Protecting Included Files

[jdrawmer]

Hi All,

 

I'm trying to secure my web app which is currently in development, and came across this issue.

 

I have a header.php and footer.php page which are included to every page, with the content in the middle. The problem is, if you visit header.php then it displays the header, with some blank text.

 

What is the best way to protect this - i.e., if visited directly, it re-directs to index.php etc.

 

My initial thought is to set a $happylink on each page and in the header and footer, checking basically doing the following

 

if (isset($happylink) && !empty($happylink))
{
     blah blah;
}
else
{
     Header("Location: index.php");
}

 

Would that be the best way? Is there something easier?

[trq]

Files that aren't designed to be accessed directly should be stored outside of your servers document root and there location should be added to your include path. failing the ability to do so (shity shared hosting) you can define a constant within the file calling the include, then check for the existence of that constant within the include itself. eg;

 

<?php

define('IS_WITHIN_APP', true);

include 'foo.php';

// more code

 

foo.php

<?php

if (!defined('IS_WITHIN_APP')) {
  die('Bugger Off!');
}

[jdrawmer]

Thanks, I may have to go down that approach - the include file isn't in the document root, but is still accessible directly (www.formasual.net/game/header.php), game being a sub-dir - i'm guessing it's some ghay shared hosting permissions.

 

Cheers!

[trq]

If you can access the file via the web, it is somewhere within the document root, sub directory or not.

 

You need to place them above (outside of) the document root.

[jdrawmer]

Ah right - that is something I won't be able to do until I get a dedicated server then really because it is indeed shared hosting. Your approach seems good though.

 

Thanks