computermax2328 Posted November 18, 2013 Share Posted November 18, 2013 Hi All, I am looking into different methods to prevent users from directly accessing a php file. For example, if you have a form with an action="whatever.php" on it, a user can inspect the element in see in the DOM what the action is as well as the file path to that action. As shown in the form below: <form id="contact" name="contact" method="POST" action="php/process.php"> <input type="text" value="email" name="email" id="email" class="width" > <input type="submit" value="Submit" name="submit" id="submit" class="button"> </form> The action is "process.php." What are some of the different methods that prevents a user from typing that URL into the address bar and going directly to the file? Right now, if a user goes to that file they get an error that says something like "The variable $email does not exist." But someone can just type that parameter into the URL and the file would be exposed. One method that comes to mind is checking if "submit" is set. Then if it is not, redirect the user back to index.php. Does that make sense? Does anyone have any other methods in mind? Thanks in advance, Quote Link to comment Share on other sites More sharing options...
.josh Posted November 18, 2013 Share Posted November 18, 2013 there is no 100% way to prevent this. Quote Link to comment Share on other sites More sharing options...
computermax2328 Posted November 18, 2013 Author Share Posted November 18, 2013 Ok, so how about some work arounds? Any advice there? Quote Link to comment Share on other sites More sharing options...
dalecosp Posted November 18, 2013 Share Posted November 18, 2013 $_SERVER['SCRIPT_FILENAME'] $_SERVER['REQUEST_URI']$_SERVER['HTTP_REFERER']get_included_files() or get_required_files() But as he says, a sophisticated attacker is often able to spoof $_SERVER variables and bypass such things. Quote Link to comment Share on other sites More sharing options...
computermax2328 Posted November 18, 2013 Author Share Posted November 18, 2013 Hey Dalecosp, So you are saying that I could use something like $_SERVER['REQUEST_URI'] to say if it is this file then redirect them somewhere else or something like that? Quote Link to comment Share on other sites More sharing options...
.josh Posted November 18, 2013 Share Posted November 18, 2013 well, there are no workarounds. There's a few tricks to stave off the noobies and a few bots but overall it's ridiculously easy to circumvent. Basically you just need to restructure your script to handle direct requests elegantly. Quote Link to comment Share on other sites More sharing options...
requinix Posted November 18, 2013 Share Posted November 18, 2013 $_SERVER['SCRIPT_FILENAME'] $_SERVER['REQUEST_URI'] 1. Won't tell you anything you didn't already know. 2. Will have the same values for valid and forged requests. $_SERVER['HTTP_REFERER']Easily spoofable. Besides, sometimes a browser may not send that information with a legitimate request so don't rely on it anyways. get_included_files() or get_required_files()I don't see how those can help here. You cannot tell the difference between a browser submitting a legitimate request and a slightly motivated attacker. As .josh said, code your script to handle unusual circumstances gracefully. Quote Link to comment Share on other sites More sharing options...
AaronClifford Posted November 18, 2013 Share Posted November 18, 2013 We are having the exact same issue with a large project we are working on at the moment, we've tried all sorts with the non-included files (such as AJAX/Form Submission) and not really found a solution that was worth spending a huge amount of time on, aslong as your code is clean and you clean all the data coming in you should be OK. We have a database stored session system that provides a level of cover against actioning the scripts but at the end of the day you'll struggle to completly stop direct access. On the other hand any files that you include within your script can be protected by defining a value, like something below: In your top level files: define("IN_SCRIPT", 1); Then in any files that are included: if(!defined("IN_SCRIPT")) { die("You are not allowed to run this file directly."); } This won't work for any client side scripts such as ajax calls though. Quote Link to comment Share on other sites More sharing options...
dalecosp Posted November 18, 2013 Share Posted November 18, 2013 The whole question is a bit fuzzy. OP, what's your reason for not wanting a client to access "process.php"? If it does something when accessed directly that you don't want it to do, rewrite the script. You can certainly keep people away from include files: <?php define(CALLER,"/path/to/caller.php"); $list = get_included_files(); if (in_array(CALLER,$list)) { echo "inc.php is included!<br>";} else { echo "I'm inc.php, but I'm dying because I was called by someone who isn't my caller."; exit;} // ... Form handlers are a bit tricky, but I'm not sure why this is a question. The form handler shouldn't "expose" anything if you don't want it to ... although usually it would do form checking and output an error report of some kind. Quote Link to comment Share on other sites More sharing options...
computermax2328 Posted November 18, 2013 Author Share Posted November 18, 2013 Process.php is a super secret PHP form handling script that I use on all of my super secret websites. No, I'm just kidding. I was just creating a contact form for a site I am building and I was going over all of the worst case scenarios. I wanted to get some input on this one. You know, stir up some conversation on the topic. I guess the solution is just to code better. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.