"unopenable" Scripts?

[Manixat]

Hello,

 

I have this question as to how I can make my scripts so that they cannot be opened individually, only called by other scripts?

 

eg. buddy_list.php is a page that facebook uses to load your friends, but if you attempt to open facebook.com/buddy_list.php it will load the "Page was not found" page

[kicken]

You could check whether the $_SERVER['REQUEST_URI'] points the file or not.  If it does have the script exit; possibly with an error message.

 

Another common and relatively easy thing to do is have your main files define a constant which you then check for in your other files.  Example:

 

index.php:

<?php
define('PROPER_REQUEST', true);
include('buddy_list.php');

 

buddy_list.php

<?php
if (!defined('PROPER_REQUEST')) die("Invalid Request.");

//... rest of script

 

[Muddy_Funster]

It could be because the page isn't actualy there (.htaccess url rewrite?).

Or another way could be that PHP can, I belive, be given access to the servers file system, not just the webdir. This meens that you can, in theory, require/include/fopen/file/...etc anywhere that php has the rights to access, even if the http demon doesn't have those rights.

[Manixat]

Having the $_SERVER['REQUEST_URI'] checked would be the thing I'd go for, but the problem is I already have too many scripts and having to hardcode it to all of them will be lots of work, I was hoping there was a less painful way?

 

Using htaccess makes "main" pages unable to access scripts as well :/

[Pikachu2000]

Unless I've overlooked something, for scripts that are not to be directly accessed this should work.

 

if( basename(__FILE__) === basename($_SERVER['SCRIPT_NAME']) ) {
die('Direct access to this file is not allowed.');
}

[PFMaBiSmAd]

Using htaccess makes "main" pages unable to access scripts as well

 

Not if you are including them using a file system path, which is the normal way. Using a URL to include files takes from 10 to 100 times longer to execute, only includes the content that the file outputs, and means that you won't be able to prevent http requests to them because the http request your main page is making to them must work, therefor a http request from a browser must work as well.

[Manixat]

Unless I've overlooked something, for scripts that are not to be directly accessed this should work.

 

if( basename(__FILE__) === basename($_SERVER['SCRIPT_NAME']) ) {
die('Direct access to this file is not allowed.');
}

 

basename(__FILE__)

 

this causes an internal server error O.o

 

Not if you are including them using a file system path, which is the normal way. Using a URL to include files takes from 10 to 100 times longer to execute, only includes the content that the file outputs, and means that you won't be able to prevent http requests to them because the http request your main page is making to them must work, therefor a http request from a browser must work as well.

 

I'm not quite sure I understand what you mean, I use relative paths ?

 

 

Another common and relatively easy thing to do is have your main files define a constant which you then check for in your other files. Example:

 

index.php:

<?php
define('PROPER_REQUEST', true);
include('buddy_list.php');

 

buddy_list.php

<?php
if (!defined('PROPER_REQUEST')) die("Invalid Request.");

//... rest of script

 

Another thing I thought about is that this will not work out well with ajax

Edited November 22, 2012 by Manixat

[jcbones]

For ajax, you would send a token that is preset by the server, and checked on page request.

[Pikachu2000]

 

 

basename(__FILE__)

 

this causes an internal server error O.o

 

That's odd, it works fine for me. What shows up in your error logs?