Jump to content

Recommended Posts

Hi All,

 

I am looking into different methods to prevent users from directly accessing a php file. For example, if you have a form with an action="whatever.php" on it, a user can inspect the element in see in the DOM what the action is as well as the file path to that action. As shown in the form below:

<form id="contact" name="contact" method="POST" action="php/process.php">
            
            <input type="text" value="email" name="email" id="email" class="width" >
            <input type="submit" value="Submit" name="submit" id="submit" class="button">
            
</form> 

The action is "process.php." What are some of the different methods that prevents a user from typing that URL into the address bar and going directly to the file? 

 

Right now, if a user goes to that file they get an error that says something like "The variable $email does not exist." But someone can just type that parameter into the URL and the file would be exposed.

 

One method that comes to mind is checking if "submit" is set. Then if it is not, redirect the user back to index.php. 

 

Does that make sense? Does anyone have any other methods in mind?

 

Thanks in advance,

 

Link to comment
https://forums.phpfreaks.com/topic/284029-prevent-direct-access-to-php-file/
Share on other sites

$_SERVER['SCRIPT_FILENAME']

$_SERVER['REQUEST_URI']
$_SERVER['HTTP_REFERER']
get_included_files() or get_required_files() 

But as he says, a sophisticated attacker is often able to spoof $_SERVER variables and bypass such things.

$_SERVER['SCRIPT_FILENAME']

$_SERVER['REQUEST_URI']

1. Won't tell you anything you didn't already know.

2. Will have the same values for valid and forged requests.

 

$_SERVER['HTTP_REFERER']

Easily spoofable. Besides, sometimes a browser may not send that information with a legitimate request so don't rely on it anyways.

 

get_included_files() or get_required_files()

I don't see how those can help here.

 

 

You cannot tell the difference between a browser submitting a legitimate request and a slightly motivated attacker. As .josh said, code your script to handle unusual circumstances gracefully.

We are having the exact same issue with a large project we are working on at the moment, we've tried all sorts with the non-included files (such as AJAX/Form Submission) and not really found a solution that was worth spending a huge amount of time on, aslong as your code is clean and you clean all the data coming in you should be OK. We have a database stored session system that provides a level of cover against actioning the scripts but at the end of the day you'll struggle to completly stop direct access.

 

On the other hand any files that you include within your script can be protected by defining a value, like something below:

 

In your top level files:

define("IN_SCRIPT", 1);

Then in any files that are included:

if(!defined("IN_SCRIPT"))
{
	die("You are not allowed to run this file directly.");
}

This won't work for any client side scripts such as ajax calls though.

The whole question is a bit fuzzy.  OP, what's your reason for not wanting a client to access "process.php"?  If it does something when accessed directly that you don't want it to do, rewrite the script. ;)

 

You can certainly keep people away from include files:

<?php define(CALLER,"/path/to/caller.php"); $list = get_included_files(); if (in_array(CALLER,$list)) {   echo "inc.php is included!<br>";} else {   echo "I'm inc.php, but I'm dying because I was called by someone who isn't my caller.";   exit;} // ...



Form handlers are a bit tricky, but I'm not sure why this is a question.  The form handler shouldn't "expose" anything if you don't want it to ... although usually it would do form checking and output an error report of some kind.

Process.php is a super secret PHP form handling script that I use on all of my super secret websites. No, I'm just kidding. I was just creating a contact form for a site I am building and I was going over all of the worst case scenarios. I wanted to get some input on this one. You know, stir up some conversation on the topic.

 

I guess the solution is just to code better. 

 

:thumb-up:

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.