Directly inaccessible php script
How can I make a .php document not directly accessible when the user uses the full path for it? I still want it to be available for include/require_once though.
Re: Directly inaccessible php script
Make it check for something.. eg:
Code: Select all
<?php
if (!defined("SECURITYCONSTANT")) { exit; }
// rest of the script
Then you'd just need to define SECURITYCONSTANT in the scripts that are allowed to use the file.
That said though, generally you don't need to worry about this sort of thing. Include files shouldn't really be echo'ing anything so if you call one from a browser you'll just get a blank page.
Re: Directly inaccessible php script
Ah I see, nice idea, thanks.
I was using
Code: Select all
if ('globalsettings.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die ('No direct access.');
but it didn't work correctly with included files.
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: Directly inaccessible php script
I had a similar thought about this the other day, but as onion2k said, if it doesn't echo anything it's OK.
I have a partially related problem though. I've got a php file which generates an XML document from some MySQL data, and then marks the MySQL rows that have been put into the document as "used" when it's done. This is fine for when I use the php file properly, through an AJAX call, but if someone grabs the URL from my JavaScript code in the page source, and then visits my php file directly, it will mark the MySQL rows as "used" when they haven't actually been used properly.
So my question is, how do I get around this? Rethink the logic?
Ps. Shall I split this into a new topic because it's too unrelated?
Re: Directly inaccessible php script
For the original poster:
An alternative is to place the files in a folder outside the web root - in this way Apache will never be able to serve it directly, while PHP will be able to reference it in include().
For jayshields:
How do you define "properly used" in the context of the AJAX call? There should be a server-side mechanism for checking if the action should be carried out or not. How does your system work with javascript disabled?
- jayshields
Re: Directly inaccessible php script
Mordred wrote: How do you define "properly used" in the context of the AJAX call? There should be a server-side mechanism for checking if the action should be carried out or not. How does your system work with javascript disabled?
Well, to set the scene a little bit, the web page calls the PHP script every so many seconds to check if any new rows have been added to the table. If there have been any, then the PHP script returns an XML document with the row data in it, and then marks the said rows as "old", so that next time the script gets called, the rows won't be new anymore, and the script will never return the same row data twice.
By saying "when the script is not used properly" I mean that if someone went directly to the script, which would mark any new rows as "old", meaning that when my AJAX call goes to get any new rows it might have missed some out.
The problem is that I can't think of a good server-side mechanism to prevent this. It's related to this post because I thought .htaccess could solve it, but I don't think that it could.
My system does not work with JavaScript disabled.
Re: Directly inaccessible php script
@jay: is this single-user code? What happens if one user legitimately hits the AJAX code -- he would prevent a second user from getting the "new" lines. It seems that you lack a proper authentication scheme, and yet you need one 
- jayshields
Re: Directly inaccessible php script
Well, without going into a lot of detail, you pass your user ID into the script via a GET parameter, and it only returns rows which match your user ID. Also, the whole web application is (going to be) prevented from being accessed outside the local network via .htaccess. So it's not like anyone is going to be trying to do anything malicious.
So, mentioning that, it isn't crucial for me to prevent direct access to the script but it would be nice.
Re: Directly inaccessible php script
Why not set up a random token that's stored in the user's session when they log in that's embedded in the Javascript for the AJAX when the HTML code is generated the first time... then append to the URL that token using Javascript so it's not something you can just copy and paste. You could even hold it in a Javascript variable and change it each time the PHP script is called so you can't even view it anywhere in the source. Obviously if the token doesn't match what's in the user's session you'd reject the call.
EG
Code: Select all
User logs in - generate token of ABCDEF
HTML page for the app is built - embed 'var secrettoken = 'ABCDEF';'
App calls 'ajax.php?token='+secrettoken
ajax.php sets a new token for the session and returns it (plus the usual data) - secrettoken=GHIJKL
App calls 'ajax.php?token='+secrettoken
ajax.php sets a new token for the session and returns it (plus the usual data) - secrettoken=XYZ123
User tries to view ajax.php directly, maybe with the token from the HTML - ajax.php?token=ABCDEF
ajax.php tells the user to go away
To make it a bit more secure you could leave the secret token out of the HTML and make the page fetch it via AJAX when the document loads.
- jayshields
Re: Directly inaccessible php script
I thought that would be the only type of route to go down. Seems a bit overkill for my situation though to be honest. I'll see how it pans out. If I come into trouble later on with this I'll check back here and have a go at implementing something similar to what you said.
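The rotating session token scheme outlined earlier in the thread, written out as an added example; it is not code from any poster. The session key `ajax_token`, the helper names `issue_token()` and `token_is_valid()`, and the JSON response shape are assumptions made for illustration.

```php
<?php
// ajax.php -- added example, not code from the thread.
// Assumptions: the session key 'ajax_token', the helper names and the JSON
// response shape are all hypothetical.
declare(strict_types=1);

session_start();

/** Store a fresh, unpredictable token in the session and return it. */
function issue_token(): string
{
    $_SESSION['ajax_token'] = bin2hex(random_bytes(16));
    return $_SESSION['ajax_token'];
}

/** True only when the caller presents the session's current token. */
function token_is_valid($supplied): bool
{
    $expected = $_SESSION['ajax_token'] ?? null;
    // hash_equals() compares in constant time. Requiring strings on both
    // sides also rejects array input such as token[]=x.
    return is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied);
}

// The script that builds the app's HTML calls issue_token() after login and
// writes json_encode($token) as the initial value of "var secrettoken".

if (!token_is_valid($_GET['token'] ?? null)) {
    // Direct visits, stale tokens and copied URLs all stop here, before any
    // row has been read or marked.
    http_response_code(403);
    exit('No direct access.');
}

// Rotate first so the token that was just used cannot be replayed.
$nextToken = issue_token();

// The existing "select new rows, then mark them old" logic belongs here,
// unchanged; it now runs only for requests that passed the check above.
$rows = [];

header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode(['token' => $nextToken, 'rows' => $rows]);
```

The client has to overwrite `secrettoken` with the returned `token` after every response. With overlapping polls, a request still carrying the previous token receives the 403, so requests need to be issued one at a time.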