
preventing PHP scripts from being triggered from outside websites


cbassett03


I've got a concern for a project I'm working on...


I don't want external sites to be able to run/trigger one of the PHP scripts on the site I'm doing.  Can I use the PHP_SELF variable to check where the calling file is located, and then if it's not on the web server the site is being hosted on, then it won't run?


What's the best way to do this?  I'm just concerned about people tapping in "externally" by having their scripts / web pages call the scripts in the site I'm writing.

If you are talking about files that are only include()d in other files and not the ones that the user accesses via the browser, the best solution, IMO, is to put those files outside/above the web root. Then it is impossible for anyone to access the file directly.

No.


An external website is going to call your script as a url, the same as a browser would (ie: http://www.whatever.com/index.php)


If you don't put it in the web directory, then you're safe. If you want to protect your script from bots, you can try using USER_AGENT, or some tricks like ajax and header redirects, but ultimately it's impossible to make something that will work in a browser but is safe from a bot.


What are you trying to prevent exactly? Hack attempt, DoS, data mining?

If you can't, for some reason, put the files outside of the web root and .htaccess isn't available, then this might be the second best alternative:

In your "index.php", put this at the top before including any files:

define ('ProtectedLoad', true);


Then you can start the files that are to be included like this:

<?php if (!defined('ProtectedLoad') || ProtectedLoad !== true) { die('Not permitted'); } // refuse to run unless loaded via index.php


You can even change it to send a proper HTTP header, either to fake a 404 response or send a 403.
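The constant-guard approach from this reply, written out as a complete pair of files with the 403 variant (an added example, not code posted in the thread; the path lib/helpers.php and the greet() helper are assumed for illustration):

```php
<?php
// ---- index.php: the only file the web server is meant to serve directly ----
// The constant is defined BEFORE any include, so every file loaded from here
// can verify it came in through this front controller.
declare(strict_types=1);

define('ProtectedLoad', true);

require __DIR__ . '/lib/helpers.php';   // assumed path of the protected include

echo greet('world');


// ---- lib/helpers.php: must never run when requested on its own ----
// If a browser or remote script requests /lib/helpers.php directly, nothing has
// defined ProtectedLoad, so the guard answers 403 and stops before any code
// below it executes. When included from index.php the check passes silently.
if (!defined('ProtectedLoad') || ProtectedLoad !== true) {
    http_response_code(403);            // use 404 instead if you prefer not to reveal the file
    header('Content-Type: text/plain; charset=utf-8');
    exit('Not permitted');
}

function greet(string $who): string
{
    // Output-encode so the helper is safe to use with untrusted input.
    return 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8') . "\n";
}
```

The guard is defence in depth: keep the include directory outside the web root, or deny it in the server configuration, where the hosting allows it, and rely on the constant check only as a backstop.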
