Petsmacker Posted February 3, 2008 Share Posted February 3, 2008 Hey there, I need to make it impossible for anyone to load up a PHP page on my site directly in their browser. It should only be allowed to be 'included' by PHP using the include() function. It also needs to be picked at by a few AJAX scripts. Is there a secure way of doing this without htaccess scripts? Such as CHMOD? Any help would be appreciated. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/ Share on other sites More sharing options...
ratcateme Posted February 3, 2008 Share Posted February 3, 2008 it would be impossible to do a still accept AJAX there is no way to tell between AJAX commands and general browser viewing you can check POST vars sent by AJAX but anyone can create those POST vars to view your page Scott. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456619 Share on other sites More sharing options...
thebadbad Posted February 3, 2008 Share Posted February 3, 2008 If you put your files to be included one directory level UP from the root, no one will be able to access them directly, and PHP can still include them. But I'm not sure if Javascript can access them though.. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456641 Share on other sites More sharing options...
ratcateme Posted February 3, 2008 Share Posted February 3, 2008 if you put them one level up there is no way AJAX could access them Scott. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456644 Share on other sites More sharing options...
papaface Posted February 3, 2008 Share Posted February 3, 2008 This is easy. Do this: includefile.php: if ($include != 1) { exit; } //some code that you want to process if the file is included file.php $include = 1; include("includefile.php"); Thats it. You won't be able to run the includefile.php by accessing it directly. You can easily adapt this to check for $_GET values in a URL instead of a variable. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456650 Share on other sites More sharing options...
trq Posted February 3, 2008 Share Posted February 3, 2008 An easier method is.... <?php if ($_SERVER['PHP_SELF' == '/' . basename(__FILE__)) { exit(); } ?> Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456663 Share on other sites More sharing options...
Aureole Posted February 3, 2008 Share Posted February 3, 2008 I do something like... if( !defined( 'SOMETHING', 1 ) ) { echo( '<h1>You may not access this file directly.</h1>' ); exit; } Then before I include any files, I just do: define( 'SOMETHING', 1 ); Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456682 Share on other sites More sharing options...
papaface Posted February 3, 2008 Share Posted February 3, 2008 An easier method is.... <?php if ($_SERVER['PHP_SELF' == '/' . basename(__FILE__)) { exit(); } ?> Are you sure? I heard that $_SERVER['PHP_SELF'] can be unreliable. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456788 Share on other sites More sharing options...
trq Posted February 3, 2008 Share Posted February 3, 2008 An easier method is.... <?php if ($_SERVER['PHP_SELF' == '/' . basename(__FILE__)) { exit(); } ?> Are you sure? I heard that $_SERVER['PHP_SELF'] can be unreliable. Probably a good point. I don't keep many php files in my web root so don't usually need to worry. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456794 Share on other sites More sharing options...
EchoFool Posted February 3, 2008 Share Posted February 3, 2008 An easier method is.... <?php if ($_SERVER['PHP_SELF' == '/' . basename(__FILE__)) { exit(); } ?> Are you sure? I heard that $_SERVER['PHP_SELF'] can be unreliable. Probably a good point. I don't keep many php files in my web root so don't usually need to worry. What is so un-reliable about that? I use PHP_SELF all the time. Or you could do: Include("include.php?38383"); Then in the include If isset($_GET['38383']){ do script }else{ die; } Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456828 Share on other sites More sharing options...
Petsmacker Posted February 3, 2008 Author Share Posted February 3, 2008 Thank you very much for your responses, I will definitely look further into your suggestions. Link to comment https://forums.phpfreaks.com/topic/89173-solved-deny-direct-access-to-php-file/#findComment-456855 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.