Page 1 of 1
Detecting what file is including another file
Posted: Sat Jan 17, 2009 2:22 am
by pcman312
I've been pondering over how to enforce how/where/who includes a given PHP file and my question is: Is there a way for a PHP script to be able to detect what script is including it? In other words, if X.php is including Y.php, is there a way for Y.php to detect that it's being included by X.php? If I can detect the full url (
http://www.xyz.com/X.php), then I can enforce some rules regarding how a file is included. I don't really want to do an approach I read about earlier where you have something like this:
X.php
Y.php
Code: Select all
if ($ping != "pong")
// Some error message and exits this file
// The rest of the code for this page
Because a malicious php script could set $ping = "pong" before including Y.php, and the plan would fail.
I can use an .htaccess file to redirect away from any files that I don't want to be directly accessed (put all the included files into a folder, then redirect from that folder to somewhere nicer for instance). But again, this doesn't cover includes.
I've kind of rambled on a bit, but hopefully I've gotten across my problem.
Thanks in advance =)
Re: Detecting what file is including another file
Posted: Sat Jan 17, 2009 5:43 am
by Hannes2k
Hi,
you can use $_SERVER['SCRIPT_FILENAME']
e.g.
Code: Select all
<?php
if ($_SERVER['SCRIPT_FILENAME'] == __FILE__)
die("This script is for inclusion only!");
?>
Re: Detecting what file is including another file
Posted: Sat Jan 17, 2009 8:42 am
by kaisellgren
Hannes2k wrote:Hi,
you can use $_SERVER['SCRIPT_FILENAME']
e.g.
Code: Select all
<?php
if ($_SERVER['SCRIPT_FILENAME'] == __FILE__)
die("This script is for inclusion only!");
?>
It's not that simple
For example, some hosts will mess up these two, because the other one uses / as a directory separator the other value uses \
In my home computer, the returned values are:
SCRIPT_FILENAME: Z:/Portable Programs/Apache HTTPD/htdocs/devnet_test_file.php
__FILE__: Z:\Portable Programs\Apache HTTPD\htdocs\devnet_test_file.php
And therefore the script fails to work. A simple workaround:
Code: Select all
<?php
if (str_replace('/','\\',$_SERVER['SCRIPT_FILENAME']) == __FILE__)
die("This script is for inclusion only!");
?>
Re: Detecting what file is including another file
Posted: Sun Jan 18, 2009 12:05 am
by pcman312
Awesome. Thanks a lot. I did a print_r on $_SERVER to see what else I could extract from there on a given file. These all seem to give me the same information from both my includer and the included file:
Code: Select all
[SCRIPT_FILENAME] => /*****/public_html/temp/includer.php5
[REQUEST_URI] => /temp/includer.php5
[SCRIPT_NAME] => /temp/includer.php5
[PATH_TRANSLATED] => /*****/public_html/temp/includer.php5
[PHP_SELF] => /temp/includer.php5
Re: Detecting what file is including another file
Posted: Sun Jan 18, 2009 8:13 am
by kaisellgren
pcman312 wrote:Awesome. Thanks a lot. I did a print_r on $_SERVER to see what else I could extract from there on a given file. These all seem to give me the same information from both my includer and the included file:
Code: Select all
[SCRIPT_FILENAME] => /*****/public_html/temp/includer.php5
[REQUEST_URI] => /temp/includer.php5
[SCRIPT_NAME] => /temp/includer.php5
[PATH_TRANSLATED] => /*****/public_html/temp/includer.php5
[PHP_SELF] => /temp/includer.php5
SCRIPT_FILENAME can be used like stated above. REQUEST_URI could be something completely different and you should forget it (for example SEO URLs). SCRIPT_NAME is just a shorter version of the SCRIPT_FILENAME. PHP_SELF can not be used safely since under certain server configurations it may be different than what you expect. PATH_TRANSLATED, I do not know what it is.
Re: Detecting what file is including another file
Posted: Sun Jan 18, 2009 9:02 am
by pcman312
kaisellgren wrote:pcman312 wrote:Awesome. Thanks a lot. I did a print_r on $_SERVER to see what else I could extract from there on a given file. These all seem to give me the same information from both my includer and the included file:
Code: Select all
[SCRIPT_FILENAME] => /*****/public_html/temp/includer.php5
[REQUEST_URI] => /temp/includer.php5
[SCRIPT_NAME] => /temp/includer.php5
[PATH_TRANSLATED] => /*****/public_html/temp/includer.php5
[PHP_SELF] => /temp/includer.php5
SCRIPT_FILENAME can be used like stated above. REQUEST_URI could be something completely different and you should forget it (for example SEO URLs). SCRIPT_NAME is just a shorter version of the SCRIPT_FILENAME. PHP_SELF can not be used safely since under certain server configurations it may be different than what you expect. PATH_TRANSLATED, I do not know what it is.
Well, since this will be run off of our own server, of which I have full root access to and have apache and php all to ourselves, I don't think it would be a problem. Nevertheless, I'll still use SCRIPT_FILENAME or SCRIPT_NAME for simplicity. Thanks again.