
Prevent Direct Access to ! index.php

Posted: Wed Nov 23, 2011 5:02 pm
by Hermit TL
I'm working on a site where scripts are loaded through index.php.
What is the best way to prevent people from accessing other scripts on the site directly?
I'm currently using something like this:

Code:

if (security_filter($_SERVER['PHP_SELF'],"string") != "/index.php"){ echo "ACCESS DENIED"; exit(); }
Don't worry about security_filter(); basically I'm using:

Code:

if ($_SERVER['PHP_SELF'] != "/index.php"){ echo "ACCESS DENIED"; exit(); }
in every page to prevent people from directly accessing other scripts.

Re: Prevent Direct Access to ! index.php

Posted: Wed Nov 23, 2011 5:57 pm
by pickle
Use mod_rewrite to redirect all requests to index.php (except maybe image files & css files). In your index.php file, you can check in $_SERVER what page the person was actually requesting and go from there.

Also, PHP_SELF may not always be set so it's not 100% safe to use. In most cases you can accomplish the same with $_SERVER['SCRIPT_NAME'].

Re: Prevent Direct Access to ! index.php

Posted: Wed Nov 23, 2011 6:02 pm
by McInfo
Ideally, you would store sensitive scripts outside the document root so they could not be accessed over HTTP. If your host does not give you access to such a directory, you can put your scripts in a private directory which is password-protected.

Apache HTTP Server: Authentication, Authorization and Access Control
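
The two replies above (rewrite every request to index.php, and keep the other scripts outside the document root) combined into one front controller, as an added example that is not code from any post in this thread. The directory layout, the route table and the function name resolve_route() are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// index.php: the only PHP file inside the document root (added example).
//
// Assumed .htaccess next to this file, so Apache hands every request that
// is not an existing static file (images, CSS) to index.php:
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteRule ^ index.php [L]
//
// Assumed layout (hypothetical paths):
//   public/index.php        <- document root
//   private/pages/*.php     <- not reachable over HTTP at all
const PAGE_DIR = __DIR__ . '/../private/pages';

// Allow-list of request paths. The file name always comes from this table,
// never from the request, so a crafted URL cannot select an arbitrary file.
const ROUTES = [
    '/'        => 'home.php',
    '/contact' => 'contact.php',
];

// Map a raw request URI to a script name, or null if it is not allowed.
function resolve_route(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;                      // malformed URI or no path component
    }
    $path = '/' . trim($path, '/');       // "/contact/" and "contact" -> "/contact"
    return ROUTES[$path] ?? null;
}

$script = resolve_route($_SERVER['REQUEST_URI'] ?? '/');
if ($script === null) {
    http_response_code(404);
    exit('Not found');
}

require PAGE_DIR . '/' . $script;
```

With this layout the per-script PHP_SELF check is no longer needed, because the page scripts have no URL of their own.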