The Eagle Posted September 8, 2010 Share Posted September 8, 2010 I've got a question, I thought I'd be able to do this fairly easily. I don't want to do an .htaccess solution also. I tried this, define('ACCESS', TRUE); // then on other page if(!defined('ACCESS'){die('Direct access not allowed.');} Need some assistance, appreciated. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/ Share on other sites More sharing options...
AbraCadaver Posted September 8, 2010 Share Posted September 8, 2010 Whatever file has: define('ACCESS', TRUE); Then includes the file with the IF check? Also, you have a parse error here: if(!defined('ACCESS') Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108809 Share on other sites More sharing options...
The Eagle Posted September 8, 2010 Author Share Posted September 8, 2010 Thanks for your response, I've actually found some other solution, a simple, non-complicated one perfect for me. Included on the file you want to include the file on (sounds odd...) <?php $pw = "monkey"; include("updates.php"); ?> Then on my updates.php page, if ($pw != "monkey") { die("Access denied."); } echo "Monkeys are cool..."; ?> Simple small fix I'm looking for. Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108813 Share on other sites More sharing options...
fortnox007 Posted September 8, 2010 Share Posted September 8, 2010 I know joomla uses this: in index.php they have: define( '_JEXEC', 1 ); all other files have // no direct access defined( '_JEXEC' ) or die( 'Restricted access' ); Hope this helps Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108817 Share on other sites More sharing options...
Psycho Posted September 8, 2010 Share Posted September 8, 2010 The problem with that approach is that if there is ever a PHP parsing error, the raw code *could* potentially be exposed. That exposed code could then be used to find weaknesses in the site and infiltrate it. This has happened in the past with some well-known sites. Instead, if you have files that should never be accessed directly, there is a very simple, fool-proof technique: don't include them in the public directory! In other words, do not point the root of the web address to the root of your folder structure. For example, you could create a directory structure such as this: filesystem root | --classes | --common | --htdocs (public folder) | --inlcudes | --Templates The index.php file for the home page would go into the htdocs folder and you would make that the root for the website. There is no way for users to access the other folders above. But, the PHP code could access those files via include() or other means. However, you have to include files such as images, javascript, etc, in the htdocs folder or subfolders because those are "requested" through the browser not the PHP code. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108819 Share on other sites More sharing options...
The Eagle Posted September 8, 2010 Author Share Posted September 8, 2010 Instead, if you have files that should never be accessed directly, there is a very simple, fool-proof technique: don't include them in the public directory! In other words, do not point the root of the web address to the root of your folder structure. For example, you could create a directory structure such as this: filesystem root | --classes | --common | --htdocs (public folder) | --inlcudes | --Templates The index.php file for the home page would go into the htdocs folder and you would make that the root for the website. There is no way for users to access the other folders above. But, the PHP code could access those files via include() or other means. Yes, I was thinking of doing this. I thought an easy solution would be something bizarre like, <?php include("123news.php"); ?> I'm unsure how many people would actually precisely guess that name. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108820 Share on other sites More sharing options...
fortnox007 Posted September 8, 2010 Share Posted September 8, 2010 May I ask how to include the file in the folder above the root is that with ../ ? and thx btw for this nice tip Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108821 Share on other sites More sharing options...
AbraCadaver Posted September 8, 2010 Share Posted September 8, 2010 Thanks for your response, I've actually found some other solution, a simple, non-complicated one perfect for me. Included on the file you want to include the file on (sounds odd...) <?php $pw = "monkey"; include("updates.php"); ?> Then on my updates.php page, if ($pw != "monkey") { die("Access denied."); } echo "Monkeys are cool..."; ?> Simple small fix I'm looking for. Thanks. That's the same as using the define: <?php define('ACCESS', true); include("updates.php"); ?> Then on your updates.php page: defined('ACCESS') or die('Access denied'); echo "Monkeys are cool..."; The constant ACCESS will be available in functions or classes whereas the $pw variable will not. I would stick with the define. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108822 Share on other sites More sharing options...
Psycho Posted September 8, 2010 Share Posted September 8, 2010 I have a project where ALL of the files with any logic are secured in non-public folders on the server one level up from the public folder. My homepage (index.php) only has a couple of lines of code to point it to the real files with the PHP Logic: <?php error_reporting(E_ALL | E_STRICT); $_PATHS['root'] = dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR; include ($_PATHS['root'].'main.php'); exit(); ?> Of course I do have other pages that are publicly available. But, all they do is set parameters for the modules to load then call the index.php page. Here is the page to access the management functions of the site. It would be accessed at the url: http://www.mysite.com/manage/index.php <?php $module = "manage"; include("../index.php"); ?> As you can see, all it does is set a value for the $module and then calls the index.php page at the "web" root. That page, then calls the logic files that are secured in non-public directories. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108825 Share on other sites More sharing options...
AbraCadaver Posted September 8, 2010 Share Posted September 8, 2010 May I ask how to include the file in the folder above the root is that with ../ ? and thanks btw for this nice tip Yes, or use the full path /var/www/classes, or you can add those paths to your include directory. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108827 Share on other sites More sharing options...
fortnox007 Posted September 8, 2010 Share Posted September 8, 2010 awesome!! Like we are having dinner with the gods Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108829 Share on other sites More sharing options...
The Eagle Posted September 8, 2010 Author Share Posted September 8, 2010 @AbraCadaver, Yes I know that's basically the same, but some reason define was not working for me at all, I tried a lot of things too. Great solutions on this page. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108831 Share on other sites More sharing options...
fortnox007 Posted September 8, 2010 Share Posted September 8, 2010 @mjdamato Does your Setup also works nice for website with search friendly URL's / mod_rewrite. I have never looked in the logic of that, but I always thought it rewrites the current URl and thus depends on the directory structure. But I might as well be completely incorrect Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108835 Share on other sites More sharing options...
Psycho Posted September 8, 2010 Share Posted September 8, 2010 @mjdamato Does your Setup also works nice for website with search friendly URL's / mod_rewrite. I have never looked in the logic of that, but I always thought it rewrites the current URl and thus depends on the directory structure. But I might as well be completely incorrect Yes, of course. As I stated above, the "pages" are accessible to the user with direct URLs. It's just that those pages (files) don't include any real logic - they simply call secured files that have all the logic. There is no way a browser or search engine can know that the page was created with files in the public space or not. They only react to the final content that is delivered. Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108851 Share on other sites More sharing options...
fortnox007 Posted September 8, 2010 Share Posted September 8, 2010 Thanks!! Quote Link to comment https://forums.phpfreaks.com/topic/212889-deny-direct-access-to-a-php-file/#findComment-1108889 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.