ajoo Posted October 16, 2013 Share Posted October 16, 2013 Hi, searching for this very common question as in subject, I CAME ACROSS THE FOLLOWING QUESTION:- I have a php file which I will be using as exclusively as an include. Therefore I would like to throw an error instead of executing it when it's accessed directly by typing in the URL instead of being included. Basically I need to do a check as follows in the php file: if ( $REQUEST_URL == $URL_OF_CURRENT_PAGE ) die ("Direct access not premitted"); Is there an easy way to do this? AND THIS ANSWER:- The easiest way is to set some variable in the file that calls include, such as $including = true; Then in the file that's being included, check for the variable if (!$including) exit("direct access not permitted"); AND THESE COMMENTS:- 2 This is dangerous if register_globals is on. – jmucchiello Jan 3 '09 at 18:51 11 PHP is dangerous if register_globals is on. – David Precious Jan 3 '09 at 18:56 MY QUESTION IS that please can someone explain why and how this is a dangerous menthod and if it should be used or not. I have actually used this technique, There is a php file which is accessed as a hyperlink from the index file. When I use that link, it gives me an error saying that I cannot access that file directly. So does that mean that this technique won't work on hyperlinked files? If not then what is the best way to ensure that hyprelinked files are not accessed directly? Thanks a lot everyone on the forum. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/ Share on other sites More sharing options...
mac_gyver Posted October 16, 2013 Share Posted October 16, 2013 (edited) the issue with register_globals is you can set any php variable by setting the same name $_GET, $_POST, $_COOKIE variable. if someone knows your code in the included file is testing $including, they can simply add ?including=1 in the url when they request your included file and the if (!$including) statement will allow access to the file. there is/was a lot of open-source scripts that used this method, since the variable name was known by examining the script, and a lot of sites where taken over. fortunately, register_globals has finally been removed in php5.4. a better way is to use a defined constant instead of a variable (register_globals cannot supply a value for a defined constant.) an even better way, since it completely eliminates any processing time for the files, is to put the included files into a folder that cannot be directly accessed via url requests. Edited October 16, 2013 by mac_gyver Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454140 Share on other sites More sharing options...
ajoo Posted October 16, 2013 Author Share Posted October 16, 2013 Hey thanks ! yes I am now trying and using the define to define a constant. However what about a file that I have to access using a href defined hyperlink? What's the way to prevent direct access to that file other than what you suggested of putting the files into a folder other than the root. Please suggest something. Thanks ! Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454146 Share on other sites More sharing options...
mac_gyver Posted October 16, 2013 Share Posted October 16, 2013 your thread is about protecting included files against direct url requests. included files are support files that are incorporated into and used by a web page. included files should be accessed through the file system, not a url. you shouldn't have any intentional url links to an included file. if this doesn't address your question, please post an actual example showing what you are trying to do. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454147 Share on other sites More sharing options...
ajoo Posted October 16, 2013 Author Share Posted October 16, 2013 yea hi ! ok so this one file is not an included file. It's a PHP file, say second.php which is invoked by a hyperlink on the main webpage index.php. Now i don't want to give a direct access to it so i asked if something similar like defining a constant and then checking for it in the second.php , once the hyperlink was pressed in index.php, could be used to prevent direct access to this file second.php. I am actually thinking of using sessions to prevent direct accesss to this one - (a hyperlink invoked file). Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454152 Share on other sites More sharing options...
Ch0cu3r Posted October 16, 2013 Share Posted October 16, 2013 (edited) If you're directly linking to secound.php in a hyperlink, like <a href="http://yoursite.com/secound.php">Link</a> then you cannot prevent direct access to that file, as you are linking directly to it. Are you only wanting to prevent access to secound.php if the user has not been to index.php first? Edited October 16, 2013 by Ch0cu3r Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454153 Share on other sites More sharing options...
ajoo Posted October 18, 2013 Author Share Posted October 18, 2013 yes that's exactly correct. yes I don't want someone to go to secound.php from anywhere else except the hyperlink so i guess sessions is the best way to ensure it. Maybe You can suggest something else. Thanks Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454408 Share on other sites More sharing options...
Solution Ch0cu3r Posted October 18, 2013 Solution Share Posted October 18, 2013 (edited) You could set session variable, $_SESSION['can_access'] to true in index.php $_SESSION['can_access'] = true; Then in secound.php check if this session variable exists at the top of the page <?php session_start(); // kill the page if the access variable doesn't exists // or if the access variable does exist but is not set to true if(!isset($_SESSION['can_access']) || (isset($_SESSION['can_access']) && $_SESSION['can_access'] !== true)) { die('You cannot directly access this page!'); // kill the page display error } // rest of page code Edited October 18, 2013 by Ch0cu3r Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454415 Share on other sites More sharing options...
ajoo Posted October 19, 2013 Author Share Posted October 19, 2013 Thanks you so much ! Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454509 Share on other sites More sharing options...
Irate Posted October 19, 2013 Share Posted October 19, 2013 Try .htaccess to generate 403 errors when accessing the script, if you have an Apache server running. ErrorDocument 403 /path/to/file.php Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454525 Share on other sites More sharing options...
mac_gyver Posted October 19, 2013 Share Posted October 19, 2013 @Irate, please read and understand the thread before posting replies. it turns out the OP wants someone to be able to visit a page, but only by first visiting a preceding page. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454529 Share on other sites More sharing options...
Irate Posted October 19, 2013 Share Posted October 19, 2013 Hrmpf, I guess my reading skills were better at another time. I apologize. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454543 Share on other sites More sharing options...
ajoo Posted October 20, 2013 Author Share Posted October 20, 2013 MacGyver is right but Thanks none the less, gives me something else to check and read about. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1454599 Share on other sites More sharing options...
dc909 Posted April 11, 2015 Share Posted April 11, 2015 Hello everyone. I am NOT a programmer and have very limited knowledge of PHP. I found the information on this thread somewhat useful, well it worked once, but it's not working!! I purchased a custom coded website and I wanted to make it a "members only" website, so I looked around and found the WYSIWYG web builder, that helped me create a log in page, a sign up page etc. My login page is named "default.php", and if the username and password is correct it takes you to "index.php", which is the main page of the actual website. I want to make sure that no one can access "index.php" or any other page without first going through the log in page "default.php". I tried the code you presented here and it worked, I put this code in "default.php": $_SESSION['can_access'] = true; and this code in "index.php" session_start();// kill the page if the access variable doesn't exists// or if the access variable does exist but is not set to trueif(!isset($_SESSION['can_access']) || (isset($_SESSION['can_access']) && $_SESSION['can_access'] !== true)){ die('You cannot directly access this page!'); // kill the page display error} The first time it worked, I logged in and went to the index page, and I was not able to go directly to "index.php" if I typed it into my browser! woohooo but after that first time, I get the error message every time I log in, and I can't get to "index.php" .Any ideas about what I'm missing here? Please remember I'm new to all this. I can copy and paste whatever code you provide, and see if it works, that's about it. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1508736 Share on other sites More sharing options...
ajoo Posted June 3, 2015 Author Share Posted June 3, 2015 Hi dc909, Stumbled on this old mail by chance. try this: in default.php add the line define('GOPASS',true); in index.php add the following line: if(!defined('GOPASS')) die('cannot execute this file directly'); hope it helps. Quote Link to comment https://forums.phpfreaks.com/topic/283021-preventing-direct-access-of-php-files/#findComment-1513116 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.