Let a Script Access but Not View

Posted: Mon Sep 13, 2004 7:23 pm
by TheUglyDuckling
I have some html fragments (a header and footer, as well as some messy internals) that I include into my end html files using Server Side Includes.

The end result is that all of the code (from the client's point of view) is in the end html file (which is a good thing).

But... is there any way to make it so that my html file can access these html fragments (to insert them before sending it to the browser), but users can't access them directly (by typing the filename into the browser path)?

Ex:

I have the external html fragment extheader.htmlf included into my html document.

chmod u=rwx,go=r extheader.htmlf <-- include can access, so can user (if they type "http://.../extheader.htmlf" into their browser; I don't want this).

??? <-- include can access, but user cannot (this is what I'm looking for).

chmod u=rwx,go= extheader.htmlf <-- neither include nor user can access (I don't want this).

I've had a similar problem with CGI-Perl scripts where the user can view the internals of my CGI-Bin if they know the filenames.

I'm sure there's a simple answer, but I don't know what it is. Help, anybody?

Thanks in advance,
TheUglyDuckling

Posted: Mon Sep 13, 2004 7:44 pm
by jakobdoppler
Hi

In your main script, try defining some variable that you request in the file that should be included. (E.g. PHP session vars are of good use here.)
e.g.

Code:

<?php
if (!isset($checkVar)) {
    die();  // no access
}
// else proceed with content
?>

Then include in the main

Code:

<?php
$checkVar = 1;
include('include.php');
?>

So if you try calling include.php directly, you fail.

Err ..hope this is correct now. Not tested, but it should work.
*hth* _yak

Posted: Mon Sep 13, 2004 7:51 pm
by TheUglyDuckling
Thanks, jakobdoppler. It's better than nothing. The only problem that I see with it is that the $checkVar=1 in the main file is public (viewable by anyone) so anybody who's any good at scripting would be able to access include.php by copying the original source, putting in urls for every relative path, and access the file.

Does anybody have a more robust solution? One where the script is not accessible by the user for any reason? Part of the beauty of Server Side Includes is that everything is processed by the server, and not by the user's computer (I don't want the user to be able to access the code in any way).

TheUglyDuckling

Posted: Mon Sep 13, 2004 8:07 pm
by feyd
TheUglyDuckling, do not cross post, EVER.

Posted: Tue Sep 14, 2004 3:58 am
by timvw
Everything that should not be accessed by the visitor, should not be in the public html directory.

So put them in a non-public space, and include it from there.

Posted: Tue Sep 14, 2004 4:30 am
by fresh
I was wondering this, and this guy may be able to use this info... If I make a folder and throw all my private files in it and htpasswd the folder, and then include files from that folder in a PHP file which will be viewed publicly and resides in a non-htpasswd protected folder, will the server force the user to enter the htpasswd before viewing the file, since the file which is included is in a folder which is protected?? Thanks :)

Posted: Tue Sep 14, 2004 4:57 am
by timvw
No, it will not ask for user/pass in that case.

But still, putting it in a "real" non-public area saves you the trouble of finding out how htpasswd works ;)

Posted: Tue Sep 14, 2004 9:52 am
by TheUglyDuckling
I've never been able to successfully include any files that were outside of my public_html folder.

Am I missing anything obvious? All of the permissions for go=r still, and I've tried both relative and absolute paths.

Thanks for your help so far,

TheUglyDuckling

Posted: Tue Sep 14, 2004 9:58 am
by m3mn0n
TheUglyDuckling wrote:
so anybody who's any good at scripting would be able to access include.php by copying the original source, putting in urls for every relative path, and access the file.

People can't just view the source of your PHP files. No matter how "good" they are.

Posted: Tue Sep 14, 2004 10:05 am
by timvw
Sami wrote:
so anybody who's any good at scripting would be able to access include.php by copying the original source, putting in urls for every relative path, and access the file.
People can't just view the source of your PHP files. No matter how "good" they are.

Depends more on how bad the server is configured ;)
Or when the sysadmin upgrades php version etc...

Posted: Tue Sep 14, 2004 10:17 am
by m3mn0n
timvw wrote:
Sami wrote:
so anybody who's any good at scripting would be able to access include.php by copying the original source, putting in urls for every relative path, and access the file.
People can't just view the source of your PHP files. No matter how "good" they are.
Depends more on how bad the server is configured ;)
Or when the sysadmin upgrades php version etc...

Yeah, of course in the worst-case scenario it's very possible. But in reality most people would be running scripts on a half-decent server at a web host who knows what they are doing.

Posted: Wed Sep 15, 2004 8:45 am
by Pozor
Hi guys,

Why do you not include the files from a folder outside of the public html folder?
It is very easy with, for instance:

readfile()

greez Pozor
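
Added example (not written by any poster in this thread): one way to do what timvw and Pozor suggest, keeping the fragments in a directory outside the document root and emitting them with readfile(). The function name emit_fragment, the directory layout and the demo files are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumed (hypothetical) layout:
//   <root>/public_html/        served by the web server
//   <root>/private/fragments/  outside the document root, so no URL maps to it

/**
 * Emit a static HTML fragment stored outside the document root.
 * Returns false unless $name resolves to a readable file inside $baseDir.
 */
function emit_fragment(string $baseDir, string $name): bool
{
    $base = realpath($baseDir);
    // realpath() collapses ".." and symlinks; it returns false for missing files.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return false;
    }
    // Containment check: the resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    if (!is_file($path) || !is_readable($path)) {
        return false;
    }
    // readfile() streams the bytes as-is; unlike include, it never runs them as PHP.
    return readfile($path) !== false;
}

// Constructed demo data: build the layout under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fragment_demo_' . getmypid();
mkdir("$root/private/fragments", 0700, true);
mkdir("$root/public_html", 0755, true);
file_put_contents("$root/private/fragments/extheader.htmlf", "<h1>Site header</h1>\n");
file_put_contents("$root/public_html/other.txt", "not a fragment\n");

$fragments = "$root/private/fragments";
// A fragment name that exists inside the private directory.
var_dump(emit_fragment($fragments, 'extheader.htmlf'));
// A name that resolves outside the base directory.
var_dump(emit_fragment($fragments, '../../public_html/other.txt'));
// A name that does not exist.
var_dump(emit_fragment($fragments, 'missing.htmlf'));
```

On a real host the private directory has to be readable by the account PHP runs as, and if open_basedir is set it must include that directory.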