Non-Executable URL

asterix299
Forum Newbie
Posts: 7
Joined: Sun Jan 03, 2010 9:02 pm

Non-Executable URL

Post by asterix299 »

Hello,

I have a few pages that load another php page into divs dynamically through AJAX. The script makes a call to a php file (fetch.php) that includes the page that the script requested. I would like to make it so that these pages can ONLY be loaded by fetch.php, not by themselves by typing in their URL.

So say I have the file "example.php," I want to make it so it can only be executed if included by fetch.php, not by typing in "example.com/example.php."
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Non-Executable URL

Post by AbraCadaver »

Oftentimes people do it like this:

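fetch.php

<?php
// Mark that execution entered through fetch.php
define('FETCHING', true);
//include stuff

example.php

<?php
// Stop immediately unless fetch.php defined the constant before including this file
if (!defined('FETCHING')) { die(); }
//whatever stuff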
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
asterix299
Forum Newbie
Posts: 7
Joined: Sun Jan 03, 2010 9:02 pm

Re: Non-Executable URL

Post by asterix299 »

Ah good deal. For some reason I always get into such complex problems and forget there are simple solutions. Thanks.
Alkis
Forum Commoner
Posts: 31
Joined: Fri Mar 26, 2010 8:41 am

Re: Non-Executable URL

Post by Alkis »

I am actually curious as to how declaring a constant on either side ensures that the JavaScript requesting the php file will be the only one allowed to do so.

Or is there something that I don't get?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Non-Executable URL

Post by John Cartwright »

Including a file that has a defined constant, and checking against the existence of the constant, will make the file not executable directly. The best approach to removing public access to this file is to put it outside your webroot and include it as you are currently doing.
Alkis
Forum Commoner
Posts: 31
Joined: Fri Mar 26, 2010 8:41 am

Re: Non-Executable URL

Post by Alkis »

But if you are using JavaScript to call a php file, (it is Ajax, right?) you have to have a php file that will be publicly accessible from the js call, otherwise JavaScript cannot communicate with it.

Unless you mean something else.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Non-Executable URL

Post by John Cartwright »

Alkis wrote: But if you are using JavaScript to call a php file, (it is Ajax, right?) you have to have a php file that will be publicly accessible from the js call, otherwise JavaScript cannot communicate with it.

Right. I was referring to putting files you do not want public outside the document root.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Non-Executable URL

Post by AbraCadaver »

Alkis wrote: I am actually curious as to how declaring a constant on either side ensures that the JavaScript requesting the php file will be the only one allowed to do so.

Or is there something that I don't get?

The poster didn't ask about how to restrict only the javascript from calling the page. They asked how to make sure that example.php, etc. could only be called from fetch.php, though they mentioned that they were using some ajax in the mix.
asterix299
Forum Newbie
Posts: 7
Joined: Sun Jan 03, 2010 9:02 pm

Re: Non-Executable URL

Post by asterix299 »

AbraCadaver wrote:
Alkis wrote: I am actually curious as to how declaring a constant on either side ensures that the JavaScript requesting the php file will be the only one allowed to do so.

Or is there something that I don't get?

The poster didn't ask about how to restrict only the javascript from calling the page. They asked how to make sure that example.php, etc. could only be called from fetch.php, though they mentioned that they were using some ajax in the mix.

Correct. The javascript accesses fetch.php, therefore it never needs to communicate directly with the file.

As for the outside web root idea, I think the constant idea is actually better. I changed the behavior from the suggestion to use header() to relocate the user to a 404 page. Thus the illusion of a non-existing file, and I don't have to scatter files outside my webroot.
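
As an added example (not code posted by anyone in this thread), here is one way fetch.php could combine the FETCHING constant with an allow-list, so the requested name is never passed to include directly. The ?page parameter, the partials directory and the page names are assumptions, and the script answers with a 404 status itself rather than redirecting with header().

```php
<?php
// fetch.php -- added example, not code posted in the thread.
// Assumptions: the AJAX call sends ?page=<name>; partials sit in ./partials.
declare(strict_types=1);

define('FETCHING', true);                    // guard constant from the thread

const PARTIAL_DIR = __DIR__ . '/partials';   // hypothetical directory
const PAGES = [                              // hypothetical allow-list
    'example' => 'example.php',
    'news'    => 'news.php',
];

/** Return the absolute path for an allowed page name, or null. */
function resolve_partial(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;                         // name is not on the allow-list
    }
    $base = realpath(PARTIAL_DIR);
    $path = realpath(PARTIAL_DIR . '/' . PAGES[$name]);
    if ($base === false || $path === false) {
        return null;                         // directory or file is missing
    }
    // Defence in depth: the resolved file must still be inside PARTIAL_DIR
    // (catches a symlink or a bad allow-list entry).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$page = $_GET['page'] ?? '';
$file = is_string($page) ? resolve_partial($page) : null;
if ($file === null) {
    http_response_code(404);                 // same answer as for a missing file
    exit;
}
require $file;

// partials/example.php then starts with the guard, answering 404 directly:
//   <?php
//   if (!defined('FETCHING')) { http_response_code(404); exit; }
```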