Security Help

[Archadian]

How can i check to see if a certain script was pulled with include() or check to see if the server pulled it rather than someone going to the script directly through the URL? Thanks

[Archadian]

bump - anyone know what i could use to do this? Thanks

[SharkBait]

Think the only way would be to look at your web server's apache logs and search that for the file you're looking for.

 

 

[Archadian]

Im just trying to keep everyone out of the script except my server, such as include(), in other words i want the server to be the only thing that can view/use the script.

[redarrow]

lookup mod_rewrite or .htaccess

[Archadian]

I don't have Apache, im looking for PHP code to do this

[akitchin]

a simple but very brutish way to do this is to check for a defined var.  for example:

 

<?php
$included = TRUE;
include("file.php");
?>

 

and in file.php, do:

 

<?php
if ($included !== TRUE)
{
  exit;
}
?>

 

this will ensure that the file exist unless $included (which can be anything you name it) is defined.  as i said, this is a very inelegant solution - for a more fundamental solution, a cursory glance at the $_SERVER predefined vars may help.  i vaguely recall one of them telling you the actual script in which the current file is running (which will tell you whether another script is calling the page or whether it's being executed directly).

[akitchin]

nevermind, i guess i was mistaken about $_SERVER.

[Archadian]

i figured it out for anyone that would like to know for future reference here it is:

 

put this at the top of your index page between <?php ?>:

 

define('SOMETHING_HERE', true);

 

then on any of your scripts that you only want your server to use it put this:

 

if (!defined('SOMETHING_HERE')) {	

die('Restricted!');

}
else {

// your code here


}

 

This works even if they visit your index.php. Thanks everyone for the help