Petsmacker Posted February 3, 2008

Hey there,

I need to make it impossible for anyone to load up a PHP page on my site directly in their browser. It should only be allowed to be 'included' by PHP using the include() function. It also needs to be picked at by a few AJAX scripts.

Is there a secure way of doing this without htaccess scripts? Such as CHMOD?

Any help would be appreciated.

ratcateme Posted February 3, 2008

It would be impossible to do and still accept AJAX. There is no way to tell between AJAX commands and general browser viewing. You can check POST vars sent by AJAX, but anyone can create those POST vars to view your page.

Scott.

thebadbad Posted February 3, 2008

If you put your files to be included one directory level UP from the root, no one will be able to access them directly, and PHP can still include them. But I'm not sure if JavaScript can access them though.

ratcateme Posted February 3, 2008

If you put them one level up, there is no way AJAX could access them.

Scott.

papaface Posted February 3, 2008

This is easy. Do this:

includefile.php:

    <?php
    // Stop unless the including script set the flag first.
    if (!isset($include) || $include != 1) {
        exit;
    }
    // some code that you want to process if the file is included

file.php:

    <?php
    $include = 1;
    include("includefile.php");

That's it. You won't be able to run the includefile.php by accessing it directly. You can easily adapt this to check for $_GET values in a URL instead of a variable.

trq Posted February 3, 2008

An easier method is....

    <?php if ($_SERVER['PHP_SELF'] == '/' . basename(__FILE__)) { exit(); } ?>

Aureole Posted February 3, 2008

I do something like...

    // At the top of each file that should only be included.
    if( !defined( 'SOMETHING' ) )
    {
        echo( '<h1>You may not access this file directly.</h1>' );
        exit;
    }

Then before I include any files, I just do:

    define( 'SOMETHING', 1 );

papaface Posted February 3, 2008

> An easier method is....
>
>     <?php if ($_SERVER['PHP_SELF'] == '/' . basename(__FILE__)) { exit(); } ?>

Are you sure? I heard that $_SERVER['PHP_SELF'] can be unreliable.

trq Posted February 3, 2008

> > An easier method is....
> >
> >     <?php if ($_SERVER['PHP_SELF'] == '/' . basename(__FILE__)) { exit(); } ?>
>
> Are you sure? I heard that $_SERVER['PHP_SELF'] can be unreliable.

Probably a good point. I don't keep many PHP files in my web root so don't usually need to worry.

EchoFool Posted February 3, 2008

> > > An easier method is....
> > >
> > >     <?php if ($_SERVER['PHP_SELF'] == '/' . basename(__FILE__)) { exit(); } ?>
> >
> > Are you sure? I heard that $_SERVER['PHP_SELF'] can be unreliable.
>
> Probably a good point. I don't keep many PHP files in my web root so don't usually need to worry.

What is so unreliable about that? I use PHP_SELF all the time.

Or you could do:

    include("include.php?38383");

Then in the include:

    if (isset($_GET['38383'])) {
        // do script
    } else {
        die;
    }

Petsmacker (Author) Posted February 3, 2008

Thank you very much for your responses, I will definitely look further into your suggestions.
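
On the PHP_SELF question raised in the thread, an added example (not code from any poster) that runs the PHP_SELF comparison next to a comparison against $_SERVER['SCRIPT_FILENAME'] over constructed request values, so the difference between the two checks is visible. The function names and the sample values are assumptions made for the illustration; run it with the PHP CLI.

```php
<?php
// Added example; the request values below are constructed, not captured.

// The PHP_SELF comparison from the thread (with the bracket closed).
function php_self_says_direct(array $server, string $file): bool
{
    return ($server['PHP_SELF'] ?? '') === '/' . basename($file);
}

// Compare the entry script the server resolved for the request with the
// guarded file. SCRIPT_FILENAME stays the entry script inside includes and
// does not carry trailing path info.
function script_filename_says_direct(array $server, string $file): bool
{
    $entry = realpath($server['SCRIPT_FILENAME']);
    return $entry !== false && $entry === realpath($file);
}

$guarded = __FILE__;          // stands in for includefile.php
$name    = basename($guarded);

// Hypothetical request shapes, keyed by what actually happened.
$cases = [
    'direct request'              => ['PHP_SELF' => "/$name",
                                      'SCRIPT_FILENAME' => $guarded],
    'direct, trailing path info'  => ['PHP_SELF' => "/$name/extra",
                                      'SCRIPT_FILENAME' => $guarded],
    'direct, file in a subfolder' => ['PHP_SELF' => "/inc/$name",
                                      'SCRIPT_FILENAME' => $guarded],
    'included by file.php'        => ['PHP_SELF' => '/file.php',
                                      'SCRIPT_FILENAME' => dirname($guarded) . '/file.php'],
];

foreach ($cases as $label => $server) {
    printf(
        "%-28s PHP_SELF check: %-7s SCRIPT_FILENAME check: %s\n",
        $label,
        php_self_says_direct($server, $guarded) ? 'blocks' : 'allows',
        script_filename_says_direct($server, $guarded) ? 'blocks' : 'allows'
    );
}
```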