
preventing PHP scripts from being triggered from outside websites


cbassett03

Recommended Posts

I've got a concern for a project I'm working on...

 

I don't want external sites to be able to run/trigger one of the PHP scripts on the site I'm doing.  Can I use the PHP_SELF variable to check where the calling file is located, and then if it's not on the web server the site is being hosted on, then it won't run?

 

What's the best way to do this?  I'm just concerned about people tapping in "externally" by having their scripts / web pages call the scripts in the site I'm writing.


If you are talking about files that are only include(ed) in other files and not the ones that the user accesses via the browser, the best solution, IMO, is to put those files outside/above the web root. Then it is impossible for anyone to access the file directly.


No.

 

An external website is going to call your script as a URL, the same as a browser would (i.e. http://www.whatever.com/index.php).

 

If you don't put it in the web directory, then you're safe. If you want to protect your script from bots, you can try using USER_AGENT, or some tricks like AJAX and header redirects, but ultimately it's impossible to make something that will work in a browser but is safe from a bot.

 

What are you trying to prevent exactly? Hack attempt, DoS, data mining?


If you can't, for some reason, put the files outside of the web root and .htaccess isn't available, then this might be the second best alternative:

In your "index.php", put this at the top before including any files:

define ('ProtectedLoad', true);

 

Then you can start the files that are to be included like this:

<?php if (!defined('ProtectedLoad') || ProtectedLoad !== true) { die('Not permitted'); }

 

You can even change it to send a proper HTTP header, either to fake a 404 response or send a 403.
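Putting the two answers above together (keep include-only files above the web root, and guard them with a marker constant that only the real entry point defines), here is an added example of both files; it is not code from the thread. The directory names public_html and private, the file name lib.php and the function render_page are assumptions for illustration.

```php
<?php
// ---- public_html/index.php (the only file under the web root) ----

// Define the marker before any include. A request that reaches an include
// file directly never passes through this line, so the constant is
// undefined there and the guard below fires.
define('ProtectedLoad', true);

// Load the library from outside the document root. dirname(__DIR__) is the
// parent of public_html, a directory the web server does not serve, so the
// file cannot be requested by URL even if the guard were removed.
require dirname(__DIR__) . '/private/lib.php';

echo render_page();


<?php
// ---- private/lib.php (one level above the web root, include-only) ----

// Abort unless we were pulled in by a file that set the marker. Send a real
// 403 status instead of a 200 with an error message; use 404 here if you
// prefer to hide that the file exists at all.
if (!defined('ProtectedLoad') || ProtectedLoad !== true) {
    http_response_code(403);
    exit('Not permitted');
}

function render_page(): string
{
    return 'Hello from a protected include';
}
```

Note what this does and does not cover: the guard stops include-only files from being executed on their own, but index.php itself is still an ordinary URL, and, as the earlier reply points out, any remote site or bot can request it exactly as a browser would. Protecting that entry point is a question of authentication and rate limiting, not of where the caller's script lives.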
