Let a Script Access but Not View
-
TheUglyDuckling
- Forum Newbie
- Posts: 3
- Joined: Mon Sep 13, 2004 7:11 pm
Let a Script Access but Not View
I have some html fragments (a header and footer, as well as some messy internals) that I include into my end html files using Server Side Includes.
The end result is that all of the code (from the client's point of view) is in the end html file (which is a good thing).
But... is there any way to make it so that my html file can access these html fragments (to insert them before sending it to the browser), but users can't access them directly (by typing the filename into the browser path)?
Ex:
I have the external html fragment extheader.htmlf included into my html document.
chmod u=rwx,go=r extheader.htmlf <-- include can access, so can user (if they type "http://.../extheader.htmlf" into their browser; I don't want this).
??? <-- include can access, but user cannot (this is what I'm looking for).
chmod u=rwx,go= extheader.htmlf <-- neither include nor user can access (I don't want this).
I've had a similar problem with CGI-Perl scripts where the user can view the internals of my CGI-Bin if they know the filenames.
I'm sure there's a simple answer, but I don't know what it is. Help, anybody?
Thanks in advance,
TheUglyDuckling
-
jakobdoppler
- Forum Commoner
- Posts: 46
- Joined: Wed May 21, 2003 6:16 pm
Hi
In your main script, try defining some variable that you request in the file that should be included. (E.g. here are PHP Session vars of good use.)
e.g.
```php
<?php
// include.php: refuse to run unless the including script set $checkVar
if (!isset($checkVar)) {
    die(); // no access
}
// else proceed content
?>
```
Then include in the main
```php
<?php
// main script: set the flag, then pull in the fragment
$checkVar = 1;
include('include.php');
?>
```
So if you try calling include.php directly, you fail.
Err ..hope this is correct now. Not tested, but it should work.
*hth* _yak
-
TheUglyDuckling
- Forum Newbie
- Posts: 3
- Joined: Mon Sep 13, 2004 7:11 pm
Thanks, jakobdoppler. It's better than nothing. The only problem that I see with it is that the $checkVar=1 in the main file is public (viewable by anyone) so anybody who's any good at scripting would be able to access include.php by copying the original source, putting in urls for every relative path, and access the file.
Does anybody have a more robust solution? One where the script is not accessible by the user for any reason? Part of the beauty of Server Side Includes is that everything is processed by the server, and not by the user's computer (I don't want the user to be able to access the code in any way).
TheUglyDuckling
I was wondering this and this guy may be able to use this info.. if I make a folder and throw all my private files in it and htpasswd the folder, and then include files from that folder in a php file which will be viewed publicly and resides in a non-htpasswd protected folder, will the server force the user to enter the htpasswd before viewing the file, since the file which is included is in a folder which is protected? thanks
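Added example, not part of the thread: a hardened form of the `$checkVar` guard posted above, which also bears on the password-protected-folder question. It checks a constant instead of a variable (a constant cannot be populated from request input, which a global variable can be on a server with `register_globals` enabled) and keeps the fragment in a directory outside the document root, which PHP's `include` reads by filesystem path with no HTTP access check or password prompt involved. The constant `IN_APP`, the function `load_fragment`, the file names and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example (constructed). IN_APP, load_fragment(), the file names and
// the temp directory layout are hypothetical; adapt them to the real site.

$root    = sys_get_temp_dir() . '/include_guard_demo_' . getmypid();
$docroot = "$root/public_html";  // the only directory the web server maps to URLs
$private = "$root/includes";     // sibling of the docroot: no URL reaches it
mkdir($docroot, 0755, true);
mkdir($private, 0755, true);

// The fragment refuses to render unless an entry script defined IN_APP.
$fragment = <<<'PHP'
<?php
if (!defined('IN_APP')) {
    http_response_code(403);  // what a direct HTTP request would receive
    return false;             // at file top level this stops the fragment
}
echo "<h1>Site header</h1>\n";
return true;
PHP;
file_put_contents("$private/header.inc.php", $fragment);

// Includes a fragment by filesystem path and rejects names that resolve
// outside the private directory (for example through "../").
function load_fragment(string $dir, string $name): bool
{
    $base = realpath($dir);
    $path = realpath("$dir/$name");
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    $result = include $path;
    return $result === true;
}

// Case 1: the fragment runs before any entry script has defined IN_APP
// (stands in for a direct request), so the guard trips.
$direct = load_fragment($private, 'header.inc.php');

// Case 2: the public entry script defines the constant, then includes.
define('IN_APP', true);
$viaEntry = load_fragment($private, 'header.inc.php');

printf("direct: %s, via entry script: %s\n",
    var_export($direct, true), var_export($viaEntry, true));

unlink("$private/header.inc.php");
rmdir($private); rmdir($docroot); rmdir($root);
```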
-
TheUglyDuckling
- Forum Newbie
- Posts: 3
- Joined: Mon Sep 13, 2004 7:11 pm
> Sami wrote:
> > so anybody who's any good at scripting would be able to access include.php by copying the original source, putting in urls for every relative path, and access the file.
> People can't just view the source of your PHP files. No matter how "good" they are.
Depends more on how bad the server is configured
Or when the sysadmin upgrades php version etc...
-
> timvw wrote:
> > Sami wrote:
> > > so anybody who's any good at scripting would be able to access include.php by copying the original source, putting in urls for every relative path, and access the file.
> > People can't just view the source of your PHP files. No matter how "good" they are.
> Depends more on how bad the server is configured
> Or when the sysadmin upgrades php version etc...
Yeah of course in the worst case scenario it's very possible. But in reality most people would be running scripts on a half decent server at a web host who knows what they are doing.