're checking against. So basically, if the parent document isn't index.php, you redirect to 404, else it requires round_one.php.

Tried this:

die($_SERVER['PHP_SELF']);

and it echoes this:

/php/1.php

So I made the edit:

<?php
if ( $_SERVER['PHP_SELF'] != '/php/1.php' ) {
    header("Location: 404.php");
}
?>

and put that at the top of 1.php. Still accessible. Checked directory and file permissions just in case: Directory: 755, File: 644. Which is normal.
5kyy8lu3 Posted October 1, 2009

> > So let me get this straight... index.php uses jQuery to open 1.php, then 1.php uses include() or require() to open Round_one.php. Is this right?
>
> Correct.
>
> > If so... your code should be:
> >
> > <?php if ( $_SERVER['PHP_SELF'] != '/index.php' ) { header("Location: 404.php"); } ?>
> >
> > BUT.... I'm pretty sure you have to include subdirectories... so if these files are running at www.yoursite.com/Directory1/Directory2/index.php then you'd want to change the script to:
> >
> > <?php if ( $_SERVER['PHP_SELF'] != '/Directory1/Directory2/index.php' ) { header("Location: 404.php"); } ?>
> >
> > If you need to, just put a die($_SERVER['PHP_SELF']); at the top of 1.php, then access 1.php via your jQuery and see what it echoes out. Whatever it echoes out is what you want to put into the script as the PHP_SELF you're checking against. So basically, if the parent document isn't index.php, you redirect to 404, else it requires round_one.php.
>
> Tried this: die($_SERVER['PHP_SELF']); and it echoes this: /php/1.php
>
> So I made the edit:
>
> <?php if ( $_SERVER['PHP_SELF'] != '/php/1.php' ) { header("Location: 404.php"); } ?>
>
> and put that at the top of 1.php.

I don't know JS very well, so does jQuery INCLUDE 1.php or does it link to it? Like, if you're viewing 1.php, does your address bar show index.php or does it show 1.php? If it "includes" or "loads" 1.php but index.php remains in the address bar, then you need to change the script to '/php/index.php'. That way, only index.php can load 1.php.
trq Posted October 1, 2009

> I don't know JS very well, so does jQuery INCLUDE 1.php or does it link to it?

As I said several replies ago, it simply makes an HTTP request, just as someone would if they browsed to the file. There isn't really anything you can do.
5kyy8lu3 Posted October 1, 2009

> > I don't know JS very well, so does jQuery INCLUDE 1.php or does it link to it?
>
> As I said several replies ago, it simply makes an HTTP request, just as someone would if they browsed to the file. There isn't really anything you can do.

You couldn't use $_SERVER['HTTP_REFERER'] then and check to see that it came from index.php?

EDIT: I guess if it's just a plain HTTP request even that won't work, huh. That sucks.
RussellReal Posted October 1, 2009

Referer can be easily spoofed.
trq Posted October 1, 2009

That's probably worth a try.
leafer (Author) Posted October 1, 2009

> > > So let me get this straight... index.php uses jQuery to open 1.php, then 1.php uses include() or require() to open Round_one.php. Is this right?
> >
> > Correct.
> >
> > > If so... your code should be:
> > >
> > > <?php if ( $_SERVER['PHP_SELF'] != '/index.php' ) { header("Location: 404.php"); } ?>
> > >
> > > BUT.... I'm pretty sure you have to include subdirectories... so if these files are running at www.yoursite.com/Directory1/Directory2/index.php then you'd want to change the script to:
> > >
> > > <?php if ( $_SERVER['PHP_SELF'] != '/Directory1/Directory2/index.php' ) { header("Location: 404.php"); } ?>
> > >
> > > If you need to, just put a die($_SERVER['PHP_SELF']); at the top of 1.php, then access 1.php via your jQuery and see what it echoes out. Whatever it echoes out is what you want to put into the script as the PHP_SELF you're checking against. So basically, if the parent document isn't index.php, you redirect to 404, else it requires round_one.php.
> >
> > Tried this: die($_SERVER['PHP_SELF']); and it echoes this: /php/1.php
> >
> > So I made the edit:
> >
> > <?php if ( $_SERVER['PHP_SELF'] != '/php/1.php' ) { header("Location: 404.php"); } ?>
> >
> > and put that at the top of 1.php.
>
> I don't know JS very well, so does jQuery INCLUDE 1.php or does it link to it? Like, if you're viewing 1.php, does your address bar show index.php or does it show 1.php? If it "includes" or "loads" 1.php but index.php remains in the address bar, then you need to change the script to '/php/index.php'. That way, only index.php can load 1.php.

I removed the jQuery call entirely and just put a regular <a href="/php/1.php">Link</a> into the page, just to eliminate it as a possibility. Same. I click the link to 1.php, which contains:

if ( $_SERVER['PHP_SELF'] != '/php/index.php') {
    header("Location: 404.php");
}

404 redirect. Here is my directory structure:

/
|
|-index.php
|
|-----/php/1.php

which makes a require call to a file outside of the webroot a few directories back. The call works fine without all of this.
5kyy8lu3 Posted October 1, 2009

Yeah, sorry, I assumed jQuery was INCLUDING 1.php, but if it's just linking to it then what I originally suggested won't work. You can try:

if ( $_SERVER['HTTP_REFERER'] != '/index.php' ) {
    header("Location: 404.php");
    exit;
}

but this is just a wild guess, lol.

edit: (basically, the original script I said you should try would only work if index.php included 1.php, but instead you're linking to it, so that original script won't work... but checking referer might work, it's worth a shot lol)
leafer (Author) Posted October 1, 2009

> > > I don't know JS very well, so does jQuery INCLUDE 1.php or does it link to it?
> >
> > As I said several replies ago, it simply makes an HTTP request, just as someone would if they browsed to the file. There isn't really anything you can do.
>
> You couldn't use $_SERVER['HTTP_REFERER'] then and check to see that it came from index.php?
>
> EDIT: I guess if it's just a plain HTTP request even that won't work, huh. That sucks.

Thought of the referrer trick, but I might as well just leave it open if that's the case. Extremely easy to fake. I looked through the entire list of PHP globals and env variables to see if there is anything, but nothing. As thorpe mentioned, it's an HTTP call either way. I'm surprised there isn't some simple solution or .htaccess entry I could use to limit access only when coming from that specific file.
5kyy8lu3 Posted October 1, 2009

You could set a session variable in index.php and check to see that it's set in 1.php (then immediately unset it), else you redirect to 404.
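The thread ends where it has to: an endpoint fetched by jQuery is a plain HTTP request, so nothing in $_SERVER can prove that "the tab" rather than a browser address bar issued it, and the Referer header is attacker-controlled. What the last suggestion (a session value set by index.php and checked by 1.php) can do is narrower and still useful: bind each request to a session that first loaded the page. The following is an added example written for this thread, not code from any poster. It assumes the file layout described above (index.php, /php/1.php, and whatever.php outside the webroot), a constructed request header name X-Tab-Token, and container ids #tabs and #content that the original markup does not have. The three sections are three separate files shown in one listing.

```php
<?php
// ===== file: index.php (the page that hosts the tabs) =====
// Issue one random token per session. random_bytes() is CSPRNG-backed.
session_start();
if (empty($_SESSION['tab_token'])) {
    $_SESSION['tab_token'] = bin2hex(random_bytes(32));
}
// Escape before embedding in an attribute, even though the value is hex.
$token = htmlspecialchars($_SESSION['tab_token'], ENT_QUOTES, 'UTF-8');
?>
<ul id="tabs" data-token="<?= $token ?>">
  <li><a href="/php/1.php"><span>Tab1</span></a></li>
</ul>
<div id="content"></div>
<script>
// The tab fetch sends the token as a request header (assumed name).
// A bare link or a typed URL carries no such header and gets a 403.
$('#tabs a').on('click', function (e) {
  e.preventDefault();
  $.ajax({
    url: this.href,
    headers: { 'X-Tab-Token': $('#tabs').data('token') },
    success: function (html) { $('#content').html(html); }
  });
});
</script>

<?php
// ===== file: php/1.php (the endpoint the tab loads) =====
session_start();
// PHP exposes the custom header X-Tab-Token as HTTP_X_TAB_TOKEN.
$sent     = $_SERVER['HTTP_X_TAB_TOKEN'] ?? '';
$expected = $_SESSION['tab_token'] ?? '';
// No token in the session means index.php was never loaded in this session.
// hash_equals() compares in constant time so a guesser learns nothing from
// response timing. Do not trust $_SERVER['HTTP_REFERER'] here: the client
// sets it and can set it to anything.
if ($expected === '' || !hash_equals($expected, $sent)) {
    http_response_code(403);
    exit('Forbidden');
}
define('SOMETHING', '1');
require '/some/thing/phpfiles/whatever.php';

// ===== file: /some/thing/phpfiles/whatever.php (outside the webroot) =====
// Being outside the document root is what really keeps this file off the
// network; the constant guard from the original post is a second line of
// defence in case the file is ever copied under the webroot.
if (!defined('SOMETHING')) {
    http_response_code(403);
    exit;
}
echo '<p>Tab 1 content</p>';
```

The token gate denies the cases the original poster could reproduce (a typed URL, a plain hyperlink, a request from another session), but it is not access control: anyone who can load index.php can read the token from the page and replay it, because the browser that renders the page is the same party that is later asked to present the token. If 1.php returns anything that not every visitor should see, the check that matters is an authenticated session with an authorization rule inside 1.php, and the token is merely a convenience layer on top of that.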