how to prevent direct access to php script?

markthien
Forum Commoner
Posts: 33
Joined: Fri Feb 13, 2009 7:50 pm

how to prevent direct access to php script?

Post by markthien »

Hi,
I store all my PHP scripts under the /bin folder, like process-signup.php. If a user goes directly to http://www.menggaris.com/bin/process-signup.php, then the script will eventually be executed and data will be saved into the database. The user should go to signup.php first.
How can I prevent this situation from happening?
I am wondering, is there any way to detect if a user directly accesses process-signup.php instead of accessing it from signup.php?

Thanks & regards,
Mark
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: how to prevent direct access to php script?

Post by alex.barylski »

Code:

<?php defined('PROJECT_LOADED') or die('Invalid Request');

Every script file that is not directly invocable should have this as the very first line. Every script that is accessible directly should then define this somewhere before including the support scripts.

Alternatively (and preferably) you should store all files (except index.php and assets) outside the document root.
markthien
Forum Commoner
Posts: 33
Joined: Fri Feb 13, 2009 7:50 pm

Re: how to prevent direct access to php script?

Post by markthien »

Hi PCSpectra,

Should I put the process-signup.php outside the document root folder? For example, consider the following code:

Code:

<form id="signup_form" action="bin/process-signup.php" method="post">
        <input type="text" name="name" id="name"/>
        <input type="text" name="email" id="email"/>
        <input type="submit" value="submit" name="submit" id="submit"/>
</form>
 
My document root path is /home/webadministrator/www/root/
and all my PHP scripts are under /home/webadministrator/www/root/bin.
Now if I put process-signup.php under /home/websiteadmin/www/bin,
how should I put the path in the HTML form?
I don't think I can put it like this?

Code:

<form id="signup_form" action="/home/websiteadmin/www/bin/process-signup.php" method="post">

regards,
Mark
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: how to prevent direct access to php script?

Post by John Cartwright »

It doesn't make any sense to want to protect that file from being directly accessed. When you make the form post to this file, you are directly accessing it. By putting it outside the webroot you are eliminating access to the file from www.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: how to prevent direct access to php script?

Post by alex.barylski »

"Should I put the process-signup.php outside the document root folder? For example, consider the following code:"

If the file/script is (requires) accessible (such as a signup form) then no -- you need that within your docroot -- but any of its included files say something like this:

Code:

<?php
 
  include 'inc/functions.php';
 
  echo 'Do your thing';

The 'inc' sub-folder might (for technical reasons -- such as being on a shared host and not having access to outside of docroot) be required to be kept in the accessible view -- in which case you would use the check I showed previously inside functions.php to ensure that script wasn't directly accessible.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: how to prevent direct access to php script?

Post by josh »

Set a session variable on the 1st page and check for it on the 2nd page
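
The session check suggested in the last post, sketched as an added example that is not part of the thread or any poster's code. The function names, the 'signup_token' session key and the hidden 'token' field are assumptions; the session is passed in as an array so the sketch runs from the command line.

```php
<?php
// Added example. In the real pages, call session_start() first and pass
// $_SESSION, $_SERVER['REQUEST_METHOD'] and $_POST to these functions.

// signup.php (the 1st page): create a random token, remember it in the
// session, and emit it in a hidden <input name="token"> inside the form.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['signup_token'] = $token;   // hypothetical key name
    return $token;
}

// process-signup.php (the 2nd page): accept the request only if it is a
// POST carrying the token that signup.php stored for this session.
function is_expected_submission(array &$session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                    // URL typed into the address bar
    }
    $expected = $session['signup_token'] ?? null;
    unset($session['signup_token']);     // single use: a replay will fail
    $given = $post['token'] ?? '';
    if (!is_string($expected) || !is_string($given)) {
        return false;                    // form page was never loaded
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Constructed demonstration of the three cases.
$session = [];

// 1. Direct visit to the handler without loading the form first.
var_dump(is_expected_submission($session, 'GET', []));

// 2. Form loaded on signup.php, then submitted with its token.
$token = issue_form_token($session);
var_dump(is_expected_submission($session, 'POST', ['token' => $token]));

// 3. Same request sent a second time: the token is already consumed.
var_dump(is_expected_submission($session, 'POST', ['token' => $token]));
```

The handler still has to validate name and email on the server, since the token only shows that the form page was loaded in the same session.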