Restricting direct access to a php page

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

a4avaiz
Forum Newbie
Posts: 1
Joined: Thu Feb 22, 2007 9:31 am

Restricting direct access to a php page

Post by a4avaiz »

Hi!

I am new to php. I am trying to create a contact form. I have two php files: contact.php and insert.php.

Contact.php contains the form elements. Insert.php contains only the database connection string and the INSERT query. I also gave a "Record added" echo statement in insert.php, if the INSERT query was successful.

The problem arises when I directly type the insert.php in the URL. It prints "Record Added". How can I restrict direct access to insert.php? How can I have a forbidden message?

I did do a search before I posted. One suggestion was to define a constant in insert.php and use it as a flag; it works when you try to access the file directly, but that doesn't work when we are posting data from contact.php. The other suggestion was to create a .htaccess user authentication, but that's not what I am looking for.

Which is the best way to restrict direct access completely?

Thanks in advance!

-Avais
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

$_SERVER['REQUEST_METHOD'] maybe?
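
The `$_SERVER['REQUEST_METHOD']` check suggested above, carried through as an added example that is not part of the original thread or any poster's code. The function names, the `name`/`message`/`token` field names and the session-stored form token are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Field names and the session token are assumptions.

// contact.php would call this and put the value in a hidden "token" field.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// insert.php calls this first. Returns [HTTP status, message]; only 200 means INSERT.
function check_insert_request(array $server, array $post, array &$session): array
{
    // A URL typed into the address bar arrives as GET, never POST.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    // POST alone does not show the form came from contact.php, so also
    // require the single-use token that contact.php stored in the session.
    $expected = $session['form_token'] ?? '';
    $given = $post['token'] ?? '';
    unset($session['form_token']);
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return [403, 'Forbidden'];
    }
    // Refuse empty submissions instead of reporting success.
    foreach (['name', 'message'] as $field) {
        if (!is_string($post[$field] ?? null) || trim($post[$field]) === '') {
            return [422, "Missing field: $field"];
        }
    }
    return [200, 'OK'];
}

// Constructed requests; run with `php example.php` to see each outcome.
$session = [];
$form = ['name' => 'Avais', 'message' => 'Hello', 'token' => issue_form_token($session)];
$cases = [
    'direct GET'    => [['REQUEST_METHOD' => 'GET'], []],
    'form POST'     => [['REQUEST_METHOD' => 'POST'], $form],
    'replayed POST' => [['REQUEST_METHOD' => 'POST'], $form],
];
foreach ($cases as $label => [$server, $post]) {
    [$status, $message] = check_insert_request($server, $post, $session);
    printf("%-14s %d %s\n", $label, $status, $message);
}
```

In a real insert.php, call `session_start()`, pass `$_SERVER`, `$_POST` and `$_SESSION` to the check, send the status with `http_response_code()`, and run the INSERT through a prepared statement only on 200.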
Tommy1402
Forum Newbie
Posts: 23
Joined: Tue Oct 03, 2006 4:33 am
Location: bandung

Post by Tommy1402 »

I suggest you create a folder "private" then move insert.php to it. Inside folder "private", create a file ".htaccess" -- [dot]htaccess --

in that file type:

Code:

deny from all
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

A "deny from all" would cause posts to it to be denied as well.
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

Easiest way in my book:

contact.php wrote:

Code:

<?php 
define("non-hacked",1);

//CODE...

?>
insert.php wrote:

Code:

<?php 
if(defined("non-hacked")){

//code...


//below optional 

} else  {
    die("No hacking allowed!");

//below end optional 


} // BUT MAKE SURE you add a end brace
?>
Tommy1402
Forum Newbie
Posts: 23
Joined: Tue Oct 03, 2006 4:33 am
Location: bandung

Post by Tommy1402 »

feyd wrote: a "deny from all" would render posts to it also be denied.
Yup, but for good practice, I guess we should keep only one door open.