How to deny direct access by url?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

evilclone
Forum Newbie
Posts: 5
Joined: Mon Oct 17, 2005 4:56 am

How to deny direct access by url?

Post by evilclone »

Hi, my problem is that I have a lot of PHP pages that need to be called by other specified PHP pages to work properly. This means that if someone tries to access these pages directly by typing their URL, he can do some damage. If I set a session variable that has to be checked on every protected page I can get rid of this problem, but only a little. There are a lot of ways to crack my system.
Any ideas?
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Re: How to deny direct access by url?

Post by n00b Saibot »

evilclone wrote: There are a lot of ways to crack my system.

There is no point securing an inherently insecure system. This is not the correct way an app should be coded, imo...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

When I want to disallow direct access of a script I use something like this:

<?php
// Compare the script the server actually ran with this file; if they are the
// same, the file was requested by URL rather than included by another page.
if ($_SERVER['PATH_TRANSLATED'] == __FILE__) {
    die();
}
phpdevuk
Forum Contributor
Posts: 220
Joined: Mon Jul 04, 2005 5:31 am
Location: UK

Post by phpdevuk »

Might be worth displaying some kind of error message and redirecting back to the correct page.
evilclone
Forum Newbie
Posts: 5
Joined: Mon Oct 17, 2005 4:56 am

Post by evilclone »

feyd wrote: When I want to disallow direct access of a script I use something like this:

if ($_SERVER['PATH_TRANSLATED'] == __FILE__) {
    die();
}

The variable $_SERVER['PATH_TRANSLATED'] gives me nothing in every situation @_@

@n00b Saibot: Yeah, maybe you're right, but I started programming server side 2 weeks ago, so I don't know all the tricks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The translated path may not be getting set by your server. You can possibly use $_SERVER['SCRIPT_NAME'] with realpath() as an alternative.
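As an added example (my own code, not feyd's or anything else posted in this thread): the same "am I the script that was requested?" check, but built on the server variables that are reliably populated. PATH_TRANSLATED is often empty, as evilclone found; SCRIPT_FILENAME is what mod_php, php-fpm and the CLI actually set, and SCRIPT_NAME is only a URL path, so it has to be joined with DOCUMENT_ROOT before realpath() can resolve it. The function names are my own, and it assumes PHP 7.1 or later. Note what the check does and does not buy you: it stops the file from running as the entry script, nothing more, and a file that need never be served by URL is still better kept out of the document root altogether.

```php
<?php
// Added example, not code from the thread: a portable "was this file requested
// by URL?" check. PATH_TRANSLATED is often unset, so this compares the script
// the server actually executed (SCRIPT_FILENAME, or DOCUMENT_ROOT joined with
// SCRIPT_NAME as a fallback) against __FILE__. Function names are my own.

// Filesystem path of the script the request started in, or null if unknown.
function entry_script_path(array $server): ?string
{
    // SCRIPT_FILENAME is set by mod_php, php-fpm/FastCGI and the CLI.
    if (!empty($server['SCRIPT_FILENAME'])) {
        $p = realpath($server['SCRIPT_FILENAME']);
        if ($p !== false) {
            return $p;
        }
    }
    // SCRIPT_NAME is a URL path such as "/dir/page.php", so it has to be
    // joined with DOCUMENT_ROOT before realpath() can resolve it.
    if (!empty($server['DOCUMENT_ROOT']) && !empty($server['SCRIPT_NAME'])) {
        $p = realpath(rtrim($server['DOCUMENT_ROOT'], '/') . '/' . ltrim($server['SCRIPT_NAME'], '/'));
        if ($p !== false) {
            return $p;
        }
    }
    return null;
}

// True when $file is the script the web server started, i.e. it was hit by
// URL rather than pulled in with include/require. realpath() on both sides
// removes symlink and "../" differences that would defeat a plain string
// comparison. If the entry script cannot be determined the function fails
// closed and reports direct access: a broken include is visible, while a
// silently skipped check would expose the file.
function is_direct_request(string $file, array $server): bool
{
    $entry = entry_script_path($server);
    $self  = realpath($file);
    return $entry === null || $self === false || $entry === $self;
}

// Usage at the very top of a file that must only ever be included:
//
//     if (is_direct_request(__FILE__, $_SERVER)) {
//         http_response_code(404);   // look like any other missing page
//         exit;
//     }

// Self-check from the command line (php direct_access.php). The CLI sets
// SCRIPT_FILENAME to this script, so the first call reports direct access;
// the second simulates a request that started in a different entry script
// (a constructed temporary file standing in for index.php), which must not.
if (PHP_SAPI === 'cli') {
    $other = tempnam(sys_get_temp_dir(), 'index');
    var_dump(is_direct_request(__FILE__, $_SERVER));
    var_dump(is_direct_request(__FILE__, ['SCRIPT_FILENAME' => $other]));
    unlink($other);
}
```

Responding with a 404 rather than a custom "hacking attempt" message keeps the protected file indistinguishable from a page that does not exist, so an attacker probing for include files learns nothing from the response.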
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Post by Sequalit »

I have a solution for you, man...

This is an easy way to secure your system...

First, on your page that is calling other pages, use this command.

Make sure to put it at the top of your script; it goes where session commands are set.

<?php
// session variables...
// Mark this script as the legitimate entry point. The constant's name and
// value are arbitrary; the protected pages only test that it exists.
define("X", null);
// your page...

That will define a variable named varname.

Now, on your pages you don't want direct access to, put this code.

Make sure this is the FIRST thing that is on the file!!!!

<?php
// Refuse to run unless an entry page defined X before including this file.
if (!defined("X")) {
    die("Hacking attempt...");  // or you could redirect, whatever you want....
}

// your program

This should secure your pages you don't want to be accessed by typing them in the URL without going through another page first.

What it's doing is it's defining the variable X for only that page...

And it's checking if X is defined... If it's not, well, then it kills the script from executing, but if it is defined (going through the right page) then it continues normally...
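The entry-point constant Sequalit describes, as an added example that is my own code and not from the thread: the two files are written out in full and then each is run from the command line as if it had been requested, so you can see the guarded file produce its report when included and produce nothing when executed on its own. The file names (index.php, inc/report.php), the constant APP_ENTRY and the function names are my own choices, and the sample user is constructed. It assumes PHP 7.0 or later and a php binary on the machine running it.

```php
<?php
// Added example, not code from the thread: Sequalit's "entry-point constant"
// guard written out as two files and exercised from the command line, so the
// difference between being included and being requested directly is visible.
// File names, the constant APP_ENTRY and the function names are my own.

// inc/report.php: must never be reachable by URL. The guard is the first
// statement in the file, and nothing precedes the opening "<?php" (no blank
// line, no BOM), otherwise output would start before the guard runs.
$guarded = <<<'PHP'
<?php
defined('APP_ENTRY') or (function () {
    http_response_code(404);   // do not confirm that the file exists
    exit;
})();

function render_report(string $user): void
{
    echo 'report for ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), "\n";
}
PHP;

// index.php: the page users may request. The constant is defined before
// anything else (before session_start(), before any include), so every file
// pulled in afterwards sees it.
$entry = <<<'PHP'
<?php
define('APP_ENTRY', true);

require __DIR__ . '/inc/report.php';
render_report('alice');   // constructed sample user
PHP;

// Write both files to a scratch directory, then run each one as if it were
// the requested script. Returns script name => captured output.
function run_demo(string $entry, string $guarded): array
{
    $dir = sys_get_temp_dir() . '/guard-demo-' . bin2hex(random_bytes(4));
    mkdir($dir . '/inc', 0700, true);
    file_put_contents($dir . '/index.php', $entry);
    file_put_contents($dir . '/inc/report.php', $guarded);

    $out = [];
    foreach (['index.php', 'inc/report.php'] as $script) {
        $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($dir . '/' . $script);
        $out[$script] = trim((string) shell_exec($cmd));
    }

    unlink($dir . '/inc/report.php');
    unlink($dir . '/index.php');
    rmdir($dir . '/inc');
    rmdir($dir);
    return $out;
}

foreach (run_demo($entry, $guarded) as $script => $output) {
    printf("%-15s %s\n", $script, $output === '' ? '(no output: guard fired)' : $output);
}
```

Two details matter in practice. The guard has to be the first statement, because any byte emitted before it (a stray newline ahead of `<?php`, a UTF-8 BOM) is already on its way to the client when the check runs. And the constant must be defined in the entry script itself, not in a file the entry script includes after the guarded one, or the order of includes silently decides whether the guard fires.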
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

There is a simple solution: if people are not allowed to browse to files, simply place them outside your web directory so they can't browse directly to them.
evilclone
Forum Newbie
Posts: 5
Joined: Mon Oct 17, 2005 4:56 am

Post by evilclone »

@Sequalit: Thanks, I'll try it the next monday.

@timvw: I have direct access only to the web directory.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

In an environment where multiple groups (e.g. users, admins, webmasters) can use the same members' area but each group may use only some of its pages, I take the whitelist approach.

On each page I state which groups can use that page; the others get a 404 or another error message.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Create an includes folder, call it whatever you want, and, assuming you are using Apache, create a .htaccess file and deny all?
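The .htaccess Jenk suggests, as an added example that is not from the thread. It assumes an includes directory named inc under the document root (the name is my choice) and an Apache that lets .htaccess override access control for that directory: AllowOverride AuthConfig for the 2.4 Require directive, AllowOverride Limit for the 2.2 Order/Deny directives, or AllowOverride All. Both syntaxes are given because the thread dates from the Apache 2.2 era. Denying HTTP access this way does not affect PHP's include/require, which read the files from disk, so the calling pages keep working; it is the right fit for evilclone's situation, where the includes cannot be moved outside the web directory.

```apacheconf
# Added example, not from the thread: place this file at inc/.htaccess to
# refuse every HTTP request for anything under inc/. PHP include/require
# still work because they read the filesystem, not the web server.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_host); on 2.4 this branch only loads if
# mod_access_compat is enabled, and the block above already applies
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

Check it took effect before relying on it: request a file under inc/ by URL and confirm a 403 comes back. If the file's source or output is still served, AllowOverride on the parent directory is not permitting the directives, and the .htaccess is being silently ignored.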
DanUK
Forum Newbie
Posts: 2
Joined: Fri Oct 21, 2005 11:23 am

Post by DanUK »

Jenk wrote: Create an includes folder, call it whatever you want, and, assuming you are using Apache, create a .htaccess file and deny all?

That's what I'd do, IMO.