Prevent direct access to PHP file
Posted: Wed May 13, 2009 12:04 pm
by jaysmizzle
I need to prevent someone from having direct access to a php file but at the same time allow it to display images on my html page. I have an images folder with a random.php file in it. This random.php file displays a random image on my index.html page. However, someone can easily just type in 'http://www.mysite.com/images/random.php' and be taken to a blank white page with my random pics displayed, which I obviously don't want to happen. I tried uploading an htaccess file to the images directory that would deny all access to the files within, but it also prevents my images from being displayed on my index.html page. Thanks for the help.
Re: Prevent direct access to PHP file
Posted: Wed May 13, 2009 2:30 pm
by crazycoders
Well, the problem lies in the fact that you wish it was a browser only that could access that file but you have to understand that whatever the way it is done, it's always a browser that requests the access to random.php.
A way you could actually fix this is to use a session variable in your main page such as:
Code:
session_start(); // the session has to be started before $_SESSION is used
$_SESSION['allowaccesstorandom']++;
And when the user actually tries to get random.php you do:
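Code:
session_start(); // the session has to be started before $_SESSION is read
if (empty($_SESSION['allowaccesstorandom'])) { // counter unset or 0: the main page was not loaded first
    // return a forbidden header
    header('HTTP/1.1 403 Forbidden');
    exit;
} else {
    $_SESSION['allowaccesstorandom']--;
}
// Pursue the functionality of returning a random image through a fopen or something like that!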
Do you think that would solve your problem?
Re: Prevent direct access to PHP file
Posted: Wed May 13, 2009 2:54 pm
by jaysmizzle
A session variable wouldn't work in html though, right? The page that I want the images to display on is an html page. I tried inserting
Code:
$_SESSION['allowaccesstorandom']++;
into it but it wouldn't work. I'm very green on this stuff.
Re: Prevent direct access to PHP file
Posted: Wed May 13, 2009 3:07 pm
by crazycoders
No indeed, your page would need PHP support in this case. With no server-side language available, there is no way to prevent this, as this is the way the web works: there is no difference between a request a browser makes automatically to get a resource and a request done by a user trying out the URL by hand!
Re: Prevent direct access to PHP file
Posted: Thu May 14, 2009 3:24 pm
by Darhazer
Additionally, using .htaccess, you can disable access only to the PHP file, but since you have to allow it if the user opens your index page, you have to deny it only if the referrer is not your web page.
In this way, typing the URL in the browser won't open the image, while it will continue to work on your web site. But please note that an experienced user can send the referrer header while still not opening your web site.
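Code:
RewriteEngine On
# The Referer is a full URL, so anchor the pattern on scheme and host and escape the dots
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
RewriteRule ^random\.php$ http://www.example.com/ [L]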
This will redirect the visitor to the site, but I'm sure you can also send him an HTTP 403 message.
P.S. You have to enable mod_rewrite (RewriteEngine On in the .htaccess) to use this.
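The same referrer check can be done inside random.php itself, answering with the HTTP 403 mentioned above, for hosts where mod_rewrite is not available. This is an added example, not code from any poster in the thread; the host names example.com and www.example.com, the function name refererIsOurSite and the image extensions are assumptions.

```php
<?php
// random.php - added example, not code from the thread.
// Assumptions: the site is served as example.com / www.example.com and the
// images sit in the same directory as this script.

const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * True only when the Referer parses as a URL whose host is exactly one of
 * ours. A missing or malformed header is treated as direct access.
 * Comparing the parsed host avoids matching "example.com" elsewhere in the URL.
 */
function refererIsOurSite(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), ALLOWED_HOSTS, true);
}

if (!refererIsOurSite($_SERVER['HTTP_REFERER'] ?? null)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Forbidden');
}

// Collect the image files in this directory (keys are preserved by preg_grep).
$names = preg_grep('/\.(jpe?g|png|gif)$/i', scandir(__DIR__) ?: []);
if (!$names) {
    http_response_code(404);
    exit;
}
$file = __DIR__ . '/' . $names[array_rand($names)];

$types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
          'png' => 'image/png', 'gif' => 'image/gif'];
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($file));
// The body depends on the Referer and differs per request: keep caches from reusing it.
header('Cache-Control: no-store');
header('Vary: Referer');
readfile($file);
```

Visitors whose browser or proxy strips the Referer header will get the 403 instead of the image, and as noted above the header is set by the client, so this deters casual direct access only.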
Re: Prevent direct access to PHP file
Posted: Thu May 14, 2009 3:44 pm
by crazycoders
Nice solution! I'll bookmark that.