markspec87
Posted November 24, 2006
Link to comment: https://forums.phpfreaks.com/topic/28304-direct-file-accessing/

I've seen on CMSs like PHPnuke that when you access certain files that simply process data or just aren't meant to be accessed, it says "you cannot access this file directly".

How do you go about doing that?

I want to protect some of my admin files that add database information, but would prefer not to go through making them admin only. I'd rather have nobody be able to use them unless they've been referred from one of the CMS forms etc.

Any ideas?

Fallen_angel
Posted November 24, 2006

Chmoding your files with a custom error page would do this, although it can have adverse effects and make scripts stop working, because you must always remember that the script isn't going to access the file as an owner; it will be a guest, or at best, with a bit of fancy coding, a user.

Always be careful and take notes when chmoding your web dir, just so if anything stops working you can just roll it back.

btherl
Posted November 24, 2006

Normally you would do that with .htaccess files, assuming you are using Apache as the webserver.

Alternatively, you could put code at the top of each sensitive script which checks if it was included from the CMS or being called directly. The CMS can set a variable which the sensitive code can check before executing. If the variable is set, it runs as usual. If it's not set, then it displays an error message.

Or to be truly paranoid, you can combine both methods :)

mansuang
Posted November 24, 2006

Try $_SERVER['HTTP_REFERER'] to check where the page was opened from.

[code]
<?php
// Compare the Referer header sent with the request against the expected page.
// isset() avoids an undefined-index notice when no Referer header is present.
if (!isset($_SERVER['HTTP_REFERER'])
    || $_SERVER['HTTP_REFERER'] != 'someurl.com/referer.php') {
    echo "you cannot access this file directly";
    exit;
}
?>
[/code]

btherl
Posted November 24, 2006

mansuang, I think he's looking at protecting files which should only be included, rather than files which should only be linked to from the CMS.
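
The check btherl describes for include-only files, as an added example that is not part of the original thread: the CMS entry point defines a constant and the sensitive script refuses to run without it. The names CMS_ENTRY and add_record.php are hypothetical, and the include file is constructed in a temp directory so the script runs on its own from the PHP CLI.

```php
<?php
// Added example, not code from the thread. CMS_ENTRY, add_record.php and the
// temp directory are hypothetical names; the include file is constructed here
// so the demo runs offline with the PHP CLI.

$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir($dir, 0700);

// The include-only script. The guard is its first statement.
file_put_contents("$dir/add_record.php", <<<'SRC'
<?php
// A constant is used instead of a variable: request input cannot define()
// one, whereas register_globals (old PHP) could set a plain variable.
if (!defined('CMS_ENTRY')) {
    if (PHP_SAPI !== 'cli') {
        http_response_code(403);   // real web request: answer 403
    }
    echo "You cannot access this file directly.\n";
    return false;                  // a live script would call exit; here
}
echo "add_record.php: running inside the CMS\n";
return true;
SRC
);

// Case 1: direct access, simulated by running the file as its own process,
// so nothing has defined CMS_ENTRY before it starts.
$cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg("$dir/add_record.php");
echo "direct:  ", shell_exec($cmd);

// Case 2: the CMS front controller defines the constant, then includes.
define('CMS_ENTRY', true);
echo "via CMS: ";
$ran = include "$dir/add_record.php";

unlink("$dir/add_record.php");
rmdir($dir);
exit($ran === true ? 0 : 1);
```

The guard only covers files that are pulled in with include or require. A script that a form posts to is requested directly by the browser, so it still needs its own session or permission check.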