criostage Posted October 18, 2011

I've been wondering how to protect all the files that contain classes, functions and forms in PHP to prevent direct access to something that the user shouldn't be able to reach without the proper checks (typing http://server/inc/login.php instead of http://server/), and I came to this small idea of checking if an object is set or not, but I'm wondering if this is really the best idea. Here's what I have (the case below will protect a login form from being accessed directly):

```php
<?php
// Stop here unless the main script has already created the MySQL object.
if (!isset($mysqlobj)) die();

if (isset($_POST['username']) && isset($_POST['password'])) {
    // Credentials were submitted: try to log in and redirect on the result.
    $login = authentication::login($_POST['username'], $_POST['password']);
    if ($login == true) {
        header('location:?go=home');
    } else {
        $_SESSION['message'] = 'loginfailed';
        header('location:?go=login');
    }
} else {
    if (!empty($_SESSION['logged']) && $_SESSION['logged'] == true) {
        // Already logged in: go straight to the home page.
        header('location:?go=home');
    } else {
?>
<div id="loginform">
  <form action="?go=login" method="post">
    <table align="center">
      <tr>
        <td><font size="2">Username</font></td>
        <td><input type="text" name="username" /></td>
      </tr>
      <tr>
        <td><font size="2">Password</font></td>
        <td><input type="password" name="password" /></td>
      </tr>
      <tr>
        <td colspan="2" align="center"><input type="submit" value="Login" /></td>
      </tr>
    </table>
  </form>
</div>
<?php
    }
}
?>
```

Just looking for a "best practice". I tried Google for it but I couldn't get a straight answer. Any enlightenment is appreciated.

Far Cry Posted October 18, 2011

What I do is I place all those include files inside an includes folder outside of public_html. This is only really necessary if you are on a shared webhost (which most are).

ManiacDan Posted October 18, 2011

You can place them outside the web root and you can include a check at the beginning of each file that dies if the URL points to that file directly. Note, however, that if someone navigates directly to your class file nothing will happen. The class will be parsed and they'll see a white screen.

-Dan

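The two measures suggested in the replies above (include files kept outside the web root, plus a check at the top of each include file that stops when the file itself was requested), as an added example that is not part of the thread. The directory names, the `APP_ENTRY` constant and the `run_as_entry` helper are assumptions made for this demonstration, which runs from the command line and needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Run from the CLI: php demo.php
// Constructed layout (directory and file names are assumptions):
//   <tmp>/public_html/index.php   the only script under the web root
//   <tmp>/includes/login.php      include file, kept outside the web root
$base = sys_get_temp_dir() . '/include-guard-' . getmypid();
mkdir("$base/public_html", 0700, true);
mkdir("$base/includes", 0700, true);

// Include file: refuses to run when it is the script that was requested.
// __FILE__ is the absolute, symlink-resolved path of the file itself;
// SCRIPT_FILENAME is the entry script the server (or CLI) was asked to run.
file_put_contents("$base/includes/login.php", <<<'PHP'
<?php
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit("blocked: direct request\n");
}
// A constant defined by the entry script cannot be set through request input.
defined('APP_ENTRY') || exit("blocked: no entry point\n");
echo "login form rendered via front controller\n";
PHP);

// Front controller: the single public entry point, includes by absolute path.
file_put_contents("$base/public_html/index.php", <<<'PHP'
<?php
define('APP_ENTRY', true);
require dirname(__DIR__) . '/includes/login.php';
PHP);

// Run a file as the entry script, as the web server would for a URL.
function run_as_entry(string $script): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($script);
    return (string) shell_exec($cmd);
}

echo 'index.php -> ', run_as_entry("$base/public_html/index.php");
echo 'login.php -> ', run_as_entry("$base/includes/login.php");
```

With the includes directory outside the document root the guard is a second layer: it only matters if the file later becomes reachable by URL, for example after a deployment or configuration change.
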
criostage Posted October 18, 2011 (Author)

Well, usually I don't like to use symlinks in Apache due but it's a different point of view. Thanks guys =)

ManiacDan Posted October 19, 2011

> Well, usually I don't like to use symlinks in Apache due but it's a different point of view. Thanks guys =)

Did anyone say symlinks?