Prevent direct access to PHP file

jaysmizzle
Forum Newbie
Posts: 9
Joined: Fri May 01, 2009 2:55 am

Prevent direct access to PHP file

Post by jaysmizzle »

I need to prevent someone from having direct access to a php file but at the same time allow it to display images on my html page. I have an images folder with a random.php file in it. This random.php file displays a random image on my index.html page. However, someone can easily just type in 'http://www.mysite.com/images/random.php' and be taken to a blank white page with my random pics displayed, which I obviously don't want to happen. I tried uploading an htaccess file to the images directory that would deny all access to the files within, but it also prevents my images from being displayed on my index.html page. Thanks for the help.
crazycoders
Forum Contributor
Posts: 260
Joined: Tue Oct 28, 2008 7:48 am
Location: Montreal, Qc, Canada

Re: Prevent direct access to PHP file

Post by crazycoders »

Well, the problem lies in the fact that you wish it was a browser only that could access that file but you have to understand that whatever the way it is done, it's always a browser that requests the access to random.php.

A way you could actually fix this is to use a session variable in your main page such as:

Code: Select all

 
session_start(); // must run before any output so $_SESSION is available
$_SESSION['allowaccesstorandom']++;
 
And when the user actually tries to get random.php you do:

Code: Select all

 
session_start();
if (empty($_SESSION['allowaccesstorandom'])) {
    // return a forbidden header and stop, so no image is sent
    header('HTTP/1.1 403 Forbidden');
    exit;
} else {
    $_SESSION['allowaccesstorandom']--;
}
 
//Pursue the functionality of returning a random image through a fopen or something like that!
 
Do you think that would solve your problem?
Last edited by Benjamin on Wed May 13, 2009 4:05 pm, edited 1 time in total.
Reason: Changed code type from text to php.
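
A fuller version of the session gate described in the post above, as an added example that is not code from the thread. It assumes PHP 7.1 or later, that the page embedding the image is itself PHP and increments the counter, and that the images sit beside the script; `consume_credit`, `pick_image`, `IMAGE_DIR` and `IMAGE_TYPES` are hypothetical names.

```php
<?php
// random.php: added example. The embedding page must be PHP and must call
// session_start() and increment $_SESSION['allowaccesstorandom'] before output.

const IMAGE_DIR = __DIR__; // assumption: the images sit next to this script
const IMAGE_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png', 'gif' => 'image/gif'];

// Spend one access credit from the session; returns false when none is left.
function consume_credit(array &$session, string $key = 'allowaccesstorandom'): bool
{
    if (empty($session[$key]) || (int) $session[$key] < 1) {
        return false;
    }
    $session[$key] = (int) $session[$key] - 1;
    return true;
}

// Pick a random image from a fixed directory; no request data reaches the path.
function pick_image(string $dir): ?array
{
    $files = [];
    foreach (scandir($dir) ?: [] as $name) {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (array_key_exists($ext, IMAGE_TYPES) && is_file("$dir/$name")) {
            $files[] = ["$dir/$name", IMAGE_TYPES[$ext]];
        }
    }
    return $files ? $files[random_int(0, count($files) - 1)] : null;
}

session_start();
if (!consume_credit($_SESSION)) {
    http_response_code(403); // direct hit: the page issued no credit
    exit('Forbidden');
}
$image = pick_image(IMAGE_DIR);
if ($image === null) {
    http_response_code(404);
    exit;
}
[$path, $type] = $image;
header("Content-Type: $type");
header('Content-Length: ' . filesize($path));
header('Cache-Control: no-store'); // force a fresh, gated request on every page view
readfile($path);
```

The gate only ties the image fetch to an earlier page view in the same session; a client that loads the page first still receives one image per credit.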
jaysmizzle
Forum Newbie
Posts: 9
Joined: Fri May 01, 2009 2:55 am

Re: Prevent direct access to PHP file

Post by jaysmizzle »

A session variable wouldn't work in html though, right? The page that I want the images to display on is an html page. I tried inserting

Code: Select all

$_SESSION['allowaccesstorandom']++;
into it but it wouldn't work. I'm very green on this stuff.
crazycoders
Forum Contributor
Posts: 260
Joined: Tue Oct 28, 2008 7:48 am
Location: Montreal, Qc, Canada

Re: Prevent direct access to PHP file

Post by crazycoders »

No indeed, your page would need PHP support in this case. With no server-side language available, there is no way to prevent this, as this is the way the web works: there is no difference between a request a browser makes automatically to get a resource and a request done by a user trying out the URL by hand!
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Prevent direct access to PHP file

Post by Darhazer »

Additionally, using .htaccess, you can disable access only to the PHP file, but since you have to allow it if the user opens your index page, you have to deny it only if the referrer is not your web page.
In this way, typing the URL in the browser won't open the image, while it will continue to work on your web site. But please note that an experienced user can send the referrer header while still not opening your web site.

Code: Select all

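RewriteEngine On
# The Referer is a full URL, so anchor the match on the scheme and host
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
RewriteRule ^random\.php$ http://www.example.com/ [L]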
This will redirect the visitor to the site, but I'm sure you can also send him an HTTP 403 message.

P.S. You have to enable mod_rewrite (RewriteEngine On in the .htaccess) to use this.
Last edited by Darhazer on Thu May 14, 2009 3:48 pm, edited 1 time in total.
crazycoders
Forum Contributor
Posts: 260
Joined: Tue Oct 28, 2008 7:48 am
Location: Montreal, Qc, Canada

Re: Prevent direct access to PHP file

Post by crazycoders »

Nice solution! I'll bookmark that.