ajoo Posted October 16, 2013

Hi, searching for this very common question as in subject, I CAME ACROSS THE FOLLOWING QUESTION:-

I have a php file which I will be using exclusively as an include. Therefore I would like to throw an error instead of executing it when it's accessed directly by typing in the URL instead of being included. Basically I need to do a check as follows in the php file:

    if ( $REQUEST_URL == $URL_OF_CURRENT_PAGE ) die ("Direct access not permitted");

Is there an easy way to do this?

AND THIS ANSWER:-

The easiest way is to set some variable in the file that calls include, such as

    $including = true;

Then in the file that's being included, check for the variable

    if (!$including) exit("direct access not permitted");

AND THESE COMMENTS:-

2 This is dangerous if register_globals is on. – jmucchiello Jan 3 '09 at 18:51
11 PHP is dangerous if register_globals is on. – David Precious Jan 3 '09 at 18:56

MY QUESTION IS: please can someone explain why and how this is a dangerous method and if it should be used or not.

I have actually used this technique. There is a php file which is accessed as a hyperlink from the index file. When I use that link, it gives me an error saying that I cannot access that file directly. So does that mean that this technique won't work on hyperlinked files? If not then what is the best way to ensure that hyperlinked files are not accessed directly?

Thanks a lot everyone on the forum.

mac_gyver Posted October 16, 2013 (edited)

the issue with register_globals is you can set any php variable by setting the same name $_GET, $_POST, $_COOKIE variable. if someone knows your code in the included file is testing $including, they can simply add ?including=1 in the url when they request your included file and the if (!$including) statement will allow access to the file. there are/were a lot of open-source scripts that used this method, since the variable name was known by examining the script, and a lot of sites were taken over.

fortunately, register_globals has finally been removed in php5.4.

a better way is to use a defined constant instead of a variable (register_globals cannot supply a value for a defined constant.)

an even better way, since it completely eliminates any processing time for the files, is to put the included files into a folder that cannot be directly accessed via url requests.

Edited October 16, 2013 by mac_gyver

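The difference between the variable check and the defined-constant check described in the post above, modelled in one script as an added example (not code from the thread). `extract()` stands in for register_globals, which no longer exists in current PHP, and the constant name `APP_ENTRY` and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. register_globals is simulated
// with extract(), which turns request parameters into variables.
// APP_ENTRY and the function names are hypothetical.

/** Variable guard from the first post: if (!$including) exit(...). */
function variable_guard_allows(array $query, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        extract($query); // request data becomes local variables
    }
    return !empty($including);
}

/** Constant guard: passes only if PHP code already ran define(). */
function constant_guard_allows(array $query, bool $registerGlobals): bool
{
    if ($registerGlobals) {
        extract($query); // creates $APP_ENTRY, a variable, never a constant
    }
    return defined('APP_ENTRY');
}

function report(string $label, bool $allowed): void
{
    echo str_pad($label, 55), $allowed ? "runs\n" : "blocked\n";
}

// Constructed query string of a direct request to the include file.
$direct = ['including' => '1', 'APP_ENTRY' => '1'];

report('variable guard, register_globals off, direct request', variable_guard_allows($direct, false));
report('variable guard, register_globals on, direct request', variable_guard_allows($direct, true));
report('constant guard, register_globals on, direct request', constant_guard_allows($direct, true));

// What the entry script does before it includes the file.
define('APP_ENTRY', true);
report('constant guard, included from the entry script', constant_guard_allows([], false));
```

Of the three direct-request cases, only the variable guard with register_globals on lets the file run; the constant guard passes only after the entry script has called `define()` in the same request.
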
ajoo (Author) Posted October 16, 2013

Hey thanks ! yes I am now trying and using the define to define a constant. However what about a file that I have to access using a href defined hyperlink? What's the way to prevent direct access to that file other than what you suggested of putting the files into a folder other than the root. Please suggest something.

Thanks !

mac_gyver Posted October 16, 2013

your thread is about protecting included files against direct url requests. included files are support files that are incorporated into and used by a web page. included files should be accessed through the file system, not a url. you shouldn't have any intentional url links to an included file.

if this doesn't address your question, please post an actual example showing what you are trying to do.

ajoo (Author) Posted October 16, 2013

yea hi ! ok so this one file is not an included file. It's a PHP file, say second.php, which is invoked by a hyperlink on the main webpage index.php. Now i don't want to give direct access to it so i asked if something similar, like defining a constant and then checking for it in second.php once the hyperlink was pressed in index.php, could be used to prevent direct access to this file second.php.

I am actually thinking of using sessions to prevent direct access to this one (a hyperlink invoked file).

Thanks.

Ch0cu3r Posted October 16, 2013 (edited)

If you're directly linking to secound.php in a hyperlink, like

    <a href="http://yoursite.com/secound.php">Link</a>

then you cannot prevent direct access to that file, as you are linking directly to it.

Are you only wanting to prevent access to secound.php if the user has not been to index.php first?

Edited October 16, 2013 by Ch0cu3r

ajoo (Author) Posted October 18, 2013

yes that's exactly correct. yes I don't want someone to go to secound.php from anywhere else except the hyperlink so i guess sessions is the best way to ensure it. Maybe You can suggest something else.

Thanks

Solution: Ch0cu3r Posted October 18, 2013 (edited)

You could set a session variable, $_SESSION['can_access'], to true in index.php

    session_start(); // must run before $_SESSION is used, or the value is not saved
    $_SESSION['can_access'] = true;

Then in secound.php check if this session variable exists at the top of the page

    <?php
    session_start();
    // kill the page if the access variable doesn't exist
    // or if the access variable does exist but is not set to true
    if(!isset($_SESSION['can_access']) || (isset($_SESSION['can_access']) && $_SESSION['can_access'] !== true))
    {
        die('You cannot directly access this page!'); // kill the page display error
    }
    // rest of page code

Edited October 18, 2013 by Ch0cu3r

ajoo (Author) Posted October 19, 2013

Thank you so much !

Irate Posted October 19, 2013

Try .htaccess to generate 403 errors when accessing the script, if you have an Apache server running.

    ErrorDocument 403 /path/to/file.php

mac_gyver Posted October 19, 2013

@Irate, please read and understand the thread before posting replies. it turns out the OP wants someone to be able to visit a page, but only by first visiting a preceding page.

Irate Posted October 19, 2013

Hrmpf, I guess my reading skills were better at another time. I apologize.

ajoo (Author) Posted October 20, 2013

MacGyver is right but Thanks none the less, gives me something else to check and read about.

dc909 Posted April 11, 2015

Hello everyone. I am NOT a programmer and have very limited knowledge of PHP. I found the information on this thread somewhat useful, well it worked once, but it's not working!!

I purchased a custom coded website and I wanted to make it a "members only" website, so I looked around and found the WYSIWYG web builder, that helped me create a log in page, a sign up page etc. My login page is named "default.php", and if the username and password is correct it takes you to "index.php", which is the main page of the actual website. I want to make sure that no one can access "index.php" or any other page without first going through the log in page "default.php".

I tried the code you presented here and it worked. I put this code in "default.php":

    $_SESSION['can_access'] = true;

and this code in "index.php":

    session_start();
    // kill the page if the access variable doesn't exists
    // or if the access variable does exist but is not set to true
    if(!isset($_SESSION['can_access']) || (isset($_SESSION['can_access']) && $_SESSION['can_access'] !== true))
    {
        die('You cannot directly access this page!'); // kill the page display error
    }

The first time it worked, I logged in and went to the index page, and I was not able to go directly to "index.php" if I typed it into my browser! woohooo

but after that first time, I get the error message every time I log in, and I can't get to "index.php". Any ideas about what I'm missing here? Please remember I'm new to all this. I can copy and paste whatever code you provide, and see if it works, that's about it.

ajoo (Author) Posted June 3, 2015

Hi dc909,

Stumbled on this old mail by chance. try this:

in default.php add the line

    define('GOPASS',true);

in index.php add the following line:

    if(!defined('GOPASS')) die('cannot execute this file directly');

hope it helps.