
How to deny direct access by url?

Posted: Fri Oct 21, 2005 4:54 am
by evilclone
Hi, my problem is that I have a lot of PHP pages that need to be called by other specified PHP pages to work properly. This means that if someone tries to access these pages directly by typing their URL, he can do some damage. If I set a session variable that has to be checked on every protected page I can get rid of this problem, but only a little. There are a lot of solutions to crack my system.
Any ideas?

Re: How to deny direct access by url?

Posted: Fri Oct 21, 2005 5:23 am
by n00b Saibot
evilclone wrote: There are a lot of solutions to crack my system.
There is no point securing an inherently insecure system. This is not the correct way an app should be coded imo...

Posted: Fri Oct 21, 2005 7:08 am
by feyd
When I want to disallow direct access to a script, I use something like this:

Code:

if($_SERVER['PATH_TRANSLATED'] == __FILE__) {
  die();
}

Posted: Fri Oct 21, 2005 7:29 am
by phpdevuk
Might be worth displaying some kind of error message and redirecting back to the correct page.

Posted: Fri Oct 21, 2005 8:06 am
by evilclone
feyd wrote: When I want to disallow direct access to a script, I use something like this:

Code:

if($_SERVER['PATH_TRANSLATED'] == __FILE__) {
  die();
}
The variable $_SERVER['PATH_TRANSLATED'] gives me nothing in every situation @_@

@n00b Saibot: Yeah, maybe you're right, but I started programming server side 2 weeks ago, so I don't know all the tricks.

Posted: Fri Oct 21, 2005 8:09 am
by feyd
The translated path may not be getting set by your server. You can possibly use $_SERVER['SCRIPT_NAME'] with realpath() as an alternative.
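An added example of the path-comparison idea from the two posts above (my code, not feyd's). It compares the file the server actually executed against the file doing the check, so an included file can tell whether it was requested by its own URL. It assumes PHP 7 or later and that the server populates $_SERVER['SCRIPT_FILENAME'], which is set far more consistently than PATH_TRANSLATED; if even that is missing, the guard fails closed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and that the
// web server sets $_SERVER['SCRIPT_FILENAME'] (usual for Apache/mod_php
// and php-fpm; PATH_TRANSLATED, used in the thread, is often empty).

function requested_directly(): bool
{
    // SCRIPT_FILENAME is the script the server ran. When this file is
    // merely included by another page, it names that other page, not us.
    $executed = $_SERVER['SCRIPT_FILENAME'] ?? null;
    if ($executed === null) {
        // Nothing to compare against: fail closed and treat as direct.
        return true;
    }

    // realpath() resolves symlinks and "../" segments on both sides so
    // the comparison is not fooled by two spellings of the same path.
    $executed = realpath($executed);
    return $executed === false || $executed === realpath(__FILE__);
}

// Put this before any output or other work in the protected file.
if (requested_directly()) {
    // A plain 404 reveals less than a custom "access denied" page: a
    // prober cannot tell a guarded file from one that does not exist.
    http_response_code(404);
    exit;
}

// ... rest of the protected page runs only when included ...
```

This only detects the direct request; the file is still inside the web root and still reachable if the guard is ever forgotten. The later suggestions in the thread (a constant defined by the entry page, moving includes outside the web directory, or a server-level deny) close that gap more robustly.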

Posted: Sat Oct 22, 2005 1:18 am
by Sequalit
I have a solution for you, man...

This is an easy way to secure your system...

First, on your page that is calling other pages, use this command.

Make sure to put it at the top of your script; it goes where session commands are set.

Code:

//session variables...
define("X",null);
//your page...
That will define a variable named varname.

Now on your pages you don't want direct access to, put this code.

Make sure this is the FIRST thing that is in the file!!!!

Code:

if(!defined("X")){
	die("Hacking attempt...");//or you could redirect, whatever you want....
}

//your program
This should secure the pages you don't want to be accessed by typing the URL without going through another page first.

What it's doing is defining the variable X for only that page...

And it's checking if X is defined... if it's not, well, then it stops the script from executing, but if it is defined (going through the right page) then it continues normally...
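A worked version of the constant-gate technique described above, added here as an example (my code, not Sequalit's). Two files are shown in one listing with their boundaries marked in comments; the file names, the constant name APP_ENTRY and the inc/ directory are my assumptions. The entry page defines the constant before it includes anything; each include checks for it as its very first statement.

```php
<?php
// Added example, not code from the thread. File names and the constant
// name are assumptions; any unique constant works.

// ---- index.php: the page visitors are meant to request ----

// Define the gate constant before any include, so even an include at the
// very top of this file sees it. The value is irrelevant; only the fact
// that the constant exists is tested.
define('APP_ENTRY', true);

require __DIR__ . '/inc/report.php';

// ---- inc/report.php: must never be served by its own URL ----

// First statement in the file. If the constant is missing, nobody went
// through an entry page, so this is a direct request.
if (!defined('APP_ENTRY')) {
    // Answer 404 rather than a "Hacking attempt" message: a plain 404
    // does not confirm to a prober that the file exists and is guarded.
    http_response_code(404);
    exit;
}

// ... page logic that should only run when included ...
```

Unlike a session variable, the constant lives only for the current request and is set by the entry script itself, so a visitor cannot forge it. The check still has to appear in every protected file, which is why timvw's and Jenk's suggestions below (keep includes outside the web directory, or deny them at the server) are the safer baseline; the constant gate then works as a second layer.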

Posted: Sat Oct 22, 2005 4:23 am
by timvw
There is a simple solution: if people are not allowed to browse to files, simply place them outside your web directory so they can't browse directly to them.

Posted: Sat Oct 22, 2005 6:25 am
by evilclone
@Sequalit: Thanks, I'll try it next Monday.

@timvw: I have direct access only to the web directory.

Posted: Sat Oct 22, 2005 10:21 am
by AGISB
In an environment where multiple groups (e.g. users, admin, webmasters) can use the same members area but only some pages for each of the groups I do the whitelist approach.

On each page I state what group can use a page and others get a 404 or other error message.
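An added example of the per-page group whitelist described above (my code, not AGISB's). It assumes the login code stores the visitor's group name in $_SESSION['group']; each page then names the groups allowed to see it, and everyone else gets the 404 the post mentions.

```php
<?php
// Added example, not code from the thread. Assumes the login handler
// has already put a group name such as "user", "admin" or "webmaster"
// into $_SESSION['group'] (assumed key).

session_start();

/**
 * Abort with 404 unless the current visitor belongs to one of the groups
 * this page is whitelisted for.
 *
 * @param string[] $allowedGroups group names that may view the page
 */
function require_group(array $allowedGroups): void
{
    $group = $_SESSION['group'] ?? null;

    // Strict comparison (third argument): without it in_array() uses
    // loose equality, so "0" or "" could match values they should not.
    if ($group === null || !in_array($group, $allowedGroups, true)) {
        // 404 rather than 403 so the page's existence is not confirmed
        // to groups that may not use it.
        http_response_code(404);
        exit;
    }
}

// At the top of an admin-only page:
require_group(['admin']);

// At the top of a page shared by admins and webmasters it would be:
// require_group(['admin', 'webmaster']);

// ... page content for the permitted groups ...
```

Keeping the whitelist on the page itself, as the post suggests, means the check is visible next to the content it protects; the group value must come only from the server-side session, never from a cookie or request parameter the visitor controls.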

Posted: Sat Oct 22, 2005 1:43 pm
by Jenk
create an includes folder, call it whatever you want, and assuming you are using Apache, create a .htaccess file and deny all?

Posted: Sat Oct 22, 2005 2:40 pm
by DanUK
Jenk wrote: create an includes folder, call it whatever you want, and assuming you are using Apache, create a .htaccess file and deny all?
That's what I'd do IMO