avoinding direct access

[etrader]

I have a php form for uploading file as the action sends to upload.php. How I can avoid any kind of direct access to upload.php? I want to kill the php process at the first line without performing the remaining code (it is very critical for me as I have a counter), except calls coming from form.php.

[markjoe]

define() a constant in the first script.

check for it in upload.php, if notdefined, kill it.

[wildteen88]

If you have named your submit button in your form then check for the $_POST['submit_button_name'] variable in exists in upload.php, eg

if(isset($_POST['submit']))
{
     // add the code for uploading the images here
}
else
{
    // display error or redirect back to form.php here
}

[markjoe]

Sorry, I didn't play close enough attention that you are going through an html form.

However, post variables and headers can be spoofed, so while either will work, they are not 100% reliable.

If you want to be 100% sure, you would need to use a server side cache such as APC.

Or stepping outside of php, I think the best solution is defining a rule in .htaccess.

[waynewex]

Define a constant on the main page and check to see if that constant has been defined before running the upload script.

[Stooney]

Is the upload from being drawn with php via a templating system or anything?  If so you could include a randomly generated string with the login form, which is stored in a database, then checked for in upload.php.  That would make it so that any submission would have to come from you upload form.